This chapter describes how to get started with your ASA. This chapter includes the following sections:
For initial configuration, access the CLI directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 43, “Management Access.” If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See “Multiple Context Mode,” for more information about multiple context mode.
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your ASA for more information about the console cable.
Step 2 Press the Enter key to see the following prompt:
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode.
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See Configuring the Hostname, Domain Name, and Passwords to change the enable password.
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
The prompt changes to the following:
You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.
For initial configuration, access the command-line interface by connecting to the switch (either to the console port or remotely using Telnet or SSH) and then connecting to the ASASM. This section describes how to access the ASASM CLI.
From the switch CLI, you can use two methods to connect to the ASASM:
Console connection (the service-module session command):
– The connection is persistent across reloads and does not time out.
– You can stay connected through ASASM reloads and view startup messages.
– You can access ROMMON if the ASASM cannot load the image.
– No initial password configuration is required.
– The connection is slow (9600 baud).
– You can only have one console connection active at a time.
– You cannot use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the ASASM console and return to the switch prompt. Therefore, if you try to exit the ASASM console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server to the switch, the ASASM console session is still active; you can never exit to the switch prompt. You must use a direct serial connection to return the console to the switch prompt. In this case, either change the terminal server or switch escape character in Cisco IOS software, or use the Telnet session command instead.
Note Because of the persistence of the console connection, if you do not properly log out of the ASASM, the connection may exist longer than intended. If someone else wants to log in, they will need to kill the existing connection. See Logging Out of a Console Session for more information.
Telnet connection (the session command):
Note You cannot connect using this method for a new ASASM; this method requires you to configure a Telnet login password on the ASASM (there is no default password). After you set a password using the passwd command, you can use this method.
– You can have multiple sessions to the ASASM at the same time.
– The Telnet session is a fast connection.
– The Telnet session is terminated when the ASASM reloads, and can time out.
– You cannot access the ASASM until it completely loads; you cannot access ROMMON.
– You must first set a Telnet login password; there is no default password.
For initial configuration, access the command-line interface by connecting to the switch (either to the switch console port or remotely using Telnet or SSH) and then connecting to the ASASM.
If your system is already in multiple context mode, then accessing the ASASM from the switch places you in the system execution space. See “Multiple Context Mode,” for more information about multiple context mode.
Later, you can configure remote access directly to the ASASM using Telnet or SSH according to Configuring ASA Access for ASDM, Telnet, or SSH.
| Command | Purpose |
|---|---|
| (Available for initial access.) `service-module session [switch {1 \| 2}] slot number` | From the switch CLI, enter this command to gain console access to the ASASM. For a switch in a VSS, enter the `switch` argument. To view the module slot numbers, enter the `show module` command at the switch prompt. |
| (Available after you configure a login password.) You are prompted for the login password. | From the switch CLI, enter this command to Telnet to the ASASM over the backplane. For a switch in a VSS, enter the `switch` argument. To view the module slot numbers, enter the `show module` command at the switch prompt. Enter the login password to the ASASM. Set the password using the `passwd` command. There is no default password. Note The `session slot processor 0` command, which is supported on other services modules, is not supported on the ASASM; the ASASM does not have a processor 0. |
| | Accesses privileged EXEC mode, which is the highest privilege level. Enter the enable password at the prompt. By default, the password is blank. To change the enable password, see Configuring the Hostname, Domain Name, and Passwords. To exit privileged EXEC mode, enter the `disable`, `exit`, or `quit` command. |
| | Accesses global configuration mode. To exit global configuration mode, enter the `disable`, `exit`, or `quit` command. |
If you do not log out of the ASASM, the console connection persists; there is no timeout. To end the ASASM console session and access the switch CLI, perform the following steps.
To kill another user’s active connection, which may have been unintentionally left open, see Killing an Active Console Connection.
Step 1 To return to the switch CLI, type the following:
You return to the switch prompt:
Note Shift-6 on US and UK keyboards issues the caret (^) character. If you have a different keyboard and cannot issue the caret (^) character as a standalone character, you can temporarily or permanently change the escape character to a different character. Use the terminal escape-character ascii_number command (to change for this session) or the default escape-character ascii_number command (to change permanently). For example, to change the sequence for the current session to Ctrl-w, x, enter terminal escape-character 23.
Because of the persistence of a console connection, if you do not properly log out of the ASASM, the connection may exist longer than intended. If someone else wants to log in, they will need to kill the existing connection.
Step 1 From the switch CLI, show the connected users using the show users command. A console user is called “con”. The Host address shown is 127.0.0.slot0, where slot is the slot number of the module.
For example, the following command output shows a user “con” on line 0 on a module in slot 2:
Step 2 To clear the line with the console connection, enter the following command:
To end the Telnet session and access the switch CLI, perform the following steps.
Step 1 To return to the switch CLI, type exit from the ASASM privileged or user EXEC mode. If you are in a configuration mode, enter exit repeatedly until you exit the Telnet session.
You return to the switch prompt:
Note You can alternatively escape the Telnet session using the escape sequence Ctrl-Shift-6, x; this escape sequence lets you resume the Telnet session by pressing the Enter key at the switch prompt. To disconnect your Telnet session from the switch, enter disconnect at the switch CLI. If you do not disconnect the session, it will eventually time out according to the ASASM configuration.
By default, you can access the built-in VMware vSphere console. Alternatively, you can configure a network serial console, which has better capabilities, including copy and paste.
For initial configuration or troubleshooting, access the CLI from the virtual console provided through the VMware vSphere Web Client. You can later configure CLI remote access for Telnet or SSH according to Chapter 43, “Management Access.”
For the vSphere Web Client, install the Client Integration Plug-In, which is required for ASAv console access.
Step 1 In the VMware vSphere Web Client, right-click the ASAv instance in the Inventory, and choose Open Console. Or you can click Launch Console on the Summary tab.
Step 2 Click in the console and press Enter. Note: Press Ctrl + Alt to release the cursor.
If the ASAv is still starting up, you see bootup messages.
When the ASAv starts up for the first time, it reads parameters provided through the OVA file and adds them to the ASAv system configuration. It then automatically restarts the boot process until it is up and running. This double boot process only occurs when you first deploy the ASAv.
If you have not yet installed a license, you see the following message repeated until you enter the activation key:
After you deploy the ASAv, you must install a CPU license. Until you install a license, throughput is limited to 1 Mbps so that you can perform preliminary connectivity tests. A CPU license is required for regular operation. You also see the following messages repeated on the console until you install a license:
Step 3 You see the following prompt:
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
Step 4 To access privileged EXEC mode, enter the following command:
Step 5 Press the Enter key to continue. By default, the password is blank. If you previously set an enable password, enter it instead of pressing Enter.
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode.
To exit privileged mode, enter the disable, exit, or quit command.
Step 6 To access global configuration mode, enter the following command:
The prompt changes to the following:
You can begin to configure the ASAv from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.
For a better console experience, you can configure a network serial port singly or attached to a virtual serial port concentrator (vSPC) for console access. See the VMware vSphere documentation for details about each method. On the ASAv, you must send the console output to a serial port instead of to the virtual console. This section describes how to enable the serial port console.
Step 1 Configure a network serial port in VMware vSphere. See the VMware vSphere documentation.
Step 2 On the ASAv, create a file called “use_ttyS0” in the root directory of disk0. This file does not need to have any contents; it just needs to exist at this location:
The ASAv stops sending to the vSphere console, and instead sends to the serial console. See Using the VMware vSphere Console for information about privileged EXEC and global configuration modes.
Step 4 Telnet to the vSphere host IP address and the port number you specified when you added the serial port; or Telnet to the vSPC IP address and port.
ASDM access requires some minimal configuration so that you can communicate over the network with a management interface. This section includes the following topics:
With a factory default configuration (see Factory Default Configurations), ASDM connectivity is pre-configured with default network settings. Connect to ASDM using the following interface and network settings:
– ASA 5505—The switch port to which you connect to ASDM can be any port, except for Ethernet 0/0.
– ASA 5512-X and higher—The interface to which you connect to ASDM is Management 0/0.
– ASAv—The interface to which you connect to ASDM is Management 0/0.
– ASA 5505 and ASA 5512-X and higher—192.168.1.1.
– ASAv—You set the management interface IP address during deployment.
– ASA 5505 and ASA 5512-X and higher—Clients must be on the 192.168.1.0/24 network. The default configuration enables DHCP so that your management station can be assigned an IP address in this range.
– ASAv—You set the management client IP address during deployment. The ASAv does not act as the DHCP server for connected clients.
To launch ASDM, see Starting ASDM.
Note To change to multiple context mode, see Enabling or Disabling Multiple Context Mode. After changing to multiple context mode, you can access ASDM from the admin context using the network settings above.
Use this procedure if one or more of the following conditions apply:
See also the sample configurations in ASA 5505 Default Configuration.
Note For routed mode, for quick and easy ASDM access, we recommend applying the factory default configuration with the option to set your own management IP address (see Restoring the Factory Default Configuration). Use the procedure in this section only if you have special needs such as setting transparent mode, or if you have other configuration that you need to preserve.
Access the CLI at the console port according to Accessing the Appliance Console.
| Command | Purpose |
|---|---|
| | Enables transparent firewall mode. This command clears your configuration. See Setting the Firewall Mode for more information. |
| | Do one of the following to configure a management interface, depending on your mode: |
| `ip address ip_address [mask]` Example: `ciscoasa(config)# interface vlan 1`, `ciscoasa(config-if)# nameif inside` | Configures an interface in routed mode. The security-level is a number between 1 and 100, where 100 is the most secure. |
| `ip address ip_address [mask]` Example: `ciscoasa(config)# interface bvi 1`, `ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0`, `ciscoasa(config)# interface vlan 1`, `ciscoasa(config-if)# bridge-group 1` | Configures a bridge virtual interface and assigns a management VLAN to the bridge group. The security-level is a number between 1 and 100, where 100 is the most secure. |
| `ciscoasa(config)# interface ethernet 0/1` | Enables the management switchport and assigns it to the management VLAN. |
| `dhcpd address ip_address-ip_address` Example: `ciscoasa(config)# dhcpd address 192.168.1.5-192.168.1.254 inside` | Sets the DHCP pool for the management network. Make sure you do not include the VLAN interface address in the range. Note By default, the IPS module, if installed, uses 192.168.1.2 for its internal management address, so be sure not to use this address in the DHCP range. You can later change the IPS module management address using the ASA if required. |
| `http ip_address mask interface_name` | |
| | To launch ASDM, see Starting ASDM. |
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, enables a switchport, and enables ASDM for a management host:
dhcpd address 192.168.1.5-192.168.1.254 inside
Use this procedure if one or more of the following conditions apply:
Note For routed, single mode, for quick and easy ASDM access, we recommend applying the factory default configuration with the option to set your own management IP address (see Restoring the Factory Default Configuration). Use the procedure in this section only if you have special needs such as setting transparent or multiple context mode, or if you have other configuration that you need to preserve.
Access the CLI at the console port according to Accessing the Appliance Console or Accessing the ASAv Console.
| Command | Purpose |
|---|---|
| | Enables transparent firewall mode. This command clears your configuration. See Setting the Firewall Mode for more information. |
| `ciscoasa(config)# interface management 0/0`, `ciscoasa(config-if)# nameif management`, `ciscoasa(config-if)# security-level 100` | Configures the Management 0/0 interface. The security-level is a number between 1 and 100, where 100 is the most secure. |
| `dhcpd address ip_address-ip_address` Example: `ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management` | Sets the DHCP pool for the management network. Make sure you do not include the Management 0/0 address in the range. |
| `route management_ifc management_host_ip mask gateway_ip 1` Example: `ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50` | |
| `http ip_address mask interface_name` | |
| (Optional, ASA 5512-X and higher only) | Sets the mode to multiple mode. When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASASM. See “Multiple Context Mode,” for more information. |
| | To launch ASDM, see Starting ASDM. |
The following configuration converts the firewall mode to transparent mode, configures the Management 0/0 interface, and enables ASDM for a management host:
dhcpd address 192.168.1.2-192.168.1.254 management
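The example configuration above survives here only as its dhcpd line. The following block is an added, complete single-mode ASDM access configuration for the Management 0/0 interface, assembled from the commands in the preceding table; it is not the guide's own text. The 10.1.1.0/24 management network and the 192.168.1.50 gateway are the table's example values; the interface address 192.168.1.1 is assumed, and `management-only`, `no shutdown`, `dhcpd enable`, `http server enable`, and the `enable password` line (with a placeholder value) are standard ASA commands that the table does not show. For the transparent-mode variant the text describes, enter `firewall transparent` first (it clears the configuration) and then paste the rest.

```text
! Added example: minimal ASDM access over Management 0/0 (routed, single mode).
! Set the enable password before exposing ASDM; it is blank by default and ASDM
! accepts it as the login credential when no HTTPS authentication is configured.
enable password REPLACE-WITH-A-STRONG-PASSWORD
!
! Assumed interface address 192.168.1.1/24. The DHCP pool below starts at .2 so
! the interface address itself is never handed out, as the table requires.
interface management 0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
 no shutdown
!
! Address a directly connected management station.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
! Reach a remote management host on 10.1.1.0/24 through gateway 192.168.1.50.
route management 10.1.1.0 255.255.255.0 192.168.1.50 1
!
! Enable the ASDM/HTTPS server and permit only the two management networks.
! Keep these statements scoped: an entry of 0.0.0.0 0.0.0.0 would accept ASDM
! connections from any source reachable through the interface.
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 management
!
! Persist the change; the running configuration alone does not survive a reload.
write memory
```

Paste the block at the global configuration prompt; lines beginning with `!` are treated as comments. After it is applied, `show running-config http` should list exactly the two permitted networks and no broader entry.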
Because the ASASM does not have physical interfaces, it does not come pre-configured for ASDM access; you must configure ASDM access using the CLI on the ASASM. To configure the ASASM for ASDM access, perform the following steps.
| Command | Purpose |
|---|---|
| | Enables transparent firewall mode. This command clears your configuration. See Setting the Firewall Mode for more information. |
| | Do one of the following to configure a management interface, depending on your mode: |
| `ip address ip_address [mask]` Example: `ciscoasa(config)# interface vlan 1`, `ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0` | Configures an interface in routed mode. The security-level is a number between 1 and 100, where 100 is the most secure. |
| `ip address ip_address [mask]` Example: `ciscoasa(config)# interface bvi 1`, `ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0`, `ciscoasa(config)# interface vlan 1`, `ciscoasa(config-if)# bridge-group 1` | Configures a bridge virtual interface and assigns a management VLAN to the bridge group. The security-level is a number between 1 and 100, where 100 is the most secure. |
| (For directly-connected management hosts) `dhcpd address ip_address-ip_address` Example: `ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 inside` | Enables DHCP for the management host on the management interface network. Make sure you do not include the management address in the range. |
| `route management_ifc management_host_ip mask gateway_ip 1` Example: `ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50` | |
| `http ip_address mask interface_name` | |
| | Sets the mode to multiple mode. When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASASM. See “Multiple Context Mode,” for more information. |
| | To launch ASDM, see Starting ASDM. |
The following routed mode configuration configures the VLAN 1 interface and enables ASDM for a management host:
dhcpd address 192.168.1.3-192.168.1.254 inside
http 192.168.1.0 255.255.255.0 inside
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, and enables ASDM for a management host:
dhcpd address 192.168.1.3-192.168.1.254 inside
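Both ASASM examples above, and the ASA 5505 transparent example earlier in the chapter, reach this page truncated to their dhcpd lines. The following block is an added, complete ASASM transparent-mode configuration built from the commands in the preceding table; it is not the guide's own text. It assumes the switch has already assigned VLAN 1 to the ASASM, that the BVI address is 192.168.1.1 as in the table, and it adds the standard `dhcpd enable` and `http server enable` commands, which the table does not show. For the routed-mode example, replace the BVI and bridge-group lines with `ip address 192.168.1.1 255.255.255.0` under `interface vlan 1`; the ASA 5505 additionally needs its switchport enabled.

```text
! Added example: ASASM transparent-mode management on VLAN 1 through BVI 1.
! firewall transparent clears the existing configuration, so it comes first.
firewall transparent
!
interface bvi 1
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 1
 bridge-group 1
 nameif inside
 security-level 100
!
! The pool starts at .3, so the BVI address (.1) is excluded, as the table
! requires; .2 is left free as well, matching the page's examples.
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
!
! Enable the ASDM/HTTPS server and permit only the management subnet.
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Persist the change so it survives a reload.
write memory
```

Because `firewall transparent` erases the configuration, paste this block in one piece at the global configuration prompt after changing modes rather than mixing it into an existing routed configuration.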
You can start ASDM using two methods:
Within ASDM, you can choose a different ASA IP address to manage; the difference between the Launcher and Java Web Start functionality rests primarily in how you initially connect to the ASA and launch ASDM.
ASDM allows multiple PCs or workstations to each have one browser session open with the same ASA software. A single ASA can support up to five concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a specified ASA. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a maximum of 32 total connections for each ASA.
This section describes how to connect to ASDM initially, and then launch ASDM using the Launcher or the Java Web Start.
Step 1 On the PC you specified as the ASDM client, enter the following URL:
The ASDM launch page appears with the following buttons:
Step 2 To download the Launcher:
a. Click Install ASDM Launcher and Run ASDM.
b. Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. Note: If you enabled HTTPS authentication, enter your username and associated password.
c. Save the installer to your PC, and then start the installer. The ASDM-IDM Launcher opens automatically after installation is complete.
d. Enter the management IP address, leave the username and password blank (for a new installation), and then click OK. Note: If you enabled HTTPS authentication, enter your username and associated password.
Step 3 To use Java Web Start:
a. Click Run ASDM or Run Startup Wizard.
b. Save the shortcut to your PC when prompted. You can optionally open it instead of saving it.
c. Start Java Web Start from the shortcut.
d. Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
e. Leave the username and password blank (for a new installation), and then click OK. Note: If you enabled HTTPS authentication, enter your username and associated password.
The factory default configuration is the configuration applied by Cisco to new ASAs.
The factory default configuration is available only for routed firewall mode and single context mode. See “Multiple Context Mode,” for more information about multiple context mode. See “Transparent or Routed Firewall Mode,” for more information about routed and transparent firewall mode. For the ASA 5505, a sample transparent mode configuration is provided in this section.
Note In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.
This section includes the following topics:
This section describes how to restore the factory default configuration.
Note On the ASASM, restoring the factory default configuration simply erases the configuration; there is no factory default configuration.
This feature is available only in routed firewall mode; transparent mode does not support IP addresses for interfaces. In addition, this feature is available only in single context mode; an ASA with a cleared configuration does not have any defined contexts to configure automatically using this feature.
See Working with the Configuration to start configuring the ASA.
This section describes how to restore the ASAv deployment configuration.
The default configuration is available for routed mode only. This section describes the default configuration and also provides a sample transparent mode configuration that you can copy and paste as a starting point. This section includes the following topics:
The default factory configuration for the ASA 5505 configures the following:
Figure 4-1 ASA 5505 Routed Mode
The configuration consists of the following commands:
Note For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the following commands to the default configuration:
When you change the mode to transparent mode, the configuration is erased. You can copy and paste the following sample configuration at the CLI to get started. This configuration uses the default configuration as a starting point. Note the following areas you may need to modify:
Figure 4-2 ASA 5505 Transparent Mode
Note For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the following commands to the sample configuration:
The default factory configuration for the ASA 5512-X and higher configures the following:
The configuration consists of the following commands:
When you deploy the ASAv, you can pre-set many parameters that let you connect to the Management 0/0 interface using ASDM. A typical configuration includes the following settings:
See the following configuration for a standalone unit:
See the following configuration for a primary unit in a failover pair:
This section describes how to work with the configuration. The ASA loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 44, “Software and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.
The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 7, “Multiple Context Mode.”
This section includes the following topics:
This section describes how to save your configuration and includes the following topics:
To save the running configuration to the startup configuration, enter the following command:
| Command | Purpose |
|---|---|
| `write memory` | Saves the running configuration to the startup configuration. Note The `copy running-config startup-config` command is equivalent to the `write memory` command. |
You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics:
To save the system or context configuration, enter the following command within the system or context:
To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:
After the ASA saves each context, the following message appears:
Sometimes, a context is not saved because of an error. See the following information for errors:
A context is only locked if another user is already saving the configuration or in the process of deleting the context.
Copy a new startup configuration to the running configuration using one of the following options.
The following commands let you view the running and startup configurations.
To erase settings, enter one of the following commands.
This guide describes how to use the CLI to configure the ASA; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the ASA internal flash memory. See “Software and Configurations,” for information on downloading the configuration file to the ASA.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “ciscoasa(config)#”:
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
For additional information about formatting the file, see Appendix 51, “Using the Command-Line Interface.”
When you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time the connection was established. The show command output for old connections reflects the old configuration, and in some cases will not include data about the old connections.
For example, if you remove a QoS service-policy from an interface, then re-add a modified version, then the show service-policy command only displays QoS counters associated with new connections that match the new service policy; existing connections on the old policy no longer show in the command output.
To ensure that all connections use the new policy, you need to disconnect the current connections so that they can reconnect using the new policy.
To disconnect connections, enter one of the following commands.
To reload the ASA, enter the following command:
Note In multiple context mode, you can only reload from the system execution space.