Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings
This chapter describes how to configure basic settings on your ASA 1000V that are typically required for a functioning configuration and includes the following sections:
•Configuring the Hostname, Domain Name, and Passwords
•Setting the Date and Time
•Configuring the Master Passphrase
•Configuring the DNS Server
Configuring the Hostname, Domain Name, and Passwords
This section describes how to change the device name and passwords and includes the following topics:
•Setting the Hostname, Domain Name, and the enable and Telnet Passwords
Setting the Hostname, Domain Name, and the enable and Telnet Passwords
To set the hostname and domain name and set the enable and Telnet passwords, perform the following steps:
Step 1 In ASDM, choose Configuration > Device Setup > Device Name/Password.
Step 2 Enter the hostname. The default hostname depends on your platform.
The hostname appears in the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in syslog messages.
Step 3 Enter the domain name. The default domain name is default.domain.invalid.
The ASA 1000V appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the ASA 1000V qualifies the name to "jupiter.example.com."
Step 4 Change the privileged mode (enable) password.
The enable password lets you access privileged EXEC mode after you log in. Also, this password is used to access ASDM as the default user, which is blank. The default user shows as "enable_15" in the User Accounts pane. (If you configure user authentication for enable access, then each user has a separate password, and this enable password is not used. In addition, you can configure authentication for HTTP/ASDM access.)
Step 5 Enter the old password.
Step 6 Enter the new password.
Step 7 Confirm the new password.
Step 8 Change the login password to access the platform console.
The Telnet password sets the login password. By default, it is "cisco." This password applies to both Telnet and SSH access. The login password lets you access EXEC mode if you connect to the ASA 1000V using a Telnet or SSH session. (If you configure user authentication for Telnet or SSH access, then each user has a separate password, and this login password is not used.)
Step 9 Enter the old password.
Step 10 Enter the new password.
Step 11 Confirm the new password.
Step 12 Click Apply to save your changes.
Setting the Date and Time
This section includes the following topics:
•Setting the Date and Time Using an NTP Server
•Setting the Date and Time Manually
Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:
Use the Configuration > Device Setup > System Time > NTP pane to define NTP servers for setting the time dynamically on the ASA 1000V. The time displays in the status bar at the bottom of the main ASDM window. Time derived from an NTP server overrides any time set manually in the Clock pane.
NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. You can configure multiple NTP servers. The ASA 1000V chooses the server with the lowest stratum—a measure of how reliable the data is.
Adding or Editing the NTP Server Configuration
To add or edit an NTP server, perform the following steps:
Step 1 In ASDM, choose Configuration > Device Setup > System Time > NTP.
Step 2 Click Add to display the Add NTP Server Configuration dialog box.
Step 3 Enter the NTP server IP address.
Step 4 Check the Preferred check box to set this server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to it. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the ASA 1000V uses the more accurate one.
Step 5 Choose the interface from the drop-down list. This setting specifies the outgoing interface for NTP packets. If the interface is blank, then the ASA 1000V uses the default interface according to the routing table.
Step 6 Choose the key number from the drop-down list. This setting specifies the key ID for this authentication key, which enables you to use MD5 authentication to communicate with the NTP server. The NTP server packets must also use this key ID. If you have previously configured a key ID for another server, you can select it from the list; otherwise, enter a number between 1 and 4294967295.
Step 7 Check the Trusted check box to set this authentication key as a trusted key, which is required for authentication to succeed.
Step 8 Enter the key value to set the authentication key, which is a string that can be up to 32 characters long.
Step 9 Re-enter the key value to make sure that you enter it correctly twice.
Step 10 Click OK.
Step 11 Check the Enable NTP authentication check box to turn on NTP authentication.
Step 12 Click Apply to save your changes.
Setting the Date and Time Manually
To set the date and time manually, perform the following steps:
Use the Configuration > Device Setup > System Time > Clock pane to manually set the date and time for the ASA 1000V. The time is based on a 24-hour clock and displays in the status bar at the bottom of the main ASDM pane.
To dynamically set the time using an NTP server, see the Configuration > Device Setup > System Time > NTP pane; time derived from an NTP server overrides any time set manually in the Clock pane.
To manually set the date and time for the ASA 1000V, perform the following steps:
Step 1 In ASDM, choose Configuration > Device Setup > System Time > Clock.
Step 2 Choose the time zone from the drop-down list. This setting specifies the time zone as GMT plus or minus the appropriate number of hours. If you select the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, then the time adjusts automatically for daylight savings time, from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.
Step 3 Click the Date drop-down list to display a calendar. Then find the correct date using the following methods:
•Click the name of the month to display a list of months, then click the desired month. The calendar updates to that month.
•Click the year to change the year. Use the up and down arrows to scroll through the years, or type a year in the entry field.
•Click the arrows to the right and left of the month and year to scroll the calendar forward and backward one month at a time.
•Click a day on the calendar to set the date.
Step 4 Enter the time manually in hours, minutes, and seconds.
Step 5 Click Update Display Time to update the time shown in the bottom right corner of the ASDM pane. The current time updates automatically every ten seconds.
Configuring the Master Passphrase
This section describes how to configure the master passphrase and includes the following topics:
•Information About the Master Passphrase
•Adding or Changing the Master Passphrase
•Disabling the Master Passphrase
•Recovering the Master Passphrase
Information About the Master Passphrase
The master passphrase feature allows you to securely store plain text passwords in encrypted format. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Features that implement the master passphrase include the following:
Adding or Changing the Master Passphrase
This section describes how to add or change the master passphrase.
•If failover is enabled but no failover shared key is set, an error message appears if you change the master passphrase, informing you that you must enter a failover shared key to protect the master passphrase changes from being sent as plain text.
In the Configuration > Device Management > High Availability > Failover pane, enter any character in the Shared Key field or 32 hexadecimal numbers (0-9A-Fa-f) if a failover hexadecimal key is selected, except a backspace. Then click Apply.
To add or change the master passphrase, perform the following steps:
Step 1 Choose Configuration > Device Management > Advanced > Master Passphrase.
Step 2 Check the Advanced Encryption Standard (AES) password encryption check box.
If no master passphrase is in effect, a warning message appears when you click Apply. You can click OK or Cancel to continue.
If you later disable password encryption, all existing encrypted passwords are left unchanged, and as long as the master passphrase exists, the encrypted passwords will be decrypted as required by the application.
Step 3 Check the Change the encryption master passphrase check box to enable you to enter and confirm your new master passphrases. By default, they are disabled.
Your new master passphrase must be between 8 and 128 characters long.
If you are changing an existing passphrase, you must enter the old passphrase before you can enter a new one.
To delete the master passphrase, leave the New and Confirm master passphrase fields blank.
Step 4 Click Apply.
When you click Apply, warning messages appear under the following conditions:
•The Change the encryption master passphrase field is enabled, and the new master passphrase field is empty. The no key configuration-key password-encrypt command is then sent to the device.
•The old master passphrase does not match the hash value in the show password encryption command output.
•You use non-portable characters, particularly those with the high-order bit set in an 8-bit representation.
•A master passphrase and failover are in effect, then an error message appears in an attempt to remove the failover shared key.
•Encryption is disabled, but a new or replacement master passphrase is supplied.
Step 5 Click OK or Cancel to continue.
Disabling the Master Passphrase
Disabling the master passphrase reverts encrypted passwords into plain text passwords. Removing the passphrase might be useful if you downgrade to a previous software version that does not support encrypted passwords.
Step 1 You must know the current master passphrase to disable it. If you do not know the passphrase, see the "Recovering the Master Passphrase" section. Choose Configuration > Device Management > Advanced > Master Passphrase.
Step 2 Check the Advanced Encryption Standard (AES) password encryption check box.
If no master passphrase is in effect, a warning statement appears when you click Apply. Click OK or Cancel to continue.
Step 3 Check the Change the encryption master passphrase check box.
Step 4 Enter the old master passphrase in the Old master passphrase field. You must provide the old master passphrase to disable it.
Step 5 Leave the New master passphrase and the Confirm master passphrase fields empty.
Step 6 Click Apply.
Recovering the Master Passphrase
You cannot recover the master passphrase.
If the master passphrase is lost or unknown, you can remove it using the write erase command followed by the reload command. These commands remove the master key and the configuration that includes the encrypted passwords.
Configuring the DNS Server
Some ASA 1000V features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA 1000V can resolve the name by communicating with a DNS server.
Note The ASA 1000V has limited support for using the DNS server, depending on the feature. For these features, to resolve the server name to an IP address, you must enter the IP address manually by adding the server name in the Configuration > Firewall > Objects > Network Object/Groups pane.
Make sure that you configure the appropriate routing for any interface on which you enable DNS domain lookup so you can reach the DNS server. See the "Information About Routing" section for more information about routing.
Step 1 In the ASDM main application window, choose Configuration > Device Management > DNS > DNS Client.
Step 2 In the DNS Setup area, choose one of the following options:
•Configure one DNS server group.
•Configure multiple DNS server groups.
Step 3 Click Add to display the Add DNS Server Group dialog box.
Step 4 Specify up to six addresses to which DNS requests can be forwarded. The ASA 1000V tries each DNS server in order until it receives a response.
Note You must first enable DNS on at least one interface before you can add a DNS server. The DNS Lookup area shows the DNS status of an interface. A False setting indicates that DNS is disabled. A True setting indicates that DNS is enabled.
Step 5 Enter the name of each configured DNS server group.
Step 6 Enter the IP addresses of the configured servers, and click Add to include them in the server group. To remove a configured server from the group, click Delete.
Step 7 To change the sequence of the configured servers, click Move Up or Move Down.
Step 8 In the Other Settings area, enter the number of seconds between 1 and 30 to wait before trying the next DNS server in the list. The default wait time is 2 seconds. Each time the ASA 1000V retries the list of servers, the timeout time doubles.
Step 9 Enter the number of seconds to wait before trying the next DNS server in the group.
Step 10 Enter a valid DNS domain name for the group of configured servers.
Step 11 Click OK to close the Add DNS Server Group dialog box.
The new DNS server settings appear.
Step 12 To change these settings, click Edit to display the Edit DNS Server Group dialog box.
Step 13 Make your desired changes, then click OK to close the Edit DNS Server Group dialog box.
The revised DNS server settings appear.
Step 14 To enable a DNS server group to receive DNS requests, click Set Active.
Step 15 In the DNS Guard area, to enforce one DNS response per query, check the Enable DNS Guard on all interfaces check box. If DNS inspection is enabled, this setting is ignored on the selected interface.
Step 16 Click Apply to save your changes, or click Reset to discard those changes and enter new ones.