- About This Guide
- Index
- Glossary
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring Clientless SSL VPN
- Configuring AnyConnect VPN Client Connections
- Configuring AnyConnect Host Scan
- Accessing the Appliance Command-Line Interface
- Configuring ASDM Access for Appliances
- Starting ASDM
- Factory Default Configurations
- Working with the Configuration
- Applying Configuration Changes to Connections
Getting Started
This chapter describes how to get started with your ASA. This chapter includes the following sections:
Accessing the Appliance Command-Line Interface
For initial configuration, access the CLI directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter37, “Configuring Management Access” If your system is already in multiple context mode, then accessing the console port places you in the system execution space. See “Configuring Multiple Context Mode,” for more information about multiple context mode.
Detailed Steps
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your ASA for more information about the console cable.
Step 2 Press the Enter key to see the following prompt:
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode.
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See the “Configuring the Hostname, Domain Name, and Passwords” section to change the enable password.
The prompt changes to the following:
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
The prompt changes to the following:
You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.
Configuring ASDM Access for Appliances
ASDM access requires some minimal configuration so you can communicate over the network with a management interface. This section includes the following topics:
- Accessing ASDM Using the Factory Default Configuration
- Accessing ASDM Using a Non-Default Configuration (ASA 5505)
- Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
Accessing ASDM Using the Factory Default Configuration
With a factory default configuration (see the “Factory Default Configurations” section), ASDM connectivity is preconfigured with default network settings. Connect to ASDM using the following interface and network settings:
– ASA 5505—The switch port to which you connect to ASDM can be any port, except for Ethernet 0/0.
– ASA 5510 and higher—The interface to which you connect to ASDM is Management 0/0.
- The default management address is 192.168.1.1.
- The clients allowed to access ASDM must be on the 192.168.1.0/24 network. The default configuration enables DHCP so your management station can be assigned an IP address in this range. To allow other client IP addresses to access ASDM, see the “Configuring ASA Access for ASDM, Telnet, or SSH” section.
To launch ASDM, see the “Starting ASDM” section.
Note To change to multiple context mode, see the “Enabling or Disabling Multiple Context Mode” section. After changing to multiple context mode, you can access ASDM from the admin context using the network settings above.
Accessing ASDM Using a Non-Default Configuration (ASA 5505)
If you do not have a factory default configuration, or want to change to transparent firewall mode, perform the following steps. See also the sample configurations in the “ASA 5505 Default Configuration” section.
Prerequisites
Access the CLI according to the “Accessing the Appliance Command-Line Interface” section.
Detailed Steps
|
|
|
---|---|---|
|
Enables transparent firewall mode. This command clears your configuration. See the “Setting the Firewall Mode” section for more information. |
|
Do one of the following to configure a management interface, depending on your mode: |
||
ip address ip_address [ mask ] hostname(config)# interface vlan 1 hostname(config-if)# ip address 192.168.1.1 255.255.255.0 |
Configures an interface in routed mode. The security-level is a number between 1 and 100, where 100 is the most secure. |
|
ip address ip_address [ mask ] hostname(config)# interface bvi 1 hostname(config-if)# ip address 192.168.1.1 255.255.255.0 hostname(config)# interface vlan 1 hostname(config-if)# bridge-group 1 |
Configures a bridge virtual interface and assigns a management VLAN to the bridge group. The security-level is a number between 1 and 100, where 100 is the most secure. |
|
hostname(config)# interface ethernet 0/1 |
Enables the management switchport and assigns it to the management VLAN. |
|
dhcpd address ip_address - ip_address hostname(config)# dhcpd address 192.168.1.5-192.168.1.254 inside |
Enables DHCP for the management host on the management interface network. Make sure you do not include the management address in the range. Note By default, the IPS module, if installed, uses 192.168.1.2 for its internal management address, so be sure not to use this address in the DHCP range. You can later change the IPS module management address using the ASA if required. |
|
|
||
http ip_address mask interface_name |
||
|
||
To launch ASDM, see the “Starting ASDM” section. |
Examples
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, enables a switchport, and enables ASDM for a management host:
dhcpd address 192.168.1.5-192.168.1.254 inside
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
If you do not have a factory default configuration, or want to change the firewall or context mode, perform the following steps.
Prerequisites
Access the CLI according to the “Accessing the Appliance Command-Line Interface” section.
Detailed Steps
|
|
|
---|---|---|
|
Enables transparent firewall mode. This command clears your configuration. See the “Setting the Firewall Mode” section for more information. |
|
hostname(config)# interface management 0/0 hostname(config-if)# ip address 192.168.1.1 255.255.255.0 hostname(config-if)# nameif management |
Configures the Management 0/0 interface. The security-level is a number between 1 and 100, where 100 is the most secure. |
|
dhcpd address ip_address - ip_address hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 management |
Enables DHCP for the management host on the management interface network. Make sure you do not include the Management 0/0 address in the range. |
|
|
||
http ip_address mask interface_name |
||
|
||
|
Sets the mode to multiple mode. When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASASM. See “Configuring Multiple Context Mode,” for more information. |
|
To launch ASDM, see the “Starting ASDM” section. |
Examples
The following configuration converts the firewall mode to transparent mode, configures the Management 0/0 interface, and enables ASDM for a management host:
dhcpd address 192.168.1.2-192.168.1.254 management
Starting ASDM
You can start ASDM using two methods:
- ASDM-IDM Launcher (Windows only)—The Launcher is an application downloaded from the ASA using a web browser that you can use to connect to any ASA IP address. You do not need to re-download the launcher if you want to connect to other ASAs. The Launcher also lets you run a virtual ASDM in Demo mode using files downloaded locally.
- Java Web Start—For each ASA that you manage, you need to connect with a web browser and then save or launch the Java Web Start application. You can optionally save the application to your PC; however you need separate applications for each ASA IP address.
Note Within ASDM, you can choose a different ASA IP address to manage; the difference between the Launcher and Java Web Start application functionality rests primarily in how you initially connect to the ASA and launch ASDM.
This section describes how to connect to ASDM initially, and then launch ASDM using the Launcher or the Java Web Start application. This section includes the following topics:
- Connecting to ASDM for the First Time
- Starting ASDM from the ASDM-IDM Launcher
- Starting ASDM from the Java Web Start Application
- Using ASDM in Demo Mode
Note ASDM allows multiple PCs or workstations to each have one browser session open with the same ASA software. A single ASA can support up to five concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a specified ASA. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a maximum of 32 total connections for each ASA.
Connecting to ASDM for the First Time
To connect to ASDM for the first time to download the ASDM-IDM Launcher or Java Web Start application, perform the following steps:
Step 1 From a supported web browser on the ASA network, enter the following URL:
Where interface_ip_address is the management IP address of the ASA. See the “Configuring ASDM Access for Appliances” section for more information about management access.
See the ASDM release notes for your release for the requirements to run ASDM.
The ASDM launch page appears with the following buttons:
Step 2 To download the Launcher:
a. Click Install ASDM Launcher and Run ASDM.
b. Enter the username and password, and click OK. For a factory default configuration, leave these fields empty. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. With HTTPS authentication enabled, enter your username and associated password.
c. Save the installer to your PC, and then start the installer. The ASDM-IDM Launcher opens automatically after installation is complete.
d. See the “Starting ASDM from the ASDM-IDM Launcher” section to use the Launcher to connect to ASDM.
Step 3 To use the Java Web Start application:
a. Click Run ASDM or Run Startup Wizard.
b. Save the application to your PC when prompted. You can optionally open it instead of saving it.
c. See the “Starting ASDM from the Java Web Start Application” section to use the Java Web Start application to connect to ASDM.
Starting ASDM from the ASDM-IDM Launcher
To start ASDM from the ASDM-IDM Launcher, perform the following steps.
Prerequisites
Download the ASDM-IDM Launcher according to the “Connecting to ASDM for the First Time” section.
Detailed Steps
Step 1 Start the ASDM-IDM Launcher application.
Step 2 Enter or choose the ASA IP address or hostname to which you want to connect. To clear the list of IP addresses, click the trash can icon next to the Device/IP Address/Name field.
Step 3 Enter your username and your password, and then click OK.
For a factory default configuration, leave these fields empty. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. With HTTPS authentication enabled, enter your username and associated password.
If there is a new version of ASDM on the ASA, the ASDM Launcher automatically downloads the new version and requests that you update the current version before starting ASDM.
Starting ASDM from the Java Web Start Application
To start ASDM from the Java Web Start application, perform the following steps.
Prerequisites
Download the Java Web Start application according to the “Connecting to ASDM for the First Time” section.
Detailed Steps
Step 1 Start the Java Web Start application.
Step 2 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 3 Enter the username and password, and click OK. For a factory default configuration, leave these fields empty. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. With HTTPS authentication enabled, enter your username and associated password.
Using ASDM in Demo Mode
The ASDM Demo Mode, a separately installed application, lets you run ASDM without having a live device available. In this mode, you can do the following:
- Perform configuration and selected monitoring tasks via ASDM as though you were interacting with a real device.
- Demonstrate ASDM or ASA features using the ASDM interface.
- Perform configuration and monitoring tasks with the CSC SSM.
- Obtain simulated monitoring and logging data, including real-time syslog messages. The data shown is randomly generated; however, the experience is identical to what you would see when you are connected to a real device.
This mode has been updated to support the following features:
- For global policies, an ASA in single, routed mode and intrusion prevention
- For object NAT, an ASA in single, routed mode and a firewall DMZ.
- For the Botnet Traffic Filter, an ASA in single, routed mode and security contexts.
- Site-to-Site VPN with IPv6 (Clientless SSL VPN and IPsec VPN)
- Promiscuous IDS (intrusion prevention)
- Unified Communication Wizard
This mode does not support the following:
- Saving changes made to the configuration that appear in the GUI.
- File or disk operations.
- Historical monitoring data.
- Non-administrative users.
- These features:
Save Running Configuration to Flash
Save Running Configuration to TFTP Server
Save Running Configuration to Standby Unit
Save Internal Log Buffer to Flash
– Configuration > Interface > Edit Interface > Renew DHCP Lease
– Configuring a standby device after failover
- Operations that cause a rereading of the configuration, in which the GUI reverts to the original configuration:
– Making changes in the Interface pane
To run ASDM in Demo Mode, perform the following steps:
Step 1 Download the ASDM Demo Mode installer, asdm-demo- version.msi, from the following location: http://www.cisco.com/cisco/web/download/index.html.
Step 2 Double-click the installer to install the software.
Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu.
Step 4 Check the Run in Demo Mode check box.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new ASAs.
- ASA 5505—The factory default configuration configures interfaces and NAT so that the ASA is ready to use in your network immediately.
- ASA 5510 and higher—The factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.
The factory default configuration is available only for routed firewall mode and single context mode. See “Configuring Multiple Context Mode,” for more information about multiple context mode. See “Configuring the Transparent or Routed Firewall,” for more information about routed and transparent firewall mode. For the ASA 5505, a sample transparent mode configuration is provided in this section.
Note In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.
This section includes the following topics:
- Restoring the Factory Default Configuration
- ASA 5505 Default Configuration
- ASA 5510 and Higher Default Configuration
Restoring the Factory Default Configuration
This section describes how to restore the factory default configuration.
Limitations
This feature is available only in routed firewall mode; transparent mode does not support IP addresses for interfaces. In addition, this feature is available only in single context mode; an ASA with a cleared configuration does not have any defined contexts to configure automatically using this feature.
Detailed Steps
What to Do Next
See the “Working with the Configuration” section to start configuring the ASA.
ASA 5505 Default Configuration
The default configuration is available for routed mode only. This section describes the default configuration and also provides a sample transparent mode configuration that you can copy and paste as a starting point. This section includes the following topics:
ASA 5505 Routed Mode Default Configuration
The default factory configuration for the ASA 5505 configures the following:
- Interfaces—Inside (VLAN 1) and outside (VLAN 2).
- Switchports enabled and assigned—Ethernet 0/1 through 0/7 switch ports assigned to inside. Ethernet 0/0 assigned to outside.
- IP addresses— Outside address from DHCP; inside address set manually to 192.168.1.1/24.
- Network Address Translation (NAT)—All inside IP addresses are translated when accessing the outside using interface PAT.
- Traffic flow—IPv4 and IPv6 traffic allowed from inside to outside (this behavior is implicit on the ASA). Outside users are prevented from accessing the inside.
- DHCP server—Enabled for inside hosts, so a PC connecting to the inside interface receives an address between 192.168.1.5 and 192.168.1.254. DNS, WINS, and domain information obtained from the DHCP client on the outside interface is passed to the DHCP clients on the inside interface.
- Default route—Derived from DHCP.
- ASDM access—Inside hosts allowed.
Figure 3-1 shows the traffic flow for an ASA 5505 in routed mode.
Figure 3-1 ASA 5505 Routed Mode
The configuration consists of the following commands:
Note For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the following commands to the default configuration:
ASA 5505 Transparent Mode Sample Configuration
When you change the mode to transparent mode, the configuration is erased. You can copy and paste the following sample configuration at the CLI to get started. This configuration uses the default configuration as a starting point. Note the following areas you may need to modify:
- IP addresses—The IP addresses configured should be changed to match the network to which you are connecting.
- Static routes—For some kinds of traffic, static routes are required. See the “MAC Address vs. Route Lookups” section.
- Figure 3-2 shows the traffic flow for an ASA 5505 in transparent mode.
Figure 3-2 ASA 5505 Transparent Mode
Note For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the following commands to the sample configuration:
ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher configures the following:
- Management interface—Management 0/0 (management).
- IP address—The management address is 192.168.1.1/24.
- DHCP server—Enabled for management hosts, so a PC connecting to the management interface receives an address between 192.168.1.2 and 192.168.1.254.
- ASDM access—Management hosts allowed.
The configuration consists of the following commands:
Working with the Configuration
This section describes how to work with the configuration. The ASA loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter81, “Managing Software and Configurations”)
When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.
The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter6, “Configuring Multiple Context Mode”
This section includes the following topics:
- Saving Configuration Changes
- Copying the Startup Configuration to the Running Configuration
- Viewing the Configuration
- Clearing and Removing Configuration Settings
- Creating Text Configuration Files Offline
Saving Configuration Changes
This section describes how to save your configuration and includes the following topics:
Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
|
|
---|---|
|
Saves the running configuration to the startup configuration. Note The copy running-config startup-config command is equivalent to the write memory command. |
Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics:
Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
Saving All Context Configurations at the Same Time
To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:
After the ASA saves each context, the following message appears:
Sometimes, a context is not saved because of an error. See the following information for errors:
- For contexts that are not saved because the remote destination is unreachable, the following message appears:
A context is only locked if another user is already saving the configuration or in the process of deleting the context.
- For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages:
- For contexts that are not saved because of bad sectors in the flash memory, the following message appears:
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of the following options.
Viewing the Configuration
The following commands let you view the running and startup configurations.
|
|
---|---|
|
|
|
|
|
Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the ASA; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the ASA internal flash memory. See “Managing Software and Configurations,” for information on downloading the configuration file to the ASA.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “hostname(config)#”:
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
For additional information about formatting the file, see Appendix A, “Using the Command-Line Interface.”
Applying Configuration Changes to Connections
When you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. show command output for old connections reflect the old configuration, and in some cases will not include data about the old connections.
For example, if you remove a QoS service-policy from an interface, then re-add a modified version, then the show service-policy command only displays QoS counters associated with new connections that match the new service policy; existing connections on the old policy no longer show in the command output.
To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy.
To disconnect connections, enter one of the following commands.