Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
Getting Started
Downloads: This chapterpdf (PDF - 163.0KB) The complete bookPDF (PDF - 20.75MB) | Feedback

Getting Started

Table Of Contents

Getting Started

Factory Default Configurations

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5510 and Higher Default Configuration

Accessing the Command-Line Interface

Working with the Configuration

Saving Configuration Changes

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Applying Configuration Changes to Connections


Getting Started


This chapter describes how to get started with your adaptive security appliance. This chapter includes the following sections:

Factory Default Configurations

Accessing the Command-Line Interface

Working with the Configuration

Applying Configuration Changes to Connections

https://192.168.1.1/admin

Factory Default Configurations

The factory default configuration is the configuration applied by Cisco to new adaptive security appliances.

For the ASA 5510 and higher adaptive security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.

For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the adaptive security appliance is ready to use in your network immediately.

The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 5 "Configuring Multiple Context Mode," for more information about multiple context mode. See Chapter 4 "Configuring the Transparent or Routed Firewall," for more information about routed and transparent firewall mode.


Note In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.


This section includes the following topics:

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5510 and Higher Default Configuration

Restoring the Factory Default Configuration

This section describes how to restore the factory default configuration.

Limitations

This feature is available only in routed firewall mode; transparent mode does not support IP addresses for interfaces. In addition, this feature is available only in single context mode; an adaptive security appliance with a cleared configuration does not have any defined contexts to configure automatically using this feature.

Detailed Steps

 
Command
Purpose

Step 1 

configure factory-default [ip_address [mask]]

Example:

hostname(config)# configure factory-default 10.1.1.1 255.255.255.0

Restores the factory default configuration.

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify.

Note This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external flash memory card. The next time you reload the adaptive security appliance after restoring the factory configuration, it boots from the first image in internal flash memory; if you do not have an image in internal flash memory, the adaptive security appliance does not boot.

Step 2 

write memory
 
        
Example:
active(config)# write memory

Saves the default configuration to flash memory. This command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared.

What to Do Next

To configure additional settings that are useful for a full configuration, see the setup command.

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.

The default route is also derived from DHCP.

All inside IP addresses are translated when accessing the outside using interface PAT.

By default, inside users can access the outside, and outside users are prevented from accessing the inside.

The DHCP server is enabled on the adaptive security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface Ethernet 0/0
   switchport access vlan 2
   no shutdown
interface Ethernet 0/1
   switchport access vlan 1
   no shutdown
interface Ethernet 0/2
   switchport access vlan 1
   no shutdown
interface Ethernet 0/3
   switchport access vlan 1
   no shutdown
interface Ethernet 0/4
   switchport access vlan 1
   no shutdown
interface Ethernet 0/5
   switchport access vlan 1
   no shutdown
interface Ethernet 0/6
   switchport access vlan 1
   no shutdown
interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
interface vlan2
   nameif outside
   no shutdown
   ip address dhcp setroute
interface vlan1
   nameif inside
   ip address 192.168.1.1 255.255.255.0
   security-level 100
   no shutdown
object network obj_any
   subnet 0 0
   nat (inside,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
 
   

ASA 5510 and Higher Default Configuration

The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:

The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.

The DHCP server is enabled on the adaptive security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:

interface management 0/0
   ip address 192.168.1.1 255.255.255.0
   nameif management
   security-level 100
   no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
 
   

Accessing the Command-Line Interface

For initial configuration, access the command-line interface directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 34 "Configuring Management Access." If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See Chapter 5 "Configuring Multiple Context Mode," for more information about multiple context mode.


Note If you want to use ASDM to configure the adaptive security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your adaptive security appliance includes a factory default configuration. See the "Factory Default Configurations" section.). On the ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. If you do not have a factory default configuration, follow the steps in this section to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.


To access the command-line interface, perform the following steps:


Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

See the hardware guide that came with your adaptive security appliance for more information about the console cable.

Step 2 Press the Enter key to see the following prompt:

hostname>

This prompt indicates that you are in user EXEC mode.

Step 3 To access privileged EXEC mode, enter the following command:

hostname> enable
 
   

The following prompt appears:

Password:
 
   

Step 4 Enter the enable password at the prompt.

By default, the password is blank, and you can press the Enter key to continue. See the "Changing the Enable Password" section to change the enable password.

The prompt changes to:

hostname#
 
   

To exit privileged mode, enter the disable, exit, or quit command.

Step 5 To access global configuration mode, enter the following command:

hostname# configure terminal
 
   

The prompt changes to the following:

hostname(config)#
 
   

To exit global configuration mode, enter the exit, quit, or end command.


Working with the Configuration

This section describes how to work with the configuration. The adaptive security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 76 "Managing Software and Configurations.")

When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.

The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 5 "Configuring Multiple Context Mode."

This section includes the following topics:

Saving Configuration Changes

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Saving Configuration Changes

This section describes how to save your configuration and includes the following topics:

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Saving Configuration Changes in Single Context Mode

To save the running configuration to the startup configuration, enter the following command:

Command
Purpose

write memory

Example:

hostname# write memory

Saves the running configuration to the startup configuration.

Note The copy running-config startup-config command is equivalent to the write memory command.


Saving Configuration Changes in Multiple Context Mode

You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics:

Saving Each Context and System Separately

Saving All Context Configurations at the Same Time

Saving Each Context and System Separately

To save the system or context configuration, enter the following command within the system or context:

Command
Purpose

write memory

Example:

hostname# write memory

Saves the running configuration to the startup configuration.

For multiple context mode, context startup configurations can reside on external servers. In this case, the adaptive security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.

Note The copy running-config startup-config command is equivalent to the write memory command.


Saving All Context Configurations at the Same Time

To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:

Command
Purpose

write memory all [/noconfirm]

Example:

hostname# write memory all /noconfirm

Saves the running configuration to the startup configuration for all contexts and the system configuration.

If you do not enter the /noconfirm keyword, you see the following prompt:

Are you sure [Y/N]:
 
        

After you enter Y, the adaptive security appliance saves the system configuration and each context. Context startup configurations can reside on external servers. In this case, the adaptive security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server.


After the adaptive security appliance saves each context, the following message appears:

`Saving context `b' ... ( 1/3 contexts saved ) '
 
   

Sometimes, a context is not saved because of an error. See the following information for errors:

For contexts that are not saved because of low memory, the following message appears:

The context 'context a' could not be saved due to Unavailability of resources
 
   

For contexts that are not saved because the remote destination is unreachable, the following message appears:

The context 'context a' could not be saved due to non-reachability of destination
 
   

For contexts that are not saved because the context is locked, the following message appears:

Unable to save the configuration for the following contexts as these contexts are 
locked.
context `a' , context `x' , context `z' .
 
   

A context is only locked if another user is already saving the configuration or in the process of deleting the context.

For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages:

Unable to save the configuration for the following contexts as these contexts have 
read-only config-urls:
context `a' , context `b' , context `c' .
 
   

For contexts that are not saved because of bad sectors in the flash memory, the following message appears:

The context 'context a' could not be saved due to Unknown errors
 
   

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of the following options.

Command
Purpose
copy startup-config running-config

Merges the startup configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

reload

Reloads the adaptive security appliance, which loads the startup configuration and discards the running configuration.

clear configure all
copy startup-config running-config

Loads the startup configuration and discards the running configuration without requiring a reload.


Viewing the Configuration

The following commands let you view the running and startup configurations.

Command
Purpose
show running-config

Views the running configuration.

show running-config command

Views the running configuration of a specific command.

show startup-config

Views the startup configuration.


Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.

Command
Purpose
clear configure configurationcommand 
[level2configurationcommand]

Clears all the configuration for a specified command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand.

For example, to clear the configuration for all aaa commands, enter the following command:

hostname(config)# clear configure aaa
 
        

To clear the configuration for only aaa authentication commands, enter the following command:

hostname(config)# clear configure aaa authentication
no configurationcommand 
[level2configurationcommand] qualifier

Disables the specific parameters or options of a command. In this case, you use the no command to remove the specific configuration identified by qualifier.

For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1
write erase

Erases the startup configuration.

clear configure all

Erases the running configuration.

Note In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running. The context configuration files are not erased, and remain in their original location.


Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the adaptive security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the adaptive security appliance internal flash memory. See Chapter 76 "Managing Software and Configurations," for information on downloading the configuration file to the adaptive security appliance.

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is "hostname(config)#":

hostname(config)# context a
 
   

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:

context a
 
   

For additional information about formatting the file, see "Using the Command-Line Interface."

Applying Configuration Changes to Connections

When you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. To disconnect connections, enter one of the following commands:

Command
Purpose
clear local-host [ip_address] [all]

This command reinitalizes per-client run-time states such as connection limits and embryonic limits. As a result, this command removes any connection that uses those limits. See the show local-host all command to view all current connections per host.

With no arguments, this command clears all affected through-the-box connections. To also clear to-the-box connections (including your current management session), use the all keyword. To clear connections to and from a particular IP address, use the ip_address argument.

clear conn [all] [protocol {tcp | udp}] 
[address src_ip[-src_ip] [netmask mask]] 
[port src_port[-src_port]] [address 
dest_ip[-dest_ip] [netmask mask]] [port 
dest_port[-dest_port]] 

This command terminates connections in any state. See the show conn command to view all current connections.

With no arguments, this command clears all through-the-box connections. To also clear to-the-box connections (including your current management session), use the all keyword. To clear specific connections based on the source IP address, destination IP address, port, and/or protocol, you can specify the desired options.

clear xlate [arguments] 

This command clears dynamic NAT sessions; static sessions are not affected. As a result, it removes any connections using those NAT sessions.

With no arguments, this command clears all NAT sessions. See the Cisco ASA 5500 Series Command Reference for more information about the arguments available.