- About This Guide
-
- Introduction to the Security Appliance
- Getting Started
- Enabling Multiple Context Mode
- Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
- Configuring Ethernet Settings and Subinterfaces
- Adding and Managing Security Contexts
- Configuring Interface Parameters
- Configuring Basic Settings
- Configuring IP Routing
- Configuring Multicast Routing
- Configuring DHCP, DDNS, and WCCP Services
- Configuring IPv6
- Configuring AAA Servers and the Local Database
- Configuring Failover
-
- Firewall Mode Overview
- Identifying Traffic With Access Lists
- Applying NAT
- Permitting or Denying Network Access
- Applying AAA for Network Access
- Applying Filtering Services
- Using Modular Policy Framework
- Managing AIP SSM and CSC SSM
- Preventing Network Attacks
- Applying QoS Policies
- Applying Application Layer Protocol Inspection
- Configuring ARP Inspection and Bridging Parameters
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring WebVPN
- Configuring SSL VPN Client
- Configuring Certificates
- Glossary
- Index
Configuring Basic Settings
This chapter describes how to configure basic settings on your security appliance that are typically required for a functioning configuration. This chapter includes the following sections:
•Setting the Management IP Address for a Transparent Firewall
Changing the Login Password
The login password is used for Telnet and SSH connections. By default, the login password is "cisco." To change the password, enter the following command:
hostname(config)# {passwd | password} password
You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
Changing the Enable Password
The enable password lets you enter privileged EXEC mode. By default, the enable password is blank. To change the enable password, enter the following command:
hostname(config)# enable password password
The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.
This command changes the password for the highest privilege level. If you configure local command authorization, you can set enable passwords for each privilege level from 0 to 15.
The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Enter the enable password command without a password to set the password to the default, which is blank.
Setting the Hostname
When you set a hostname for the security appliance, that name appears in the command line prompt. If you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The default hostname depends on your platform.
For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line, but can be used by the banner command $(hostname) token.
To specify the hostname for the security appliance or for a context, enter the following command:
hostname(config)# hostname name
This name can be up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
This name appears in the command line prompt. For example:
hostname(config)# hostname farscape
farscape(config)#
Setting the Domain Name
The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the security appliance qualifies the name to "jupiter.example.com."
The default domain name is default.domain.invalid.
For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
To specify the domain name for the security appliance, enter the following command:
hostname(config)# domain-name name
For example, to set the domain as example.com, enter the following command:
hostname(config)# domain-name example.com
Setting the Date and Time
This section describes how to set the date and time, either manually or dynamically using an NTP server. Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range.
Note In multiple context mode, set the time in the system configuration only.
This section includes the following topics:
•Setting the Time Zone and Daylight Saving Time Date Range
•Setting the Date and Time Using an NTP Server
•Setting the Date and Time Manually
Setting the Time Zone and Daylight Saving Time Date Range
By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October. To change the time zone and daylight saving time date range, perform the following steps:
Step 1 To set the time zone, enter the following command in global configuration mode:
hostname(config)# clock timezone zone [-]hours [minutes]
Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time.
The [-]hours value sets the number of hours of offset from UTC. For example, PST is -8 hours.
The minutes value sets the number of minutes of offset from UTC.
Step 2 To change the date range for daylight saving time from the default, enter one of the following commands.
The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.
•To set the start and end dates for daylight saving time as a specific date in a specific year, enter the following command:
hostname(config)# clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
If you use this command, you need to reset the dates every year.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The day value sets the day of the month, from 1 to 31. You can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format.
The month value sets the month as a string. You can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes.
•To specify the start and end dates for daylight saving time, in the form of a day and time of the month, and not a specific date in a year, enter the following command.
hostname(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
This command lets you set a recurring date range that you do not need to alter yearly.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.
The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on.
The month value sets the month as a string.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes.
Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:
Step 1 To configure authentication with an NTP server, perform the following steps:
a. To enable authentication, enter the following command:
hostname(config)# ntp authenticate
b. To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, enter the following command:
hostname(config)# ntp trusted-key key_id
Where the key_id is between 1 and 4294967295. You can enter multiple trusted keys for use with multiple servers.
c. To set a key to authenticate with an NTP server, enter the following command:
hostname(config)# ntp authentication-key key_id md5 key
Where key_id is the ID you set in Step 1b using the ntp trusted-key command, and key is a string up to 32 characters in length.
Step 2 To identify an NTP server, enter the following command:
hostname(config)# ntp server ip_address [key key_id] [source interface_name] [prefer]
Where the key_id is the ID you set in Step 1b using the ntp trusted-key command.
The source interface_name identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because the system does not include any interfaces in multiple context mode, specify an interface name defined in the admin context.
The prefer keyword sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred.
You can identify multiple servers; the security appliance uses the most accurate server.
Note SNTP is not supported; only NTP is supported.
Setting the Date and Time Manually
To set the date time manually, enter the following command:
hostname# clock set hh:mm:ss {month day | day month} year
Where hh:mm:ss sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54 pm.
The day value sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as 1 april, for example, depending on your standard date format.
The month value sets the month. Depending on your standard date format, you can enter the day and month as april 1 or as 1 april.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The default time zone is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone.
This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time for the clock set command.
Setting the Management IP Address for a Transparent Firewall
Transparent firewall mode only
A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
For multiple context mode, set the management IP address within each context.
To set the management IP address, enter the following command:
hostname(config)# ip address ip_address [mask] [standby ip_address]
This address must be on the same subnet as the upstream and downstream routers. You cannot set the subnet to a host subnet (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6.
The standby keyword and address is used for failover. See Chapter 14, "Configuring Failover," for more information.