Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring Basic Settings

Table Of Contents

Configuring Basic Settings

Configuring the Hostname, Domain Name, and Passwords

Setting the Date and Time

Setting the Date and Time Using an NTP Server

Add/Edit NTP Server Configuration

Setting the Date and Time Manually

Configuring HTTP Redirect  

Edit HTTP/HTTPS Settings

Configuring the Master Passphrase

Information About the Master Passphrase

Licensing Requirements for the Master Passphrase

Guidelines and Limitations

Adding or Changing the Master Passphrase

Disabling the Master Passphrase

Recovering the Master Passphrase

Feature History for the Master Passphrase

Configuring the DNS Server

Defining ASDM Preferences

Using the ASDM Assistant

Enabling History Metrics

Setting the Management IP Address for a Transparent Firewall

Information About the Management IP Address

Licensing Requirements for the Management IP Address for a Transparent Firewall

Guidelines and Limitations

Configuring the IPv4 Address

Configuring the IPv6 Address

Configuring the Global Address

Configuring the Link-Local Addresses Automatically

Configuring DAD Settings

Feature History for the Management IP Address for a Transparent Firewall


Configuring Basic Settings


This chapter describes how to configure basic settings on your adaptive security appliance that are typically required for a functioning configuration. This chapter includes the following sections:

Configuring the Hostname, Domain Name, and Passwords

Setting the Date and Time

Configuring HTTP Redirect

Configuring the Master Passphrase

Configuring the DNS Server

Defining ASDM Preferences

Using the ASDM Assistant

Enabling History Metrics

Setting the Management IP Address for a Transparent Firewall

Configuring the Hostname, Domain Name, and Passwords

The Configuration > Device Setup > Device Name/Password pane lets you set the hostname and domain name for the adaptive security appliance and set the enable and telnet passwords.

The hostname appears in the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in system messages.

For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line; it can be used for a banner.

The adaptive security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the security appliance qualifies the name to "jupiter.example.com."

The Telnet Password sets the login password. By default, it is "cisco." Although this area is called Telnet Password, this password applies to Telnet and SSH access. The login password lets you access EXEC mode if you connect to the adaptive security appliance using a Telnet or SSH session. (If you configure user authentication for Telnet or SSH access, then each user has their own password, and this login password is not used.)

The enable password lets you access privileged EXEC mode after you log in. Also, this password is used to access ASDM as the default user, which is blank. The default user shows as "enable_15" in the User Accounts pane. (If you configure user authentication for enable access, then each user has their own password, and this enable password is not used. In addition, you can configure authentication for HTTP/ASDM access.)

Fields

The Hostname and Domain Name area contains the following fields:

Hostname—Sets the hostname. The default hostname depends on your platform.

Domain Name—Sets the domain name. The default domain name is default.domain.invalid.

The Enable Password area contains the following fields. In multiple context mode, the Enable Password area only appears in contexts; it does not appear in the system execution space.

Change the privileged mode password—Lets you change the enable password.

Old Password—Enter the old password.

New Password—Enter the new password.

Confirm New Password—Confirm the new password.

The Telnet Password area contains the following fields. In multiple context mode, the Telnet Password area only appears in contexts; it does not appear in the system execution space.

Change the password to access the platform console—Lets you change the login password.

Old Password—Enter the old password.

New Password—Enter the new password.

Confirm New Password—Confirm the new password.

Setting the Date and Time

This section describes how to set the date and time, either manually or dynamically using an NTP server. Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range.


Note In multiple context mode, set the time in the system configuration only.


This section includes the following topics:

Setting the Date and Time Using an NTP Server

Setting the Date and Time Manually

Setting the Date and Time Using an NTP Server

To obtain the date and time from an NTP server, perform the following steps.

Detailed Steps

The Configuration > Device Setup > System Time > NTP pane lets you define NTP servers to dynamically set the time on the adaptive security appliance. The time displays in the status bar at the bottom of the main ASDM pane.

Time derived from an NTP server overrides any time set manually in the Clock pane.

NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. You can configure multiple NTP servers. The adaptive security appliance chooses the server with the lowest stratum—a measure of how reliable the data is.

Fields

NTP Server List—Shows defined NTP servers.

IP Address—Shows the NTP server IP address.

Interface—Specifies the outgoing interface for NTP packets, if configured. The system does not include any interfaces, so it uses the admin context interfaces. If the interface is blank, then the adaptive security appliance uses the default admin context interface according to the routing table.

Preferred?—Shows whether this NTP server is a preferred server, Yes or No. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the adaptive security appliance uses the more accurate one. For example, the adaptive security appliance uses a more accurate server over a less accurate server that is preferred.

Key Number—Shows the authentication key ID number.

Trusted Key?—Shows if the key is a trusted key, Yes or No. The key must be trusted for authentication to work.

Enable NTP Authentication—Enables authentication for all servers.

Add—Adds an NTP server.

Edit—Edits an NTP server.

Delete—Deletes an NTP server.

Add/Edit NTP Server Configuration

The Configuration > Device Setup > System Time > NTP > Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server.

Fields

IP Address—Sets the NTP server IP address.

Preferred—Sets this server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the adaptive security appliance uses the more accurate one. For example, the adaptive security appliance uses a more accurate server over a less accurate server that is preferred.

Interface—Sets the outgoing interface for NTP packets, if you want to override the default interface according to the routing table. The system does not include any interfaces, so it uses the admin context interfaces. If you intend to change the admin context (thus changing the available interfaces), you should choose None (the default interface) for stability.

Authentication Key—Sets the authentication key attributes if you want to use MD5 authentication for communicating with the NTP server.

Key Number—Sets the key ID for this authentication key. The NTP server packets must also use this key ID. If you previously configured a key ID for another server, you can select it in the list; otherwise, type a number between 1 and 4294967295.

Trusted—Sets this key as a trusted key. You must select this box for authentication to work.

Key Value—Sets the authentication key as a string up to 32 characters in length.

Reenter Key Value—Validates the key by ensuring that you enter the key correctly two times.

Setting the Date and Time Manually

The Configuration > Device Setup > System Time > Clock pane lets you manually set the date and time for the adaptive security appliance. The time displays in the status bar at the bottom of the main ASDM pane.

In multiple context mode, you can set the time in the system configuration only.

To dynamically set the time using an NTP server, see the "Setting the Date and Time Using an NTP Server" section; time derived from an NTP server overrides any time set manually in the Clock pane.

Fields

Time Zone—Sets the time zone as GMT plus or minus the appropriate number of hours. If you select the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, then the time adjusts automatically for daylight saving time, from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.


Note Changing the time zone on the adaptive security appliance may drop the connection to intelligent SSMs.


Date—Sets the date. Click the Date drop-down list to display a calendar. Then navigate to the correct date using the following methods:

Click the name of the month to display a list of months. Click the desired month. The calendar updates to that month.

Click the year to change the year. You can use the up and down arrows to scroll through the years, or you can type a year in the entry field.

Click the arrows to the right and left of the month and year display to scroll the calendar forward and backwards one month at a time.

Click a day on the calendar to set the date.

Time—Sets the time on a 24-hour clock.

hh, mm, and ss boxes—Sets the hour, minutes, and seconds.

Update Display Time—Updates the time shown in the bottom right corner of the ASDM pane. The current time updates automatically every ten seconds.

Configuring HTTP Redirect  

The HTTP Redirect table displays each interface on the adaptive security appliance, shows whether it is configured to redirect HTTP connections to HTTPS, and the port number from which it redirects those connections.


Note To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to the HTTP port.


To change the HTTP redirect setting of an interface or the port from which it redirects HTTP connections, go to the Configuration > Device Management > Advanced > HTTP Redirect pane, select the interface in the table, and click Edit. You can also double-click an interface. The Edit HTTP/HTTPS Settings dialog box opens.

Edit HTTP/HTTPS Settings

The Edit HTTP/HTTPS Settings dialog box lets you change the HTTP redirect setting of an interface or the port number.

Fields

The Edit HTTP/HTTPS Settings dialog box includes the following fields:

Interface—Identifies the interface on which the adaptive security appliance redirects or does not redirect HTTP requests to HTTPS.

Redirect HTTP to HTTPS—Check to redirect HTTP requests to HTTPS, or uncheck to not redirect HTTP requests to HTTPS.

HTTP Port—Identifies the port from which the interface redirects HTTP connections. By default it listens to port 80.

Configuring the Master Passphrase

This section describes how to configure the master passphrase. This section includes the following topics:

Information About the Master Passphrase

Licensing Requirements for the Master Passphrase

Guidelines and Limitations

Adding or Changing the Master Passphrase

Disabling the Master Passphrase

Recovering the Master Passphrase

Feature History for the Master Passphrase

Information About the Master Passphrase

The master passphrase feature allows you to securely store plain text passwords in encrypted format. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Passwords that take advantage of this feature include:

OSPF

EIGRP

VPN load balancing

VPN (remote access and site-to-site)

Failover

AAA servers

Logging

Shared licenses

And many more...

Licensing Requirements for the Master Passphrase

Model        License Requirement
All models   Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Adding or Changing the Master Passphrase

This section describes how to configure the master passphrase feature.

Prerequisites

If failover is enabled but no failover shared key is set, then changing the master passphrase displays an error message, informing you that a failover shared key must be entered to protect the master passphrase changes from being sent as plain text.

In the Configuration > Device Management > High Availability > Failover pane, enter any character except a backspace in the Shared Key field, or, if the failover hex key option is selected, 32 hexadecimal digits (0-9A-Fa-f). Then click Apply.

Detailed Steps


Step 1 In single context mode, choose Configuration > Device Management > Advanced > Master Passphrase pane.

In multiple context mode, choose Configuration > Device Management > Device Administration > Master Passphrase.

Step 2 Check the Advanced Encryption Standard (AES) password encryption check box.

If no master passphrase is in effect, a warning statement appears when you click Apply. You can click OK or Cancel to continue.

If you later disable password encryption, all existing encrypted passwords are left unchanged, and as long as the master passphrase exists, the encrypted passwords will be decrypted as required by the application.

Step 3 Check the Change the encryption master passphrase check box; this will enable you to enter and confirm your new master passphrases. By default, they are disabled.

Your new master passphrase must be between 8 and 128 characters long.

If you are changing an existing passphrase, you must enter the old passphrase before you can enter a new one.

To delete the master passphrase, just leave the New and Confirm master passphrase fields blank.

Step 4 Click Apply.


You will see warning messages if:

The Change the encryption master passphrase check box is checked and the New master passphrase field is empty. In this case the no key config-key password-encryption command is sent to the device, and a warning message appears when you click Apply.

The old master passphrase does not match the hash value in the show password encryption command output.

You use non-portable characters, particularly those with the high-order bit set in an 8-bit representation.

A master passphrase and failover are in effect, and you attempt to remove the failover shared key. In this case an error message appears.

Encryption is disabled, but a new or replacement master passphrase is supplied. You can click OK or Cancel to continue.

The master passphrase is changed in multiple security context mode.

Active/Active failover is configured and the master passphrase is changed.

Any running configurations are configured so that their configuration cannot be saved back to their server (for example, context config-URLs that use HTTP or HTTPS), and the master passphrase is changed.




Disabling the Master Passphrase

Disabling the master passphrase reverts encrypted passwords into plain text passwords. Removing the passphrase might be useful if you downgrade to a previous software version that does not support encrypted passwords.

Prerequisites

You must know the current master passphrase to disable it. If you do not know the passphrase, see the "Recovering the Master Passphrase" section.

Detailed Steps


Step 1 In single context mode, choose Configuration > Device Management > Advanced > Master Passphrase pane.

In multiple context mode, choose Configuration > Device Management > Device Administration > Master Passphrase.

Step 2 Check the Advanced Encryption Standard (AES) password encryption check box.

If no master passphrase is in effect, a warning statement appears when you click Apply. You can click OK or Cancel to continue.

Step 3 Check the Change the encryption master passphrase check box.

Step 4 Enter your old master passphrase in the Old master passphrase field. You must provide your old master passphrase to disable your passphrase.

Step 5 Leave the New master passphrase and the Confirm master passphrase fields empty.

Step 6 Click Apply.


Recovering the Master Passphrase

You cannot recover the master passphrase.

If the master passphrase is lost or unknown, it could be removed by using the write erase command followed by the reload command. This removes the master key along with the configuration containing the encrypted passwords.

Feature History for the Master Passphrase

Table 1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 1 Feature History for the Master Passphrase

Feature Name: Master Passphrase
Platform Releases: 8.3(1)
Feature Information: This feature was introduced. The following screens were introduced: Configuration > Device Management > Advanced > Master Passphrase, Configuration > Device Management > Device Administration > Master Passphrase.


Configuring the DNS Server

Some adaptive security appliance features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the adaptive security appliance can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names.


Note The adaptive security appliance has limited support for using the DNS server, depending on the feature. For these features, to resolve the server name to an IP address you must enter the IP address manually by adding the server name in the Configuration > Firewall > Objects > Network Object/Groups pane.


For information about dynamic DNS, see the "Configuring Dynamic DNS" section.

Prerequisites

Make sure you configure the appropriate routing for any interface on which you enable DNS domain lookup so you can reach the DNS server. See the "Information About Routing" section for more information about routing.

Detailed Steps


Step 1 In the ASDM main application window, choose Configuration > Device Management > DNS > DNS Client.

Step 2 In the DNS Setup area, choose one of the following options:

Configure one DNS server group.

Configure multiple DNS server groups.

Step 3 Click Add to display the Add DNS Server Group dialog box.

Step 4 Specify up to six addresses to which DNS requests can be forwarded. The adaptive security appliance tries each DNS server in order until it receives a response.


Note You must first enable DNS on at least one interface before you can add a DNS server. The DNS Lookup area shows the DNS status of an interface. A False setting indicates that DNS is disabled. A True setting indicates that DNS is enabled.


Step 5 Enter the name of each configured DNS server group.

Step 6 Enter the IP addresses of the configured servers, and click Add to include them in the server group. To remove a configured server from the group, click Delete.

Step 7 To change the sequence of the configured servers, click Move Up or Move Down.

Step 8 In the Other Settings area, enter the number of seconds to wait before trying the next DNS server in the list, between 1 and 30 seconds. The default is 2 seconds. Each time the adaptive security appliance retries the list of servers, the timeout time doubles.

Step 9 Enter the number of seconds to wait before trying the next DNS server in the group.

Step 10 Enter a valid DNS domain name for the group of configured servers (for example, example.com).

Step 11 Click OK to close the Add DNS Server Group dialog box.

The new DNS server settings appear.

Step 12 To change these settings, click Edit to display the Edit DNS Server Group dialog box.

Step 13 Make your desired changes, then click OK to close the Edit DNS Server Group dialog box.

The revised DNS server settings appear.

Step 14 To enable a DNS server group to receive DNS requests, click Set Active.

Step 15 In the DNS Guard area, to enforce one DNS response per query, check the Enable DNS Guard on all interfaces check box. If DNS inspection is enabled, this setting is ignored on the selected interface.

Step 16 Click Apply to save your changes, or click Reset to discard those changes and enter new ones.
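As an added defender-side example (not part of the original guide), the following Python script audits a running-config excerpt against the points this chapter makes about the login and enable passwords, the domain name, the master passphrase, NTP trusted keys and authentication, and the DNS lookup prerequisite. The config excerpts are constructed, the hash placeholders in the hardened sample are not real hashes, and the two default-password hashes are the well-known values the factory defaults produce.

```python
import re
from typing import List

# Constructed sample "show running-config" excerpt (not from a real device).
# It leaves several settings from this chapter at their defaults on purpose.
WEAK_CONFIG = """\
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ntp authentication-key 1 md5 *****
ntp server 192.0.2.10 key 1 source outside prefer
ntp server 192.0.2.11 source outside
dns server-group DefaultDNS
 name-server 192.0.2.53
 domain-name example.com
"""

# The same settings after applying this chapter's recommendations.
# The password hashes here are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname fw-edge-01
domain-name example.com
enable password PLACEHOLDERHASH1 encrypted
passwd PLACEHOLDERHASH2 encrypted
password encryption aes
ntp authentication-key 1 md5 *****
ntp trusted-key 1
ntp authenticate
ntp server 192.0.2.10 key 1 source outside prefer
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
 domain-name example.com
"""

# Well-known hashes produced by the factory defaults: "cisco" for the
# Telnet/SSH login password and an empty enable password.
DEFAULT_LOGIN_HASH = "2KFQnbNIdI.2KYOU"
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"


def audit_basic_settings(config: str) -> List[str]:
    """Check the basic settings this chapter covers and return the findings."""
    lines = config.splitlines()

    def has(prefix: str) -> bool:
        # Sub-commands (e.g. " name-server") keep their leading space.
        return any(ln.startswith(prefix) for ln in lines)

    findings: List[str] = []

    # Hostname, domain name and passwords
    m = re.search(r"^domain-name (\S+)$", config, re.M)
    if m is None or m.group(1) == "default.domain.invalid":
        findings.append("domain name is unset or still default.domain.invalid")
    if has(f"passwd {DEFAULT_LOGIN_HASH} encrypted"):
        findings.append("Telnet/SSH login password is still the default 'cisco'")
    if has(f"enable password {DEFAULT_ENABLE_HASH} encrypted"):
        findings.append("enable password is blank (factory default)")

    # Master passphrase: passwords should be stored AES-encrypted
    if not has("password encryption aes"):
        findings.append("AES password encryption (master passphrase) is not enabled")

    # NTP: a server key must be defined AND trusted, and authentication enabled
    defined = set(re.findall(r"^ntp authentication-key (\d+) md5", config, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)$", config, re.M))
    servers = re.findall(r"^ntp server (\S+)(?: key (\d+))?", config, re.M)
    for ip, key in servers:
        if not key:
            findings.append(f"NTP server {ip} is not authenticated")
        elif key not in defined:
            findings.append(f"NTP server {ip} references undefined key {key}")
        elif key not in trusted:
            findings.append(f"NTP server {ip} uses key {key}, which is not a trusted key")
    if any(key for _, key in servers) and not has("ntp authenticate"):
        findings.append("NTP keys are configured but 'ntp authenticate' is off")

    # DNS: name servers are useless until lookup is enabled on an interface
    if has(" name-server") and not has("dns domain-lookup"):
        findings.append("DNS servers configured but DNS lookup is enabled on no interface")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_basic_settings(cfg))} finding(s)")
        for finding in audit_basic_settings(cfg):
            print("  -", finding)
```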


Defining ASDM Preferences

This feature lets you define the behavior of certain ASDM settings.

To change various settings in ASDM, perform the following steps:


Step 1 In the main ASDM application window, choose Tools > Preferences.

The Preferences dialog box appears, with three tabs: General, Rules Table, and Syslog.

Step 2 To define your settings, click one of these tabs: the General tab to specify general preferences; the Rules Table tab to specify preferences for the Rules table; and the Syslog tab to specify the appearance of syslog messages displayed in the Home pane and to enable the display of a warning message for NetFlow-related syslog messages.

Step 3 On the General tab, specify the following:

a. Check the Warn that configuration in ASDM is out of sync with the configuration in ASA check box to be notified when the startup configuration and the running configuration are no longer in sync with each other.

b. Check the Show configuration restriction message to read-only user check box to display the following message to a read-only user at startup. This option is checked by default.

"You are not allowed to modify the ASA configuration, because you do not have sufficient privileges."

c. Check the Confirm before exiting ASDM check box to display a prompt when you try to close ASDM to confirm that you want to exit. This option is checked by default.

d. Check the Enable screen reader support (requires ASDM restart) check box to enable screen readers to work. You must restart ASDM to enable this option.

e. Check the Preview commands before sending them to the device check box to view CLI commands generated by ASDM.

f. Check the Enable cumulative (batch) CLI delivery check box to send multiple commands in a single group to the adaptive security appliance.

g. Enter the minimum amount of time in seconds for a configuration to send a timeout message. The default is 60 seconds.

h. To allow the Packet Capture Wizard to display captured packets, enter the name of the network sniffer application or click Browse to find it in the file system.

Step 4 On the Rules Table tab, specify the following:

a. Display settings let you change the way rules appear in the Rules table.

Check the Auto-expand network and service object groups with specified prefix check box to display the network and service object groups automatically expanded based on the Auto-Expand Prefix setting.

In the Auto-Expand Prefix field, enter the prefix of the network and service object groups to expand automatically when displayed.

Check the Show members of network and service object groups check box to display members of network and service object groups and the group name in the Rules table. If the check box is not checked, only the group name is displayed.

In the Limit Members To field, enter the number of network and service object groups to display. When the object group members are displayed, then only the first n members are displayed.

Check the Show all actions for service policy rules check box to display all actions in the Rules table. When unchecked, a summary appears.

b. Deployment settings let you configure the behavior of the adaptive security appliance when deploying changes to the Rules table.

Check the Issue "clear xlate" command when deploying access lists check box to clear the NAT table when deploying new access lists. This setting ensures the access lists that are configured on the adaptive security appliance are applied to all translated addresses.

c. Access Rule Hit Count Settings let you configure the frequency for which the hit counts are updated in the Access Rules table. Hit counts are applicable for explicit rules only. No hit count will be displayed for implicit rules in the Access Rules table.

Check the Update access rule hit counts automatically check box to have the hit counts automatically updated in the Access Rules table.

In the Update Frequency field, specify the frequency in seconds in which the hit count column is updated in the Access Rules table. Valid values are 10 - 86400 seconds.

Step 5 On the Syslog tab, specify the following:

In the Syslog Colors area, you can customize the message display by configuring background or foreground colors for messages at each severity level. The Severity column lists each severity level by name and number. To change the background color or foreground color for messages at a specified severity level, click the corresponding column. The Pick a Color dialog box appears. Click one of the following tabs:

On the Swatches tab, choose a color from the palette, and click OK.

On the HSB tab, specify the H, S, and B settings, and click OK.

On the RGB tab, specify the Red, Green, and Blue settings, and click OK.

In the NetFlow area, to enable the display of a warning message to disable redundant syslog messages, check the Warn to disable redundant syslog messages when NetFlow action is first applied to the global service policy rule check box.

Step 6 After you have specified settings on these three tabs, click OK to save your settings and close the Preferences dialog box.


Note Each time that you check or uncheck a preferences setting, the change is saved to the .conf file and becomes available to all the other ASDM sessions running on the workstation at the time. You must restart ASDM for all changes to take effect.



Using the ASDM Assistant

The ASDM Assistant tool lets you search and view useful ASDM procedural help about certain tasks.

To access information, choose View > ASDM Assistant > How Do I? or enter a search request from the Look For field in the menu bar. From the Find drop-down list, choose How Do I? to begin the search.


Note This feature is not available on the PIX security appliance.


To view the ASDM Assistant, perform the following steps:


Step 1 In the main ASDM application window, choose View > ASDM Assistant.

The ASDM Assistant pane appears.

Step 2 In the Search field, enter the information that you want to find, and click Go.

The requested information appears in the Search Results pane.

Step 3 Click any links that appear in the Search Results and Features sections to obtain more details.


Enabling History Metrics

The Configuration > Device Management > Advanced > History Metrics pane lets you configure the adaptive security appliance to keep a history of various statistics, which ASDM can display on any Graph/Table. If you do not enable history metrics, you can only monitor statistics in real time. Enabling history metrics lets you view statistics graphs from the last 10 minutes, 60 minutes, 12 hours, and 5 days.

To configure history metrics, perform the following steps:


Step 1 Choose Configuration > Device Management > Advanced > History Metrics.

The History Metrics pane appears.

Step 2 Check the ASDM History Metrics check box to enable history metrics, and then click Apply.


Setting the Management IP Address for a Transparent Firewall

This section describes how to configure the management IP address for transparent firewall mode, and includes the following topics:

Information About the Management IP Address

Licensing Requirements for the Management IP Address for a Transparent Firewall

Guidelines and Limitations

Configuring the IPv4 Address

Configuring the IPv6 Address

Feature History for the Management IP Address for a Transparent Firewall

Information About the Management IP Address

A transparent firewall does not participate in IP routing. The only IP configuration required for the adaptive security appliance is to set the management IP address. This address is required because the adaptive security appliance uses this address as the source address for traffic originating on the adaptive security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

For IPv4 traffic, the management IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations.


Note In addition to the management IP address for the device, you can configure an IP address for the Management 0/0 or 0/1 management-only interface. This IP address can be on a separate subnet from the main management IP address. See the "Configuring General Interface Parameters" section.

Although you do not configure IPv4 or global IPv6 addresses for other interfaces, you still need to configure the security level and interface name according to the "Configuring General Interface Parameters" section.


Licensing Requirements for the Management IP Address for a Transparent Firewall

Model        License Requirement
All models   Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode. For multiple context mode, set the management IP address within each context.

Firewall Mode Guidelines

Supported in transparent firewall mode. For routed mode, set the IP address for each interface according to the "Configuring General Interface Parameters" section.

IPv6 Guidelines

Supports IPv6.

The following IPv6 address-related commands are not supported in transparent mode, because they require router capabilities:

ipv6 address autoconfig

ipv6 nd suppress-ra

For a complete list of IPv6 commands that are not supported in transparent mode, see the "IPv6-Enabled Commands" section.

No support for IPv6 anycast addresses.

You can configure both IPv6 and IPv4 addresses.

Additional Guidelines and Limitations

In addition to the management IP address for the device, you can configure an IP address for the Management 0/0 or 0/1 management-only interface. This IP address can be on a separate subnet from the main management IP address. See the "Configuring General Interface Parameters" section.

Although you do not configure IP addresses for other interfaces, you still need to configure the security level and interface name according to the "Configuring General Interface Parameters" section.

Configuring the IPv4 Address

This section tells how to configure the IPv4 address.

Detailed Steps


Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.

Step 2 In the IPv4 Address area, enter the IP address in the Management IP Address field.

This address must be on the same subnet as the upstream and downstream routers. You cannot set the subnet to a host subnet (255.255.255.255). The standby keyword and address are used for failover.

Step 3 From the Subnet Mask drop-down list, choose a subnet mask, or enter a subnet mask directly in the field.

Step 4 Click Apply.


Configuring the IPv6 Address

You can configure two types of unicast addresses for IPv6:

Global—The global address is a public address that you can use on the public network. This address needs to be configured for the whole device, and not per-interface.

Link-local—The link-local address is a private address that you can only use on the directly-connected network. Routers do not forward packets using link-local addresses; they are only for communication on a particular physical network segment. They can be used for address configuration or for the ND functions such as address resolution and neighbor discovery. Because the link-local address is only available on a segment, and is tied to the interface MAC address, you need to configure the link-local address per interface.

At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global address, a link-local address is automatically configured on each interface, so you do not also need to specifically configure a link-local address. If you do not configure a global address, then you need to configure the link-local address, either automatically or manually.

See the "IPv6 Addresses" section for more information about IPv6 addressing.

This section describes how to configure the global address or the link-local address, and includes the following topics:

Configuring the Global Address

Configuring the Link-Local Addresses Automatically

Configuring DAD Settings

Configuring the Global Address

To set the management IPv6 address, perform the following steps:


Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.

Step 2 In the IPv6 Addresses area, click Add.

The Add IPv6 Management Address dialog box appears.

Step 3 In the IP Address field, enter an IPv6 address.

For example, 2001:0DB8::BA98:0:3210. See the "IPv6 Addresses" section for more information about IPv6 addressing.

Step 4 In the Prefix Length field, enter the prefix length.

For example, 48. See the "IPv6 Addresses" section for more information about IPv6 addressing.

Step 5 Click OK.

Step 6 To configure additional addresses, repeat Step 2 through Step 5.

Step 7 Click Apply.


Configuring the Link-Local Addresses Automatically

If you only need to configure a link-local address and are not going to assign any other IPv6 addresses, you have the option of generating the link-local addresses based on the interface MAC addresses (Modified EUI-64 format). To manually assign the link-local address, see the "Configuring the Link-Local Address on an Interface (Transparent Firewall Mode)" section.

To automatically configure the link-local addresses for all interfaces, perform the following steps:


Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.

Step 2 In the IPv6 configuration area, check Enable IPv6.

This option enables IPv6 on all interfaces and automatically generates the link-local addresses using the Modified EUI-64 interface ID based on the interface MAC address.


Note You do not need to check this option if you configure any IPv6 addresses (either global or link-local); IPv6 support is automatically enabled as soon as you assign an IPv6 address. Similarly, unchecking this option does not disable IPv6 if you configured IPv6 addresses.


To configure IPv6 DAD parameters, shown in this area, see the "Configuring DAD Settings" section.

Step 3 Click Apply.
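The Modified EUI-64 derivation described above, as an added illustration that is not part of the original guide: it shows how a link-local address is built from an interface MAC, and the reverse check a defender can use to map an EUI-64-derived address seen in ND or DAD traffic back to its MAC. The MAC values are constructed sample data.

```python
import ipaddress
from typing import Optional

def modified_eui64_interface_id(mac: str) -> bytes:
    """Derive the 64-bit Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A)."""
    # Accept colon, hyphen and Cisco dotted notation (e.g. 001a.2b3c.4d5e).
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Split the OUI (first 3 octets) from the device part and insert 0xFFFE between them.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the universal/local bit (bit 1 of the first octet).
    eui64[0] ^= 0x02
    return bytes(eui64)

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Build the fe80::/64 link-local address generated for an interface with this MAC."""
    iid = modified_eui64_interface_id(mac)
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)

def mac_from_link_local(addr: str) -> Optional[str]:
    """Recover the MAC behind an EUI-64 link-local address; None if the address is not EUI-64 derived."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:2] != b"\xfe\x80" or packed[2:8] != b"\x00" * 6:
        return None  # not an fe80::/64 link-local address
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None  # no FFFE marker, so not derived from a MAC (e.g. manually assigned)
    iid[0] ^= 0x02  # undo the universal/local bit inversion
    mac_bytes = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in mac_bytes)

if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"  # constructed sample value
    ll = link_local_from_mac(sample_mac)
    print(f"{sample_mac} -> {ll}")                     # fe80::21a:2bff:fe3c:4d5e
    print(f"{ll} -> {mac_from_link_local(str(ll))}")   # 00:1a:2b:3c:4d:5e
    print(mac_from_link_local("fe80::1"))              # None (manually assigned style)
```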


Configuring DAD Settings

DAD verifies the uniqueness of new unicast IPv6 addresses before they are assigned and ensures that duplicate IPv6 addresses are detected in the network on a link basis.

For information about the Enable IPv6 parameter, see the "Configuring the Link-Local Addresses Automatically" section.

To specify DAD settings on an interface, perform the following steps:


Step 1 Go to Configuration > Device Management > Management Access > Management IP Address.

Step 2 In the IPv6 configuration area, in the DAD attempts field, enter the number of allowed DAD attempts.

This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. Valid values are from 0 to 600. A zero value disables DAD processing on the specified interface. The default is one message.

Step 3 In the NS Interval field, enter the neighbor solicitation message interval.

The neighbor solicitation message requests the link-layer address of a target node. Valid values are from 1000 to 3600000 milliseconds. The default is 1000 milliseconds.

Step 4 In the Reachable Time field, enter the amount of time in seconds that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred.

Valid values are from 1000 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.

Step 5 Click Apply.


Feature History for the Management IP Address for a Transparent Firewall

Table 9-2 lists the release history for this feature.

Table 9-2 Feature History for Transparent Mode Management Address 

Feature Name     Releases    Feature Information
IPv6 support     8.2(1)      IPv6 support was introduced for transparent firewall mode.