CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.2

Sets the login password. There is no default password.

You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.

The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another ASA but do not know the original password, you can enter the passwd command with the encrypted password and the encrypted keyword. Normally, you only see this keyword when you enter the show running-config passwd command.

enable password password

Changes the enable password. By default, the enable password is blank.

The password argument is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.

This command changes the password for the highest privilege level (15). If you configure local command authorization, you can set enable passwords for each privilege level from 0 to 15 using the following syntax:

enable password password level number

The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Enter the enable password command without a password to set the password to the default, which is blank.

hostname name

farscape(config)#

Specifies the hostname for the ASA or for a context. The default hostname is “asa.”

This name can be up to 63 characters. The hostname must start and end with a letter or digit, and have only letters, digits, or a hyphen.

domain-name name

ciscoasa(config)# domain-name example.com

Specifies the domain name for the ASA.

The default domain name is default.domain.invalid.

Removal of the default Telnet password

9.0(2)/9.1(2)

To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note : The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command).

Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.

The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command, until you set a login password.

We modified the following command: passwd.

Step 1

clock timezone zone [ - ] hours [ minutes ]

ciscoasa(config)# clock timezone PST -8

Sets the time zone. By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.

Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time.

The [ - ] hours value sets the number of hours of offset from UTC. For example, PST is -8 hours.

The minutes value sets the number of minutes of offset from UTC.

Step 2

To change the date range for daylight saving time from the default, enter one of the following commands. The default recurring date range is from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.

clock summer-time zone date { day month | month day } year hh : mm { day month | month day } year hh : mm [ offset ]

ciscoasa(config)# clock summer-time PDT 1 April 2010 2:00 60

Sets the start and end dates for daylight saving time as a specific date in a specific year. If you use this command, you need to reset the dates every year.

The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.

The day value sets the day of the month, from 1 to 31. You can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format.

The month value sets the month as a string. You can enter the day and month as April 1 or as 1 April, depending on your standard date format.

The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.

The hh:mm value sets the hour and minutes in 24-hour time.

The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes.

clock summer-time zone recurring [ week weekday month hh : mm week weekday month hh : mm ] [ offset ]

ciscoasa(config)# clock summer-time PDT recurring first Monday April 2:00 60

Specifies the start and end dates for daylight saving time, in the form of a day and time of the month, and not a specific date in a year.

This command enables you to set a recurring date range that you do not need to change yearly.

The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.

The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.

The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on.

The month value sets the month as a string.

The hh:mm value sets the hour and minutes in 24-hour time.

The offset value sets the number of minutes to change the time for daylight savings time. By default, the value is 60 minutes.

Step 1

ntp authenticate

ciscoasa(config)# ntp authenticate

Enables authentication with an NTP server.

Step 2

ntp trusted-key key_id

ciscoasa(config)# ntp trusted-key 1

Specifies an authentication key ID to be a trusted key, which is required for authentication with an NTP server.

The key_id argument is a value between 1 and 4294967295. You can enter multiple trusted keys for use with multiple servers.

Step 3

ntp authentication-key key_id md5 key

hostname(config)# ntp authentication-key 1 md5 aNiceKey

Sets a key to authenticate with an NTP server.

The key_id argument is the ID you set in Step 2 using the ntp trusted-key command, and the key argument is a string up to 32 characters long.

Step 4

ntp server ip_address [ key key_id ] [ source interface_name ] [ prefer ]

hostname(config)# ntp server 10.1.1.1 key 1 prefer

Identifies an NTP server.

The key_id argument is the ID you set in Step 2 using the ntp trusted-key command.

The source interface_name keyword-argument pair identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because the system does not include any interfaces in multiple context mode, specify an interface name defined in the admin context.

The prefer keyword sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the ASA uses the more accurate one. For example, the ASA uses a server of stratum 2 over a server of stratum 3 that is preferred.

You can identify multiple servers; the ASA uses the most accurate server.

Note In multiple context mode, set the time in the system configuration only.

clock set hh : mm : ss { month day | day month } year

hostname# clock set 20:54:00 april 1 2004

Sets the date time manually.

The hh : mm : ss argument sets the hour, minutes, and seconds in 24-hour time. For example, enter 20:54:00 for 8:54 pm.

The day value sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as 1 april, for example, depending on your standard date format.

The month value sets the month. Depending on your standard date format, you can enter the day and month as april 1 or as 1 april.

The year value sets the year using four digits, for example, 2004. The year range is from 1993 to 2035.

The default time zone is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone.

This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time with the clock set command.

ASAv

Standard or Premium License.

All other models

Base License.

Step 1

key config-key password-encryption [ new_passphrase [ old_passphrase ]]

Sets the passphrase used for generating the encryption key. The passphrase must be between 8 and 128 characters long. All characters except a backspace and double quotes are accepted for the passphrase.

If you do not enter the new passphrase in the command, you are prompted for it.

To change the passphrase, you must enter the old passphrase.

see Examples for examples of the interactive prompts.

Note Use the interactive prompts to enter passwords to avoid having the passwords logged in the command history buffer.

Use the no key config-key password-encrypt command with caution, because it changes the encrypted passwords into plain text passwords. You can use the no form of this command when downgrading to a software version that does not support password encryption.

Step 2

Enables password encryption. As soon as password encryption is enabled and the master passphrase is available, all the user passwords will be encrypted. The running configuration will show the passwords in the encrypted format.

If the passphrase is not configured at the time that password encryption is enabled, the command will succeed in anticipation that the passphrase will be available in the future.

If you later disable password encryption using the no password encryption aes command, all existing encrypted passwords are left unchanged, and as long as the master passphrase exists, the encrypted passwords will be decrypted, as required by the application.

Step 3

write memory

Saves the runtime value of the master passphrase and the resulting configuration. If you do not enter this command, passwords in startup configuration may still be visible if they were not saved with encryption previously.

In addition, in multiple context mode the master passphrase is changed in the system context configuration. As a result, the passwords in all contexts will be affected. If the write memory command is not entered in the system context mode, but not in all user contexts, then the encrypted passwords in user contexts may be stale. Alternatively, use the write memory all command in the system context to save all configurations.

Step 1

no key config-key password-encryption [ old_passphrase ]]

Removes the master passphrase.

If you do not enter the passphrase in the command, you are prompted for it.

Step 2

write memory

Saves the runtime value of the master passphrase and the resulting configuration. The non-volatile memory containing the passphrase will be erased and overwritten with the 0xFF pattern.

In multiple mode, the master passphrase is changed in the system context configuration. As a result, the passwords in all contexts will be affected. If the write memory command is not entered in the system context mode, but not in all user contexts, then the encrypted passwords in user contexts may be stale. Alternatively, use the write memory all command in the system context to save all configurations.

Step 1

write erase

Removes the master key and the configuration that includes the encrypted passwords.

Step 2

reload

Reloads the ASA with the startup configuration, without any master key or encrypted passwords.

Master Passphrase

8.3(1)

We introduced this feature. The master passphrase allows you to securely store plain text passwords in encrypted format and provides a key that is used to universally encrypt or mask all passwords, without changing any functionality.

We introduced the following commands: key config-key password-encryption, password encryption aes, clear configure password encryption aes, show running-config password encryption aes, show password encryption.

Password Encryption Visibility

8.4(1)

We modified the show password encryption command.

Step 1

hostname(config)# dns domain-lookup inside

Enables the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.

Step 2

Specifies the DNS server group that the ASA uses for outgoing requests.

Other DNS server groups can be configured for VPN tunnel groups. See the tunnel-group command in the command reference for more information.

Step 3

Specifies one or more DNS servers. You can enter all six IP addresses in the same command, separated by spaces, or you can enter each command separately. The ASA tries each DNS server in order until it receives a response.

ciscoasa (config)# no service password-recovery

Disables password recovery.

Step 1

ciscoasa# copy running-config backup.cfg

Copies the running configuration to a backup file on the ASAv.

Step 2

ciscoasa# reload

Restarts the ASAv.

Step 3

GNU GRUB version 2.0(12)4

GNU GRUB version 2.0(12)4

bootflash: /asa100123-20-smp-k8.bin with no configuration load

From the GNU GRUB menu, press the down arrow, choose the < filename > with no configuration load option, then press Enter. The filename is the default boot image filename on the ASAv. The default boot image is never automatically booted through the fallback command.

Boots the selected boot image.

Step 4

ciscoasa (config)# copy backup.cfg running-config

Copies the backup configuration file to the running configuration.

Step 5

ciscoasa (config)# enable password cisco123

Resets the password.

Step 6

ciscoasa (config)# write mem

Saves the new configuration.

asp rule-engine transactional-commit option

ciscoasa(config)# asp rule-engine

transactional-commit access-group

Enables the transactional commit model for the rule engine for the selected policies. Options include:

• access-group —Access rules applied globally or to interfaces.