Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Using the Startup Wizard

Using the Startup Wizard


The ASDM Startup Wizard guides you through the initial configuration of the adaptive security appliance, and helps you define its settings.

This chapter includes the following sections:

Information About the Startup Wizard

Licensing Requirements for the Startup Wizard

Prerequisites for the Startup Wizard

Guidelines and Limitations

Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances

Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance

Configuring IPv6 Neighbor Discovery

Configuring IPv6 Static Neighbors

Feature History for the Startup Wizard

Information About the Startup Wizard

To access this feature in the main ASDM application window, choose one of the following:

Wizards > Startup Wizard.

Configuration > Device Setup > Startup Wizard, and then click Launch Startup Wizard.

Licensing Requirements for the Startup Wizard

The following table shows the licensing requirements for this feature:

| Model | License Requirement |
|---|---|
| All models | Base License |


Prerequisites for the Startup Wizard

To complete the Startup Wizard, make sure that you have the following information available:

The hostname

The domain name

A password to restrict administrative access through ASDM or the CLI

The IP address information of the outside interface

Other interfaces, such as the inside or DMZ interfaces

NAT or PAT rules

DHCP settings for the inside interface, for use with a DHCP server

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context modes, as noted in Table 7-1.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes, as noted in Table 7-1.

Failover Guidelines

Supports sessions in Stateful Failover.

IPv6 Guidelines

Supports IPv6.

Model Guidelines

Supports all models.

Additional Guidelines

Supports the AIP SSM/SSC for IPS.

Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances

Table 7-1 lists all of the required Startup Wizard screens for configuring the ASA 5500 series adaptive security appliances and IPS, if you have an AIP SSM installed. The actual sequence of screens is determined by your specified configuration selections. The Availability column lists the mode or modes in which each screen appears and provides additional configuration information. Click the name to view information for the selected screen.

Table 7-1 Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances 

| Screen Name | Availability |
|---|---|
| Step 1 - Starting Point or Welcome | All modes. |
| Step 2 - Basic Configuration | |
| Step 3 - Time Zone and Clock Configuration | Not available in multiple mode. |
| Step 4 - Auto Update Server | Single, routed, and transparent modes. If enabled in single transparent mode, the Interface Configuration and Step 14 - DHCP Server screens are not available. |
| Step 5 - Management IP Address Configuration | Single, transparent mode only. |
| Outside Interface Configuration | Single, routed mode only. |
| Outside Interface Configuration - PPPoE | |
| Interface Configuration | Single, transparent mode only. |
| Other Interfaces Configuration | All modes. |
| Step 13 - Static Routes | |
| Step 14 - DHCP Server | |
| Step 15 - Address Translation (NAT/PAT) | Single, routed mode only. |
| Step 16 - Administrative Access | All modes. |
| Step 18 - Startup Wizard Summary | |


Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance

Table 7-2 lists all of the required Startup Wizard screens for configuring only the ASA 5505 adaptive security appliance and IPS, if you have an AIP SSC installed. The sequence of screens listed represents configuration for the single, routed mode. The Availability column lists the mode or modes in which each screen appears and provides additional configuration information. Click the name to view information for the selected screen.

Table 7-2 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance 

| Screen Name and Sequence | Availability |
|---|---|
| Step 1 - Starting Point or Welcome | All modes. The Teleworker option in Step 2 - Basic Configuration is available only on the ASA 5505. |
| Step 2 - Basic Configuration | |
| Step 3 - Time Zone and Clock Configuration | All modes. |
| Step 4 - Auto Update Server | Single, routed, and transparent modes. Enabled only if configured for teleworker usage. |
| Step 5 - Management IP Address Configuration | Single, transparent mode only. |
| Step 6 - Interface Selection | Single, routed mode only. |
| Step 7 - Switch Port Allocation | |
| Step 8 - Interface IP Address Configuration | |
| Step 9 - Internet Interface Configuration - PPPoE | |
| Step 10 - Business Interface Configuration - PPPoE | |
| Step 11 - Home Interface Configuration - PPPoE | |
| Step 12 - General Interface Configuration | |
| Step 13 - Static Routes | All modes. Enabled only if configured for teleworker usage. |
| Step 14 - DHCP Server | All modes. |
| Step 15 - Address Translation (NAT/PAT) | Single, routed mode only. |
| Step 16 - Administrative Access | All modes. |
| Step 17 - Easy VPN Remote Configuration | Single, routed mode, only when enabled for teleworker usage. |
| Step 18 - Startup Wizard Summary | All modes. |


Step 1 - Starting Point or Welcome


Step 1 To change the existing configuration, click the Modify existing configuration radio button.

Step 2 To set the configuration at the factory default values for the inside interface, click the Reset configuration to factory defaults radio button.

Step 3 To configure the IP address and subnet mask of the management interface, check the Configure the IP address of the management interface check box.

Step 4 Specify the IP address of the management interface.

Step 5 Choose the subnet mask of the management interface from the drop-down list.


Note If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen.


Step 6 Click Next to continue.


Step 2 - Basic Configuration


Step 1 To specify a group of configuration settings for a remote worker, check the Configure the device for Teleworker usage check box. For more information, see Step 17 - Easy VPN Remote Configuration.

Step 2 Specify a hostname for the adaptive security appliance. The hostname can be up to 63 alphanumeric characters in mixed case.

Step 3 Specify the IPSec domain name of the adaptive security appliance, which can be used for certificates. The domain name can be a maximum of 63 alphanumeric characters, with no special characters or spaces.

Step 4 The privileged mode (enable) password is required to administer the adaptive security appliance through ASDM or the CLI. To change the current privileged mode (enable) password, check the Change privileged mode (enable) password check box.


Note If you leave the password field blank, a Password Confirmation dialog box appears to notify you that doing so is a high security risk.


Step 5 Specify the old enable password, if one exists.

Step 6 Specify the new enable password. The password is case-sensitive and can be up to 32 alphanumeric characters.

Step 7 Reenter the new enable password.

Step 8 Click Next to continue.


Step 3 - Time Zone and Clock Configuration


Step 1 Choose the time zone from the drop-down list. UTC is the default setting.

Step 2 Enter the IP address of the NTP Server.

Step 3 Choose the local date from the drop-down list.

Step 4 Enter the time in hh:mm:ss format, using a 24-hour clock.

Step 5 Click Next to continue.


Step 4 - Auto Update Server


Step 1 To enable communication between the adaptive security appliance and an Auto Update Server, check the Enable Auto Update for ASA check box.

Step 2 To define the beginning of the URL for the Auto Update Server, from the Server URL drop-down list, choose either HTTPS or HTTP.

Step 3 To confirm that an SSL certificate is enabled on the Auto Update Server, check the Verify Server SSL certificate check box.

Step 4 Enter the username to log in to the Auto Update Server.

Step 5 Enter the password to log in to the Auto Update Server.

Step 6 Reenter the password to confirm it.

Step 7 To uniquely identify the security appliance, choose the Device ID Type from the drop-down list. To enable the Device ID field and specify a particular name, choose User-defined name.

Step 8 Enter a unique string to use as the security appliance ID.

Step 9 (For IPS only) To enable signature and engine updates from Cisco.com, check the Enable Signature and Engine Updates from Cisco.com check box.

Step 10 (For IPS only) Enter your Cisco.com username and password, and then confirm the password.

Step 11 (For IPS only) Enter the start time in hh:mm:ss format, using a 24-hour clock.

Step 12 Click Next to continue.


Step 5 - Management IP Address Configuration


Step 1 Specify the IP address of the host that can access this context for management purposes using ASDM or a session protocol.

Step 2 Specify the subnet mask for the management IP address.

Step 3 Click Next to continue.


Step 6 - Interface Selection

This screen allows you to group the eight Fast Ethernet switch ports on the ASA 5505 into three VLANs. These VLANs function as separate Layer 3 networks. You can then choose or create the VLANs that define your network, one for each interface: outside (Internet), inside (Business), or DMZ (Home). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.

To create three VLANs to define your network, perform the following steps:


Step 1 In the Outside VLAN or Internet VLAN area, do the following:

a. From the Choose a VLAN drop-down list, choose a predefined outside VLAN by number.

b. To create a new outside VLAN, check the Create a VLAN check box.

c. To enable the outside VLAN, check the Enable VLAN check box.

Step 2 In the Inside VLAN or Business VLAN area, do the following:

a. From the Choose a VLAN drop-down list, choose a predefined inside VLAN by number.

b. To create a new inside VLAN, check the Create a VLAN check box.

c. To enable the inside VLAN, check the Enable VLAN check box.

Step 3 In the DMZ VLAN or Home VLAN (Optional) area, do the following:

a. From the Choose a VLAN drop-down list, choose a predefined inside VLAN by number.

b. To create a new inside VLAN, check the Create a VLAN check box.

To disable configuration of this VLAN, check the Do not configure check box.

Step 4 Click Next to continue.


Step 7 - Switch Port Allocation

This screen lets you allocate switch ports to outside (Internet), inside (Business), or DMZ (Home) interfaces. The DMZ interface is not available in transparent mode. You must add the ports to the associated VLANs. By default, all switch ports begin with VLAN1.


Step 1 In the Switch Ports for Outside VLAN (vlanid) or Switch Ports for Internet VLAN (vlanid) area, do the following:

a. Choose a port to add or remove from the available list of ports.

b. Choose a port to add or remove from the allocated list of ports.

c. To add a port to the available or allocated list of ports, click Add.

d. To remove a port from the available or allocated list of ports, click Remove.

Step 2 In the Switch Ports for Inside VLAN (vlanid) or Switch Ports for Business VLAN (vlanid) area, do the following:

a. Choose a port to add or remove from the available list of ports.

b. Choose a port to add or remove from the allocated list of ports.

c. To add a port to the available or allocated list of ports, click Add.

d. To remove a port from the available or allocated list of ports, click Remove.

Step 3 In the Switch Ports for DMZ VLAN (vlanid) or Switch Ports for Home VLAN (vlanid) area, do the following:

a. Choose a port to add or remove from the available list of ports.

b. Choose a port to add or remove from the allocated list of ports.

c. To add a port to the available or allocated list of ports, click Add.

d. To remove a port from the available or allocated list of ports, click Remove.

Step 4 Click Next to continue.


Step 8 - Interface IP Address Configuration

To configure the interface through a PPPoE server, a DHCP server, or by specifying a particular IP address and subnet mask, perform the following steps:


Step 1 In the Outside IP Address or Internet IP Address area, do one of the following:

To specify an outside IP address, click the Use the following IP address radio button.

Enter the specific outside IP address and choose the subnet mask from the drop-down list.

To obtain an outside IP address from a DHCP server, click the Use DHCP radio button.

To obtain the default route for an outside IP address from a DHCP server, check the Obtain default route using DHCP check box.

To obtain an outside IP address from a PPPoE server, click the Use PPPoE radio button.

Step 2 In the Inside IP Address or Business IP Address area, do one of the following:

To specify an inside IP address, click the Use the following IP address radio button.

Enter the specific inside IP address and choose the subnet mask from the drop-down list.

To obtain an inside IP address from a DHCP server, click the Use DHCP radio button.

To obtain the default route for an inside IP address from a DHCP server, check the Obtain default route using DHCP check box.

To obtain an inside IP address from a PPPoE server, click the Use PPPoE radio button.

In the DMZ IP Address or Home IP Address area, choose one of the following:

To specify a DMZ IP address, click the Use the following IP address radio button, then enter the specific DMZ IP address and choose the subnet mask from the drop-down list.

To obtain a DMZ IP address from a DHCP server, click the Use DHCP radio button.

To obtain a DMZ IP address from a PPPoE server, click the Use PPPoE radio button.

Step 3 Click Next to continue.


Step 9 - Internet Interface Configuration - PPPoE


Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces. After you have created the maximum number of interfaces, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and must select an existing one.



Step 1 Specify the name of the group on the PPPoE server. You must specify a group name to proceed.

Step 2 In the User Authentication area, do the following:

a. Specify your username on the PPPoE server.

b. Specify your password on the PPPoE server.

c. Confirm the PPPoE password that you entered.

Step 3 In the Authentication Method area, do one of the following:

To use PAP authentication, click the PAP radio button.

To use CHAP authentication, click the CHAP radio button.

To use MS-CHAP authentication, click the MS-CHAP radio button.

Step 4 In the IP Address area, do one of the following:

To obtain an IP address for the interface from the PPPoE server, click the Obtain an IP address using PPPoE radio button. This field is not visible in transparent mode.

Specify an IP address for the Internet interface. This field is not visible in transparent mode.

Specify the IP address that you want to use for the Internet interface.

Choose a subnet mask for the Internet interface from the drop-down list.

To set the default routing using the PPPoE server, check the Obtain default route using PPPoE check box.

Step 5 Click Next to continue.


Step 10 - Business Interface Configuration - PPPoE


Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces. After you have created the maximum number of interfaces, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and must select an existing one.



Step 1 Enter the name of the group on the PPPoE server. You must specify a group name to proceed.

Step 2 In the User Authentication area, do the following:

a. Enter your username on the PPPoE server.

b. Enter your password on the PPPoE server.

c. Reenter the PPPoE password that you entered.

Step 3 In the Authentication Method area, choose one of the following:

To use PAP authentication, click PAP.

To use CHAP authentication, click CHAP.

To use MS-CHAP authentication, click MS-CHAP.

Step 4 In the IP Address area, choose one of the following:

Click the Obtain an IP address using PPPoE radio button to obtain an IP address for the interface from the PPPoE server. This option is not visible in transparent mode.

Enter an IP address for the inside interface. This option is not visible in transparent mode.

Enter the IP address that you want to use for the inside interface.

Choose a subnet mask for the Internet interface from the drop-down list.

To set the default routing using the PPPoE server, check the Obtain default route using PPPoE check box.

Step 5 Click Next to continue.


Step 11 - Home Interface Configuration - PPPoE


Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces. After you have created the maximum number of interfaces, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and must select an existing one.



Step 1 Enter the name of the group on the PPPoE server. You must specify a group name to proceed.

Step 2 In the User Authentication area, do the following:

a. Enter your username on the PPPoE server.

b. Enter your password on the PPPoE server.

c. Reenter the PPPoE password that you entered.

Step 3 In the Authentication Method area, choose one of the following:

To use PAP authentication, click PAP.

To use CHAP authentication, click CHAP.

To use MS-CHAP authentication, click MS-CHAP.

Step 4 In the IP Address area, choose one of the following:

Click the Obtain an IP address using PPPoE radio button to obtain an IP address for the DMZ interface from the PPPoE server. This option is not visible in transparent mode.

Enter an IP address for the DMZ interface. This option is not visible in transparent mode.

Enter the IP address that you want to use for the DMZ interface.

Choose a subnet mask for the DMZ interface from the drop-down list.

To set the default routing using the PPPoE server, check the Obtain default route using PPPoE check box.

Step 5 Click Next to continue.


Step 12 - General Interface Configuration

Restricted traffic is not an optional configuration. If you only have a restricted license, you must restrict traffic from one interface to any of the other interfaces. The Restrict Traffic area fields are hidden if you have a full license or if the device is in transparent mode.

To enable and restrict traffic between interfaces and between hosts connected to the same interface, perform the following steps:


Step 1 To enable traffic between two or more interfaces with the same security level, check the Enable traffic between two or more interfaces with the same security level check box.

Step 2 To enable traffic between two or more hosts connected to the same interface, check the Enable traffic between two or more hosts connected to the same interface check box.

Step 3 In the Restrict traffic area, do the following:

To restrict traffic from an interface, choose an interface from the drop-down list.

To restrict traffic to an interface, choose an interface from the drop-down list.

Step 4 Click Next to continue.


Step 13 - Static Routes


Step 1 To create, edit, and remove static routes that will access networks connected to a router on any interface, perform the following steps:

Step 2 Choose to filter by IPv4 addresses, IPv6 addresses, or both.

Step 3 To continue, see the "Configuring Static and Default Routes" section.

Step 4 Click Next to continue.


Adding or Editing Static Routes

The Add/Edit Static Routes dialog box lets you add, edit, or remove a static route. For more information, see the "Configuring Static and Default Routes" section.

Step 14 - DHCP Server


Step 1 To allow connection to the DHCP server from the inside interface, check the Enable DHCP server on the inside interface check box.

Step 2 In the DHCP Address Pool area, do the following:

Enter the starting range of the DHCP server pool in a block of IP addresses from the lowest to highest.

Enter the ending range of the DHCP server pool in a block of IP addresses from the lowest to highest.


Note The adaptive security appliance supports up to 256 IP addresses.


Step 3 In the DHCP Parameters area, do the following:

a. To allow automatic configuration of the DNS server, WINS server, lease length, and ping timeout settings, check the Enable auto-configuration check box.

b. Enter the IP address of the DNS server.

c. Enter the IP address of the WINS server.

d. Enter the IP address of the alternate DNS server.

e. Enter the IP address of the alternate WINS server.

f. Enter the amount of time (in seconds) that the client can use its allocated IP address before the lease expires. The default value is 3600 seconds (1 hour).

g. Enter the parameters for the ping timeout value in milliseconds.

h. Enter the domain name of the DNS server to use DNS.

i. To enable DHCP auto-configuration and choose the interface from the drop-down list, check the Enable auto-configuration from interface check box. The values you specify in the previous areas of this screen take precedence over the auto-configured values.

Step 4 Click Next to continue.

For more information, see Chapter 10, "Configuring DHCP."


Step 15 - Address Translation (NAT/PAT)

PAT lets you set up a single IP address for use as the global address. In addition, you can set multiple outbound sessions to appear as if they originate from a single IP address. PAT lets up to 65,535 hosts start connections through a single outside IP address.

If you decide to use NAT, enter an address range to use for translating all addresses on the inside interface to addresses on the outside interface. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.

When you use PAT, be aware of the following:

PAT does not work with caching name servers.

You may need to enable the corresponding inspection engine to pass multimedia application protocols through the adaptive security appliance.

PAT does not work with the established command.

With passive FTP, use the inspect protocol ftp strict command with the access-list command to allow outbound FTP traffic.

A DNS server on a higher level security interface cannot use PAT.


Step 1 To enable NAT and share several external IP addresses on the inside VLAN to be used for translation, click the Use Network Address Translation (NAT) radio button, then do the following:

a. Enter the first IP address in a range of IP addresses to be used for translation.

b. Enter the last IP address in a range of IP addresses to be used for translation.

c. (Optional) Enter the subnet mask for the range of IP addresses to be used for translation.

Step 2 To enable PAT, click the Use Port Address Translation (PAT) radio button. If you select this option, choose one of the following:


Note IPSec with PAT may not work correctly, because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address.


To use the IP address of the outside interface for PAT, click the Use the IP address on the outside interface radio button.

To indicate a particular address to use for PAT, click the Specify an IP address radio button.

Enter an IP address for the outside interface for PAT.

(Optional) Choose a subnet mask from the drop-down list.

To allow traffic through the adaptive security appliance without translation, check the Enable traffic through the firewall without translation check box.

Step 3 Click Next to continue.


Step 16 - Administrative Access

To configure management access on the adaptive security appliance, perform the following steps:


Step 1 To add or change the access type and the interface, and then specify the IP address and netmask of the host network that may connect to that interface for management purposes only, see the "Adding or Editing Administrative Access Entry" section.

The Type column specifies whether the host or network is accessing the adaptive security appliance through HTTP over SSL in ASDM, SSH, or Telnet.

The Interface column displays the host or network name.

The IP Address column displays the IP address of the host or network.

The Mask column displays the subnet mask of the host or network.

Step 2 To enable a secure connection to an HTTP server to access ASDM, check the Enable HTTP server for HTTPS/ASDM access check box.

Step 3 To allow ASDM to collect and display statistics, check the Enable ASDM history metrics check box.

Step 4 Click Next to continue.


Adding or Editing Administrative Access Entry


Step 1 To configure the hosts, in the main ASDM application window, choose one of the following:

Configuration > Properties > Device Access > HTTPS/ASDM

Configuration > Properties > Device Access > Telnet

Configuration > Properties > Device Access > SSH

Configuration > Properties > History Metrics

Step 2 Choose one of the following preconfigured connections for the CLI console sessions from the Access Type drop-down list:

ASDM/HTTPS

SSH

Telnet


Note ASDM uses HTTP over SSL (HTTPS) for all communication with the adaptive security appliance.


Step 3 Choose the interface name from the Interface drop-down list.

Step 4 Enter an IP address for the interface.

Step 5 Enter a subnet mask for the interface from the Subnet Mask drop-down list.

Step 6 Click OK to save these settings and return to the Administrative Access screen.
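
The choices made in Step 4 - Auto Update Server and Step 16 - Administrative Access end up as lines in the running configuration, where they can be reviewed after the wizard finishes. The following Python audit is an added example, not part of the Cisco guide: the two configuration excerpts are constructed, the finding codes are hypothetical names, and it assumes IPv4 entries in the `http|ssh|telnet <address> <mask> <interface>` form and an `auto-update server <url> [verify-certificate]` line.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed running-config excerpts for illustration (not taken from the guide).
WEAK_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.10 255.255.255.255 inside
auto-update server http://aus-user:example-pass@aus.example.com/autoupdate
"""

HARDENED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
auto-update server https://aus-user:example-pass@aus.example.com/autoupdate verify-certificate
"""

# Management access entry: protocol, source address, source mask, interface name.
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# Auto Update Server line: URL followed by optional keywords.
AUS_RE = re.compile(r"^auto-update server\s+(\S+)(.*)$")


def audit(config_text):
    """Return a sorted list of (finding_code, detail) for one config excerpt."""
    levels = {}    # interface name -> security level (0 lowest, 100 highest)
    entries = []   # (protocol, source network, interface name)
    findings = []
    nameif = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # a new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif (m := MGMT_RE.match(line)):
            proto, addr, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            entries.append((proto, net, iface))
        elif (m := AUS_RE.match(line)):
            url = urlsplit(m.group(1))
            target = f"{url.scheme}://{url.hostname}"  # credentials are left out
            if url.scheme != "https":
                # Login and downloaded content cross the network unencrypted.
                findings.append(("AUTOUPDATE_CLEARTEXT", target))
            elif "verify-certificate" not in m.group(2).split():
                # Encrypted, but the server's identity is not checked.
                findings.append(("AUTOUPDATE_CERT_NOT_VERIFIED", target))

    # Entries are judged after the loop so interface levels are fully known.
    for proto, net, iface in entries:
        detail = f"{proto} {net} {iface}"
        if proto == "telnet":
            findings.append(("TELNET_CLEARTEXT", detail))
        if net.prefixlen == 0:
            findings.append(("ANY_SOURCE", detail))
        if levels.get(iface) == 0:
            findings.append(("LOWEST_SECURITY_INTERFACE", detail))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, detail in audit(cfg):
            print(f"  {code}: {detail}")
```
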


Step 17 - Easy VPN Remote Configuration

The adaptive security appliance can act as an Easy VPN remote device to enable deployment of VPNs to remote locations. The following two modes of operation are available:

Client Mode

Network Extension Mode

In Client Mode, the adaptive security appliance does not expose the IP addresses of clients on the inside network. Instead, the adaptive security appliance uses NAT to translate the IP addresses on the private network to a single, assigned IP address. In this mode, you cannot ping or access any device from outside the private network.

In Network Extension Mode, the adaptive security appliance does not protect the IP addresses of local hosts by substituting an assigned IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.

To configure the adaptive security appliance in one of these two modes, use the following guidelines:

Use Client Mode if:

You want VPN connections to be initiated by client traffic.

You want the IP addresses of local hosts to be hidden from remote networks.

You are using DHCP on the ASA 5505 to provide IP addresses to local hosts.

Use Network Extension Mode if:

You want VPN connections to remain open even when not required for transmitting traffic.

You want remote hosts to be able to communicate directly with hosts on the local network.

Hosts on the local network have static IP addresses.


Note To access this screen, you must have checked the Configure the device for Teleworker usage check box in Step 2 - Basic Configuration and unchecked the Enable Auto Update check box in the Interface Configuration.


To form a secure VPN tunnel between the adaptive security appliance and a remote Cisco VPN 3000 concentrator, Cisco router, or adaptive security appliance that is acting as an Easy VPN server, perform the following steps:


Step 1 To enable the security appliance to act as an Easy VPN remote device, check the Enable Easy VPN remote check box. If you do not enable this feature, any host that has access to the security appliance outside interface through a VPN tunnel can manage it remotely.

Step 2 In the Mode area, choose one of the following:

If you are using a DHCP server to generate dynamic IP addresses for hosts on your inside network, click the Client mode radio button.

If hosts on your inside network have static IP addresses, click the Network Extension mode radio button.

Step 3 In the Group Settings area, do the following:

a. To use X.509 certificates to enable the IPSec main mode, click the Use X.509 Certificate radio button. Choose the trustpoint from the drop-down list.

b. To enter a password for a group of users, click the Use group password radio button.

Enter a name for the user group.

Enter a password for the user group.

Confirm the password.

Step 4 In the User Settings area, do the following:

a. Enter a username for your settings.

b. Enter a password for your settings.

c. Confirm the password for your settings.

Step 5 In the Easy VPN Server area, do the following:

a. Enter the IP address of the primary Easy VPN server.

b. Enter the IP address of a secondary Easy VPN server.


Note The adaptive security appliance supports a maximum of 11 Easy VPN servers: one primary and up to ten secondary. Before you can connect the ASA Easy VPN remote device to the Easy VPN server, you must establish network connectivity between both devices through your ISP. After you have connected the ASA 5500 series adaptive security appliance to the DSL or cable modem, follow the instructions provided by your ISP to complete the network connection. You can obtain an IP address through a PPPoE server, a DHCP server, or a static configuration.


Step 6 Click Next to continue.


Step 18 - Startup Wizard Summary

This screen summarizes all of the configuration settings that you have made for the adaptive security appliance.


Step 1 To change any of the settings in previous screens, click Back.

Step 2 Choose one of the following:

If you ran the Startup Wizard directly from a browser, when you click Finish, the configuration settings that you created through the wizard are sent to the adaptive security appliance and saved in flash memory automatically.

If you ran the Startup Wizard from within ASDM, you must explicitly save the configuration in flash memory by choosing File > Save Running Configuration to Flash.


Other Interfaces Configuration

To configure the remaining interfaces, perform the following steps:


Step 1 Select the interface to change and click Edit.

The Edit Interface dialog box appears.

The Interface field displays the network interface on which the original host or network resides.

The Name field displays the name of the interface being configured.

The Security Level field displays the security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default.

Step 2 To assign the same security level to two or more interfaces, and enable traffic between them, check the Enable traffic between two or more interfaces with same security levels check box.

Step 3 If you have an interface between two or more hosts and want to enable traffic between them, check the Enable traffic between two or more hosts connected to the same interface check box.

Step 4 Click Next to continue.


Editing Interfaces

On the Interface Properties and IPv4 Settings tab, perform the following steps:


Step 1 The Interface field is display-only and shows the name of the selected interface to edit. The Enable interface check box is checked by default.

Step 2 The Interface Name field displays the name of the selected interface. Change the name of the interface, if needed.

Step 3 The Security Level field displays the security level of the selected interface. Change the security level for the interface, if needed. If you change the security level of the interface to a lower level, a warning message appears.

Step 4 In the IP Address area, choose one of the following three options:

To enter a specific IP address for an interface, click the Use the following IP address radio button.

Enter the IP address of the interface.

Choose an existing subnet mask from the drop-down list.

To use the security appliance as a DHCP server, click the Use DHCP radio button.

To use PPPoE to provide an authenticated method of assigning an IP address to an outside interface, click the Use PPPoE radio button.


Note Because PPPoE is permitted on multiple interfaces, each instance of the PPPoE client may require different authentication levels with different usernames and passwords.


Enter a group name to proceed.

Enter the PPPoE username and password, and confirm the password.

PAP is the default authentication method for PPPoE. You have the option of configuring CHAP or MS-CHAP manually by clicking the applicable radio button.

Step 5 Choose one of the following:

To assign an IP address using PPPoE, click the Obtain IP Address using PPPoE radio button.

To assign a particular IP address, click the Specify an IP address radio button.

Enter the IP address.

Choose a subnet mask from the drop-down list.

Step 6 Click OK to save these settings.


On the IPv6 Settings tab, perform the following steps:


Step 1 To configure Neighbor Discovery settings, see the "Configuring IPv6 Neighbor Discovery" section.

Step 2 To configure IPv6 addresses on an interface, see the "Configuring IPv6 Addresses on an Interface" section.

Step 3 To configure IPv6 prefixes on an interface, see the "Configuring IPv6 Prefixes on an Interface" section.

Step 4 Click OK to save these settings.


Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers. For more information about IPv6 Neighbor Discovery, see Chapter 25 "Configuring IPv6 Neighbor Discovery."

This section includes the following topics:

Configuring Neighbor Solicitation Messages

Configuring Router Advertisement Messages

Configuring IPv6 Static Neighbors

Configuring Neighbor Solicitation Messages

Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is sent to the solicited-node multicast address. The source address in the neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation message also includes the link-layer address of the source node.

After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message. After the source node receives the neighbor advertisement, the source node and destination node can communicate.

Figure 7-1 shows the neighbor solicitation and response process.

Figure 7-1 IPv6 Neighbor Discovery—Neighbor Solicitation Message

Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.

Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link. When there is such a change, the destination address for the neighbor advertisement is the all-nodes multicast address.

You can configure the neighbor solicitation message interval and neighbor reachable time on a per-interface basis.

In addition, you can configure DAD settings, IPv6 addresses, and IPv6 prefixes. For more information, see the following sections:

Configuring the Neighbor Solicitation Message Interval

Configuring the Neighbor Reachable Time

Configuring DAD Settings

Configuring IPv6 Addresses on an Interface

Configuring IPv6 Prefixes on an Interface
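The addressing rules of the solicitation and advertisement exchange described in this section can be traced in a short Python sketch. It is an added example, not part of the Cisco guide or of the ASA software; the host addresses and MAC values are constructed, and the function names are illustrative.

```python
import ipaddress
import struct

ND_NS, ND_NA = 135, 136                  # ICMPv6 types named in this section
OPT_SOURCE_LL, OPT_TARGET_LL = 1, 2      # link-layer address options
NA_SOLICITED, NA_OVERRIDE = 0x40000000, 0x20000000
ALL_NODES = ipaddress.IPv6Address("ff02::1")
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Multicast group an NS is sent to: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)


def build_nd(msg_type, target, mac, flags=0):
    """ICMPv6 body of an NS or NA carrying one link-layer address option.
    The checksum stays zero here because it covers the IPv6 pseudo-header."""
    opt_type = OPT_SOURCE_LL if msg_type == ND_NS else OPT_TARGET_LL
    lladdr = bytes(int(part, 16) for part in mac.split(":"))
    option = struct.pack("!BB6s", opt_type, 1, lladdr)   # length counts 8-byte units
    header = struct.pack("!BBHI", msg_type, 0, 0, flags)
    return header + ipaddress.IPv6Address(target).packed + option


def parse_nd(body):
    """Return type, flags, target and link-layer address; reject malformed input."""
    if len(body) < 24:
        raise ValueError("truncated neighbor discovery message")
    msg_type, code, _cksum, flags = struct.unpack("!BBHI", body[:8])
    if msg_type not in (ND_NS, ND_NA) or code != 0:
        raise ValueError("not a neighbor solicitation or advertisement")
    out = {"type": msg_type, "flags": flags,
           "target": ipaddress.IPv6Address(body[8:24]), "lladdr": None}
    pos = 24
    while pos < len(body):
        # Each option is type, length (in 8-byte units), value; length 0 is invalid.
        if len(body) - pos < 2 or body[pos + 1] == 0 or pos + body[pos + 1] * 8 > len(body):
            raise ValueError("malformed option")
        opt_type, size = body[pos], body[pos + 1] * 8
        if opt_type in (OPT_SOURCE_LL, OPT_TARGET_LL) and size == 8:
            out["lladdr"] = ":".join(f"{b:02x}" for b in body[pos + 2:pos + 8])
        pos += size
    return out


def resolve(requester, requester_mac, neighbor, neighbor_mac, probe=False):
    """(src, dst, body) for the NS and for the NA that answers it.
    probe=True models a reachability check: the NS goes to the neighbor's unicast address."""
    requester = ipaddress.IPv6Address(requester)
    neighbor = ipaddress.IPv6Address(neighbor)
    ns_dst = neighbor if probe else solicited_node(neighbor)
    ns = (requester, ns_dst, build_nd(ND_NS, neighbor, requester_mac))
    na = (neighbor, requester,
          build_nd(ND_NA, neighbor, neighbor_mac, NA_SOLICITED | NA_OVERRIDE))
    return ns, na


def announce_change(node, new_mac):
    """Unsolicited NA sent to the all-nodes group after a link-layer address change."""
    node = ipaddress.IPv6Address(node)
    return (node, ALL_NODES, build_nd(ND_NA, node, new_mac, NA_OVERRIDE))


if __name__ == "__main__":
    # Constructed sample hosts in the documentation prefix 2001:db8::/32.
    ns, na = resolve("2001:db8::1", "00:0d:88:aa:bb:01",
                     "2001:db8::20d:88ff:feee:6a82", "00:0d:88:ee:6a:82")
    for src, dst, body in (ns, na):
        print(src, "->", dst, parse_nd(body))
```
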

Configuring the Neighbor Solicitation Message Interval

You can configure the interval between IPv6 neighbor solicitation retransmissions on an interface. Valid values range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds. This setting is also sent in router advertisement messages.

To configure the neighbor solicitation message interval, perform the following steps:


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 Choose the interface on which to configure the neighbor solicitation interval. The interface must have been configured with an IPv6 address. See the "Configuring IPv6 Neighbor Discovery" section for more information.

Step 3 Click Edit. The Edit Interface dialog box appears with three tabs: General, Advanced, and IPv6.

Step 4 Click the IPv6 tab.

Step 5 In the NS Interval field, enter the time interval.

Step 6 Click OK.

Step 7 Click Apply to save the configuration.


Configuring the Neighbor Reachable Time

The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.

Valid time values range from 0 to 3600000 milliseconds. The default is 0; however, when you use 0, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value.

To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, perform the following steps:


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 Choose the interface for which you want to configure the time. The interface must have been configured with an IPv6 address. For more information, see the "Configuring IPv6 Neighbor Discovery" section.

Step 3 Click Edit. The Edit Interface dialog box appears with three tabs: General, Advanced, and IPv6.

Step 4 Click the IPv6 tab.

Step 5 In the Reachable Time field, enter a valid value.

Step 6 Click OK.

Step 7 Click Apply to save the configuration.


Configuring DAD Settings

Duplicate Address Detection (DAD) settings are part of the Neighbor Discovery configuration. DAD verifies the uniqueness of new unicast IPv6 addresses before they are assigned and ensures that duplicate IPv6 addresses are detected in the network on a link basis.

To specify DAD settings on the interface, perform the following steps:


Step 1 Enter the number of allowed DAD attempts. This setting configures the number of consecutive neighbor solicitation messages that are sent on an interface while DAD is performed on IPv6 addresses. Valid values are from 0 to 600. A zero value disables DAD processing on the specified interface. The default is one message.

Step 2 Enter the neighbor solicitation message interval. The neighbor solicitation message requests the link-layer address of a target node. Valid values are from 1000 to 3600000 milliseconds. The default is 1000 milliseconds.

Step 3 Enter the amount of time in seconds that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred. Valid values are from 1000 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.

Step 4 Enter the amount of time that IPv6 router advertisement transmissions are considered valid. Valid values are from 3 to 1800 seconds. The default is 200 seconds. Router advertisement transmissions include a preference level and a lifetime field for each advertised router address. These transmissions provide route information and indicate that the router is still operational to network hosts. By default, these transmissions are sent every 400 to 600 seconds.

Step 5 Enter the interval between IPv6 router advertisement transmissions. Valid values are from 3 to 1800 seconds. The default is 200 seconds. To have the router advertisement transmission interval be listed in milliseconds, check the RA Interval in Milliseconds check box.

Step 6 To allow the generation of addresses for hosts, make sure that the Suppress RA check box is unchecked. This is the default setting if IPv6 unicast routing is enabled. To prevent the generation of IPv6 router advertisement transmissions, check the Suppress RA check box.

Step 7 To continue, see the "Configuring IPv6 Addresses on an Interface" section.


Configuring IPv6 Addresses on an Interface

To configure IPv6 addresses on an interface, perform the following steps:


Step 1 If you have not configured any IPv6 addresses with the CLI, to enable IPv6 addressing, check the Enable IPv6 check box.

Step 2 To verify the source addresses of IPv6 packets received on that interface against the source MAC addresses, so that the interface identifiers use the modified EUI-64 format, check the Enforce EUI-64 check box. If the interface identifiers do not conform to the modified EUI-64 format, an error message appears.

Step 3 If you are not going to assign any other IPv6 addresses, to set the link-local address manually, enter an address in the Link-local address field. A link-local address should start with FE8, FE9, FEA, or FEB, for example fe80::20d:88ff:feee:6a82. Alternatively, click the ellipsis to choose a link-local address from the Browse Link-local address dialog box.

Step 4 After you have selected the link-local address, click OK to return to the IPv6 tab.

The selected link-local address appears in the Link-local address field.

Step 5 To enable address autoconfiguration, check the Enable address autoconfiguration check box. During the stateless autoconfiguration process, duplicate address detection (DAD) verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, duplicate address detection is then performed on all the other IPv6 unicast addresses on the interface. For more information about DAD, see the "Configuring DAD Settings" section.

Step 6 In the Interface IPv6 Addresses area, click Add.

The Add IPv6 Address for Interface dialog box appears.

Step 7 (Optional) Check the EUI-64 check box.

Step 8 Click OK to save your settings.

The Interface IPv6 Addresses Address field appears with the modified EUI-64 address.


Note You cannot use IPv6 addresses for the failover LAN and state links. For more information, see the "Configuring Failover with the High Availability and Scalability Wizard" section.


Step 9 To continue, see the "Configuring IPv6 Prefixes on an Interface" section.
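The comparison behind the Enforce EUI-64 option in Step 2 and the link-local prefix rule in Step 3 can be modelled in Python. This is an added example, not Cisco's implementation; it assumes 48-bit Ethernet MAC addresses, reuses the guide's sample address fe80::20d:88ff:feee:6a82, and all function names and the sample frames are constructed for illustration.

```python
import ipaddress

# Link-local range: addresses whose first three hex digits are FE8, FE9, FEA or FEB.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier.
    Flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """Address formed from a prefix of at most 64 bits and the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix leaves no room for a 64-bit interface identifier")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def conforms_to_eui64(src_addr, src_mac):
    """True when the low 64 bits of the source address match the source MAC."""
    return ipaddress.IPv6Address(src_addr).packed[8:] == modified_eui64(src_mac)


def is_link_local(addr):
    return ipaddress.IPv6Address(addr) in LINK_LOCAL


def rejected_by_eui64_check(frames):
    """frames: (source MAC, source IPv6) pairs as seen on the interface.
    Returns the pairs whose interface identifier is not derived from the MAC."""
    return [(mac, ip) for mac, ip in frames if not conforms_to_eui64(ip, mac)]


# Constructed sample traffic; the first address is the guide's own example.
SAMPLE_FRAMES = [
    ("00:0d:88:ee:6a:82", "fe80::20d:88ff:feee:6a82"),          # link-local, derived from MAC
    ("00:0d:88:ee:6a:82", "2001:db8:0:1:20d:88ff:feee:6a82"),   # global, derived from MAC
    ("00:0d:88:ee:6a:83", "2001:db8:0:1:20d:88ff:feee:6a82"),   # identifier of another MAC
    ("00:0d:88:ee:6a:82", "2001:db8:0:1::10"),                  # manually chosen identifier
]

if __name__ == "__main__":
    for mac, ip in rejected_by_eui64_check(SAMPLE_FRAMES):
        print("would be rejected:", mac, ip)
```

Manually assigned or randomized interface identifiers fail this comparison, as the last sample frame shows.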


Configuring IPv6 Prefixes on an Interface

To configure IPv6 prefixes on an interface, perform the following steps:


Step 1 In the Interface IPv6 Prefixes area, click Add.

The Add IPv6 Prefix for Interface dialog box appears.

Step 2 Enter the IPv6 address with the prefix length.

Step 3 (Optional) To configure the IPv6 address manually, check the No Auto-Configuration check box. This setting indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration.

Step 4 (Optional) To indicate that the IPv6 prefix is not advertised, check the No Advertisements check box.

Step 5 (Optional) The Off Link check box indicates that the specified prefix is assigned to the link. Nodes sending traffic to addresses that contain the specified prefix consider the destination to be locally reachable on the link. This prefix should not be used for on-link determination.

Step 6 In the Prefix Lifetime area, click the Lifetime Duration radio button, and specify the following:

a. A valid lifetime for the prefix in seconds from the drop-down list. This setting is the amount of time that the specified IPv6 prefix is advertised as being valid. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default is 2592000 (30 days).

b. A preferred lifetime for the prefix from the drop-down list. This setting is the amount of time that the specified IPv6 prefix is advertised as being preferred. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default setting is 604800 (seven days).

Step 7 To define a prefix lifetime expiration date, click the Lifetime Expiration Date radio button, and specify the following:

a. Choose a valid month and day from the drop-down list, and then enter a time in hh:mm format.

b. Choose a preferred month and day from the drop-down list, and then enter a time in hh:mm format.

Step 8 Click OK to save your settings.

The Interface IPv6 Prefixes Address field appears with the preferred and valid dates.


Configuring Router Advertisement Messages

Router advertisement messages (ICMPv6 Type 134) are periodically sent from each IPv6 configured interface of the adaptive security appliance. The router advertisement messages are sent to the all-nodes multicast address. Figure 7-2 shows an example of a router advertisement message.

Figure 6-2 shows the flow of router advertisement messages from an IPv6 configured interface.

Figure 7-2 IPv6 Neighbor Discovery—Router Advertisement Message

Router advertisement messages typically include the following information:

One or more IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6 addresses.

Lifetime information for each prefix included in the advertisement.

Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.

Default router information (whether the router sending the advertisement should be used as a default router and, if so, the amount of time (in seconds) the router should be used as a default router).

Additional information for hosts, such as the hop limit and MTU a host should use in packets that it originates.

The amount of time between neighbor solicitation message retransmissions on a given link.

The amount of time a node considers a neighbor reachable.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message. Because router solicitation messages are usually sent by hosts at system startup, and the host does not have a configured unicast address, the source address in router solicitation messages is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the interface sending the router solicitation message is used as the source address in the message. The destination address in router solicitation messages is the all-routers multicast address with scope of the link. When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message.

You can configure the following settings for router advertisement messages:

The time interval between periodic router advertisement messages.

The router lifetime value, which indicates the amount of time IPv6 nodes should consider the adaptive security appliance to be the default router.

The IPv6 network prefixes used on the link.

Whether or not an interface transmits router advertisement messages.

Unless otherwise noted, the router advertisement message settings are specific to an interface and are entered in interface configuration mode. For information about changing these settings, see the following sections:

Configuring the Router Advertisement Transmission Interval

Configuring the Router Lifetime Value

Suppressing Router Advertisement Messages
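The information that a router advertisement carries, as listed above, maps onto the message layout defined in RFC 4861, which the following added Python example builds and parses. It is not Cisco code; the sample message is constructed from documentation prefixes and the default values quoted in this chapter, and the function names are illustrative.

```python
import ipaddress
import struct

ND_RA = 134                      # ICMPv6 type of a router advertisement
OPT_PREFIX_INFO, OPT_MTU = 3, 5
INFINITE = 0xFFFFFFFF            # maximum lifetime value, meaning infinity


def prefix_option(prefix, valid_s, preferred_s, on_link=True, autoconf=True):
    """Prefix Information option: lifetimes plus the on-link (L) and autonomous (A) flags."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if on_link else 0) | (0x40 if autoconf else 0)
    return struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid_s, preferred_s, 0, net.network_address.packed)


def mtu_option(mtu):
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)


def build_ra(hop_limit, router_lifetime_s, reachable_ms, retrans_ms, options=b"",
             managed=False, other=False):
    """ICMPv6 body of a router advertisement (checksum left at zero)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    return struct.pack("!BBHBBHII", ND_RA, 0, 0, hop_limit, flags,
                       router_lifetime_s, reachable_ms, retrans_ms) + options


def parse_ra(body):
    """Decode the fields a host acts on; reject truncated or malformed messages."""
    if len(body) < 16 or body[0] != ND_RA or body[1] != 0:
        raise ValueError("not a router advertisement")
    _t, _c, _ck, hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", body[:16])
    ra = {"hop_limit": hop,
          "stateful": bool(flags & 0x80),          # M flag: addresses from a stateful service
          "other_config": bool(flags & 0x40),      # O flag: other settings from a stateful service
          "router_lifetime_s": lifetime,
          "default_router": lifetime > 0,          # 0 means: do not use as default router
          "reachable_time_ms": reachable,          # 0 means unspecified by this router
          "ns_interval_ms": retrans,               # neighbor solicitation retransmit interval
          "mtu": None, "prefixes": []}
    pos = 16
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] == 0 or pos + body[pos + 1] * 8 > len(body):
            raise ValueError("malformed option")
        opt_type, size = body[pos], body[pos + 1] * 8
        opt = body[pos:pos + size]
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                                        strict=False)
            ra["prefixes"].append({"prefix": net, "on_link": bool(pflags & 0x80),
                                   "autoconf": bool(pflags & 0x40),
                                   "valid_s": valid, "preferred_s": preferred})
        elif opt_type == OPT_MTU and size == 8:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        pos += size
    return ra


def autoconf_prefixes(ra):
    """Prefixes a host may use for stateless autoconfiguration from this advertisement."""
    return [str(p["prefix"]) for p in ra["prefixes"]
            if p["autoconf"] and p["valid_s"] > 0 and p["preferred_s"] <= p["valid_s"]]


# Constructed sample: one prefix open to autoconfiguration, one advertised without it.
SAMPLE_RA = build_ra(64, 1800, 0, 1000, options=(
    prefix_option("2001:db8:0:1::/64", 2592000, 604800)
    + prefix_option("2001:db8:0:2::/64", INFINITE, INFINITE, autoconf=False)
    + mtu_option(1500)))

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print(decoded)
    print("usable for autoconfiguration:", autoconf_prefixes(decoded))
```
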

Configuring the Router Advertisement Transmission Interval

By default, router advertisements are sent out every 200 seconds. Valid values range from 3 to 1800 seconds.

The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the adaptive security appliance is configured as a default router. For more information, see the "Configuring the Router Lifetime Value" section. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value.

To change the interval between router advertisement transmissions on an interface, perform the following steps:


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 Select the interface for which you want to configure the time.

The interface must have been configured with an IPv6 address. For more information, see the "Configuring IPv6 Neighbor Discovery" section.

Step 3 Click Edit. The Edit Interface dialog box appears with three tabs: General, Advanced, and IPv6.

Step 4 Click the IPv6 tab.

Step 5 In the RA Interval field, enter a valid transmission interval value.


Note (Optional) To add a router advertisement transmission interval value in milliseconds instead, check the RA Interval in Milliseconds check box, and enter a value from 500 to 1800000.


Step 6 Click OK.

Step 7 Click Apply to save the configuration.


Configuring the Router Lifetime Value

The router lifetime value specifies how long nodes on the local link should consider the adaptive security appliance as the default router on the link. Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that the adaptive security appliance should not be considered a default router on the selected interface.

To configure the router lifetime value in IPv6 router advertisements on an interface, perform the following steps:


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 Select the interface for which you want to configure the lifetime value.

The interface must have been configured with an IPv6 address. For more information, see the "Configuring IPv6 Neighbor Discovery" section.

Step 3 Click Edit.

The Edit Interface dialog box appears with three tabs: General, Advanced, and IPv6.

Step 4 Click the IPv6 tab.

Step 5 In the RA Lifetime field, enter a valid lifetime value.

Step 6 Click OK.

Step 7 Click Apply to save the configuration.


Suppressing Router Advertisement Messages

By default, router advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the adaptive security appliance to supply the IPv6 prefix (for example, the outside interface).

To suppress IPv6 router advertisement transmissions on an interface, perform the following steps:


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 Select the interface for which you want to configure the lifetime value. The interface must have been configured with an IPv6 address. For more information, see the "Configuring IPv6 Neighbor Discovery" section.

Step 3 Click Edit.

The Edit Interface dialog box appears with three tabs: General, Advanced, and IPv6.

Step 4 Click the IPv6 tab.

Step 5 Check the Suppress RA check box.

Step 6 Verify that the router advertisement message is suppressed on the interface that is configured for the IPv6 address.


Configuring IPv6 Static Neighbors

This section includes the following topics:

Adding an IPv6 Static Neighbor

Editing Static Neighbors

Deleting Static Neighbors

Viewing and Clearing Dynamic Neighbors

Adding an IPv6 Static Neighbor

Make sure that IPv6 is enabled on at least one interface before trying to add a neighbor, or ASDM returns an error message indicating that the configuration failed. For information about configuring IPv6 on an interface, see the "Configuring a Static IPv6 Neighbor" section.

For information about configuring IPv6 Neighbor Discovery, see the "Configuring IPv6 Neighbor Discovery" section.

To add an IPv6 static neighbor, perform the following steps:


Step 1 Choose Configuration > Device Management > Advanced > IPv6 Neighbor Discovery Cache.

Step 2 Click Add.

The Add IPv6 Static Neighbor dialog box appears.

Step 3 From the Interface Name drop-down list, choose an interface on which to add the neighbor.

Step 4 In the IP Address field, enter the IPv6 address that corresponds to the local data-link address, or click the ellipsis (...) to browse for an address.

If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry.

Step 5 In the MAC address field, enter the local data-link (hardware) MAC address.

Step 6 Click OK.


Note Before you apply the changes and save the configuration, you can click Reset to cancel any changes and restore the original values.


Step 7 Click Apply to save the configuration.


Editing Static Neighbors

To edit a static neighbor that is defined in your configuration, perform the following steps:


Step 1 Choose Configuration > Device Management > Advanced > IPv6 Neighbor Discovery Cache.

Step 2 Select the neighbor from the main pane, and click Edit.

The Edit IPv6 Static Neighbor dialog box appears.

Step 3 Enter all necessary changes, and click OK.

Step 4 Click Apply to save the changes to your configuration.


Deleting Static Neighbors

To delete a static neighbor from your configuration, perform the following steps:


Step 1 Choose Configuration > Device Management > Advanced > IPv6 Neighbor Discovery Cache.

Step 2 Select the neighbor to delete from the main pane, and click Delete.

The selected neighbor is removed from the list.

Step 3 Click Apply to save the change to your current configuration.


Note Before you apply the changes and permanently delete the neighbor from your configuration, you can click Reset to restore the original values.



Viewing and Clearing Dynamic Neighbors

When a host or node communicates with a neighbor, the neighbor is added to the neighbor discovery cache. The neighbor is removed from the cache when there is no longer any communication with the neighbor.

To view dynamically discovered neighbors and to clear neighbors from the IPv6 Neighbor Discovery Cache, perform the following steps:


Step 1 Choose Monitoring > Interface Graphs > IPv6 Neighbor Discovery Cache.

You can view all static and dynamically discovered neighbors from the IPv6 Neighbor Discovery Cache pane.

Step 2 To clear all dynamically discovered neighbors from the cache, click Clear Dynamic Neighbor Entries.

The neighbor information is removed from the cache.


Note This procedure clears only dynamically discovered neighbors from the cache; it does not clear static neighbors. To clear static neighbors, see the "Deleting Static Neighbors" section.



Interface Configuration

To configure the remaining interfaces and enable traffic between two or more interfaces, perform the following steps:


Step 1 To change the configuration of the interface in the Edit Interface dialog box, click Edit.

Step 2 To enable traffic between two or more interfaces with the same security level, check the Enable traffic between two or more interfaces with the same security level check box.


Note IP address-related fields are not available in transparent mode.


Step 3 Click Next to continue.


Outside Interface Configuration - PPPoE

To configure the outside interface by obtaining an IP address from a PPPoE server, perform the following steps:


Step 1 Enter the name of the group. You must specify a group name to proceed.

Step 2 In the User Authentication area, enter the following information:

The PPPoE username.

The PPPoE password.

Confirm the PPPoE password.

Step 3 In the Authentication Method area, enter the following:

PAP is the default authentication method for PPPoE. With PAP, the username and password are sent unencrypted. You have the option of configuring CHAP or MS-CHAP manually.

To select CHAP authentication, check the CHAP check box. CHAP does not prevent unauthorized access; it identifies the remote end. The access server then determines whether the user is allowed access.

To select MS-CHAP authentication for PPP connections between a computer using a Windows operating system and an access server, check the MS-CHAP check box.

Step 4 In the IP Address area, choose one of the following:

To obtain an IP address using a PPPoE server, click the Obtain IP Address using PPPoE radio button.

To specify an IP address for an interface, click the Specify an IP address radio button.

Enter an IP address for an interface.

Enter or choose a subnet mask for an interface from the drop-down list.

To obtain the default route between the PPPoE server and the PPPoE client, click the Obtain default route using PPPoE radio button.

Step 5 Click Next to continue.


Outside Interface Configuration


Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces. After you have created the maximum number of interfaces, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and must select an existing one.


To configure the outside interface by specifying an IP address, or by obtaining one from a PPPoE or a DHCP server, perform the following steps:


Step 1 On the Interface Settings tab, do the following:

a. Choose an interface from the drop-down list.

b. Add a name to a new interface or show the name associated with an existing interface.

c. To activate the interface in privileged mode, check the Enable interface check box.

d. Specify the security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default.

Step 2 Choose one of the following:

To obtain an IP address from a PPPoE server, click the Use PPPoE radio button.

To obtain an IP address from a DHCP server, click the Use DHCP radio button.

To obtain an IP address for the default gateway using DHCP, check the Obtain default route using DHCP check box.

Step 3 On the IPv6 Interface Settings tab, do the following:

To enable the IPv6 interface, check the Enable IPv6 for the Interface check box.

To add an IPv6 interface address, check the Add an IPv6 Address check box.

Specify the IPv6 address and prefix length (for example, fe80:aabb::). Multiple addresses with prefixes are allowed; however, no two addresses can be repeated within the list of addresses.

To configure an address using the EUI 64-bit interface identifier format, check the EUI 64 check box.

Step 4 Click Next to continue.


Feature History for the Startup Wizard

Table 7-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 7-3 Feature History for the Startup Wizard

Feature Name      Platform Releases    Feature Information
Startup Wizard    7.0(1)               This feature was introduced.