CISCO ASA Series General Operations ASDM Configuration Guide 7.14 User Guide

June 13, 2024
Cisco

ASA Series General Operations ASDM Configuration Guide 7.14

Product Information
Product Name: ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.14
Product Description: The ASDM Book 1 is a comprehensive guide for configuring and managing the Cisco ASA Series firewalls using the ASDM (Adaptive Security Device Manager) interface. It provides detailed information on various operations, configurations, and security features of the Cisco ASA firewalls.
Manufacturer: Cisco Systems, Inc.
Headquarters: 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Website: Cisco Website
Contact Information: Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883
Disclaimer: The specifications and information in this manual are subject to change without notice. All statements, information, and recommendations are believed to be accurate but are presented without warranty of any kind. Users are responsible for their application of any products. The software license and limited warranty details can be found in the information packet shipped with the product.

Product Usage Instructions:
1. Getting Started with the ASA:
– Familiarize yourself with the ASDM Book 1 guide.
– Ensure you have access to the Cisco ASA firewall and the ASDM interface.
– Follow the step-by-step instructions provided in the guide to configure and manage the firewall.
2. Protecting from IP Fragments:
– Refer to Chapter 2 of the ASDM Book 1 guide for detailed instructions on protecting your network from IP fragments.
– Learn how to apply HTTP, HTTPS, or FTP filtering to prevent unwanted traffic.
– Understand how to enable application inspection for enhanced security.
– Configure traffic routing to supported hardware or software modules.
– Apply Quality of Service (QoS) policies to prioritize network traffic.
– Set connection limits and enable TCP normalization for better control over network connections.
– Enable threat detection to identify and mitigate potential security threats.
3. Firewall Mode Overview:
– Read the guide’s overview of the different firewall modes available in the Cisco ASA Series.
– Understand the concepts of stateful inspection, VPN functionality, and security contexts.
– Explore ASA clustering capabilities for high availability and scalability.
– Familiarize yourself with special, deprecated, and legacy services.

Note: The above instructions provide a general overview of the product usage. For detailed configuration steps and specific scenarios, refer to the corresponding chapters and sections in the ASDM Book 1 guide. For further assistance or to obtain the latest version of the guide, visit the Cisco website or contact your Cisco representative.

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.14
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE- NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2023 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE
About This Guide xlix
Document Objectives xlix
Related Documentation xlix
Document Conventions xlix
Communications, Services, and Additional Information li

PART I
Getting Started with the ASA 53

CHAPTER 1
Introduction to the ASA 1
ASDM Requirements 1
ASDM Java Requirements 1
ASDM Compatibility Notes 2
Hardware and Software Compatibility 5
VPN Compatibility 5
New Features 6
New Features in ASA 9.14(4)/ASDM 7.17(1) 6
New Features in ASA 9.14(3)/ASDM 7.15(1.150) 6
New Features in ASA 9.14(2) 6
New Features in ASA 9.14(1.30) 6
New Features in ASDM 7.14(1.48) 7
New Features in ASAv 9.14(1.6) 7
New Features in ASA 9.14(1)/ASDM 7.14(1) 7
Firewall Functional Overview 10
Security Policy Overview 11
Permitting or Denying Traffic with Access Rules 11
Applying NAT 11


Protecting from IP Fragments 11
Applying HTTP, HTTPS, or FTP Filtering 11
Applying Application Inspection 12
Sending Traffic to Supported Hardware or Software Modules 12
Applying QoS Policies 12
Applying Connection Limits and TCP Normalization 12
Enabling Threat Detection 12
Firewall Mode Overview 12
Stateful Inspection Overview 13
VPN Functional Overview 14
Security Context Overview 15
ASA Clustering Overview 15
Special, Deprecated, and Legacy Services 15

CHAPTER 2
Getting Started 17
Access the Console for the Command-Line Interface 17
Access the ASA Hardware or ISA 3000 Console 17
Access the Firepower 2100 Platform Mode Console 18
Access the Firepower 1000, 2100 Appliance Mode Console 20
Access the ASA Console on the Firepower 4100/9300 Chassis 22
Access the Software Module Console 23
Access the ASA 5506W-X Wireless Access Point Console 24
Configure ASDM Access 24
Use the Factory Default Configuration for ASDM Access 24
Customize ASDM Access 25
Start ASDM 27
Customize ASDM Operation 29
Install an Identity Certificate for ASDM 29
Increase the ASDM Configuration Memory 29
Increase the ASDM Configuration Memory in Windows 29
Increase the ASDM Configuration Memory in Mac OS 30
Factory Default Configurations 30
Restore the Factory Default Configuration 32
Restore the ASAv Deployment Configuration 34


ASA 5506-X Series Default Configuration 35
ASA 5508-X and 5516-X Default Configuration 37
ASA 5525-X through ASA 5555-X Default Configuration 38
Firepower 1010 Default Configuration 38
Firepower 1100 Default Configuration 40
Firepower 2100 Platform Mode Default Configuration 41
Firepower 2100 Appliance Mode Default Configuration 43
Firepower 4100/9300 Chassis Default Configuration 44
ISA 3000 Default Configuration 45
ASAv Deployment Configuration 46
Set the Firepower 2100 to Appliance or Platform Mode 48
Get Started with the Configuration 50
Use the Command Line Interface Tool in ASDM 50
Use the Command Line Interface Tool 50
Show Commands Ignored by ASDM on the Device 51
Apply Configuration Changes to Connections 52

CHAPTER 3
ASDM Graphical User Interface 53
About the ASDM User Interface 53
Navigate the ASDM User Interface 56
Menus 57
File Menu 57
View Menu 58
Tools Menu 59
Wizards Menu 60
Window Menu 61
Help Menu 61
Toolbar 62
ASDM Assistant 63
Status Bar 63
Connection to Device 64
Device List 64
Common Buttons 64
Keyboard Shortcuts 65


Find Function in ASDM Panes 67
Find Function in Rule Lists 68
Enable Extended Screen Reader Support 68
Organizational Folder 69
Home Pane (Single Mode and Context) 69
Device Dashboard Tab 69
Device Information Pane 70
Interface Status Pane 72
VPN Sessions Pane 72
Failover Status Pane 72
System Resources Status Pane 72
Traffic Status Pane 72
Latest ASDM Syslog Messages Pane 72
Firewall Dashboard Tab 73
Traffic Overview Pane 74
Top 10 Access Rules Pane 75
Top Usage Status Pane 75
Top Ten Protected Servers Under SYN Attack Pane 75
Top 200 Hosts Pane 76
Top Botnet Traffic Filter Hits Pane 76
Cluster Dashboard Tab 76
Cluster Firewall Dashboard Tab 78
Content Security Tab 79
Intrusion Prevention Tab 80
ASA CX Status Tab 82
ASA FirePower Status Tabs 82
Home Pane (System) 83
Define ASDM Preferences 84
Search with the ASDM Assistant 86
Enable History Metrics 87
Unsupported Commands 87
Ignored and View-Only Commands 87
Effects of Unsupported Commands 88
Discontinuous Subnet Masks Not Supported 88


Interactive User Commands Not Supported by the ASDM CLI Tool 89

CHAPTER 4
Licenses: Product Authorization Key Licensing 91
About PAK Licenses 91
Preinstalled License 91
Permanent License 91
Time-Based Licenses 92
Time-Based License Activation Guidelines 92
How the Time-Based License Timer Works 92
How Permanent and Time-Based Licenses Combine 92
Stacking Time-Based Licenses 93
Time-Based License Expiration 94
License Notes 94
AnyConnect Plus, AnyConnect Apex, and AnyConnect VPN Only Licenses 94
Other VPN License 95
Total VPN Sessions Combined, All Types 95
VPN Load Balancing 95
Legacy VPN Licenses 95
Encryption License 95
Carrier License 96
Total TLS Proxy Sessions 96
VLANs, Maximum 97
Botnet Traffic Filter License 97
Shared AnyConnect Client Premium Licenses (AnyConnect 3 and Earlier) 97
Failover or ASA Cluster Licenses 97
Failover License Requirements and Exceptions 97
ASA Cluster License Requirements and Exceptions 98
How Failover or ASA Cluster Licenses Combine 99
Loss of Communication Between Failover or ASA Cluster Units 100
Upgrading Failover Pairs 100
No Payload Encryption Models 101
Licenses FAQ 101
Guidelines for PAK Licenses 102
Configure PAK Licenses 103


Order License PAKs and Obtain an Activation Key 103
Obtain a Strong Encryption License 105
Activate or Deactivate Keys 107
Configure a Shared License (AnyConnect Client 3 and Earlier) 108
About Shared Licenses 108
About the Shared Licensing Server and Participants 108
Communication Issues Between Participant and Server 109
About the Shared Licensing Backup Server 109
Failover and Shared Licenses 110
Maximum Number of Participants 111
Configure the Shared Licensing Server 112
Configure the Shared Licensing Participant and the Optional Backup Server 112
Supported Feature Licenses Per Model 113
Licenses Per Model 113
ASA 5506-X and ASA 5506W-X License Features 113
ASA 5506H-X License Features 114
ASA 5508-X License Features 115
ASA 5516-X License Features 116
ASA 5525-X License Features 116
ASA 5545-X License Features 117
ASA 5555-X License Features 118
ISA 3000 License Features 119
Monitoring PAK Licenses 119
Viewing Your Current License 120
Monitoring the Shared License 120
History for PAK Licenses 121

CHAPTER 5
Licenses: Smart Software Licensing 127
About Smart Software Licensing 127
Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis 128
Smart Software Manager and Accounts 128
Offline Management 128
Permanent License Reservation 129
Smart Software Manager On-Prem 130

Licenses and Devices Managed per Virtual Account 130
Evaluation License 131
About Licenses by Type 132
AnyConnect Plus, AnyConnect Apex, and AnyConnect VPN Only Licenses 132
Other VPN Peers 132
Total VPN Peers Combined, All Types 132
Encryption License 132
Carrier License 134
Total TLS Proxy Sessions 135
VLANs, Maximum 136
Botnet Traffic Filter License 136
Failover or ASA Cluster Licenses 136
Failover Licenses for the ASAv 136
Failover Licenses for the Firepower 1010 136
Failover Licenses for the Firepower 1100 137
Failover Licenses for the Firepower 2100 138
Failover Licenses for the Firepower 4100/9300 139
ASA Cluster Licenses for the Firepower 4100/9300 140
Prerequisites for Smart Software Licensing 142
Smart Software Manager Regular and On-Prem Prerequisites 142
Permanent License Reservation Prerequisites 142
License PIDs 143
Guidelines for Smart Software Licensing 146
Defaults for Smart Software Licensing 146
ASAv: Configure Smart Software Licensing 147
ASAv: Configure Regular Smart Software Licensing 147
ASAv: Configure Smart Software Manager On-Prem Licensing 150
ASAv: Configure Utility Mode and MSLA Smart Software Licensing 151
ASAv: Configure Permanent License Reservation 152
Install the ASAv Permanent License 153
(Optional) Return the ASAv Permanent License 154
(Optional) Deregister the ASAv (Regular and On-Prem) 155
(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and On-Prem) 156
Firepower 1000, 2100: Configure Smart Software Licensing 156

Firepower 1000, 2100: Configure Regular Smart Software Licensing 157
Firepower 1000, 2100: Configure Smart Software Manager On-Prem Licensing 160
Firepower 1000, 2100: Configure Permanent License Reservation 161
Install the Firepower 1000, 2100 Permanent License 162
(Optional) Return the Firepower 1000, 2100 Permanent License 164
(Optional) Deregister the Firepower 1000, 2100 (Regular and On-Prem) 165
(Optional) Renew the Firepower 1000, 2100 ID Certificate or License Entitlement (Regular and On-Prem) 166
Firepower 4100/9300: Configure Smart Software Licensing 166
Licenses Per Model 167
ASAv 167
Firepower 1010 170
Firepower 1100 Series 170
Firepower 2100 Series 172
Firepower 4100 173
Firepower 9300 175
Monitoring Smart Software Licensing 175
Viewing Your Current License 176
Viewing Smart License Status 176
Viewing the UDI 176
Smart Software Manager Communication 176
Device Registration and Tokens 176
Periodic Communication with the Smart Software Manager 177
Out-of-Compliance State 177
Smart Call Home Infrastructure 178
Smart License Certificate Management 178
History for Smart Software Licensing 179

CHAPTER 6
Logical Devices for the Firepower 4100/9300 183
About Interfaces 183
Chassis Management Interface 183
Interface Types 184
FXOS Interfaces vs. Application Interfaces 185
About Logical Devices 186


Standalone and Clustered Logical Devices 186
Requirements and Prerequisites for Hardware and Software Combinations 186
Guidelines and Limitations for Logical Devices 187
Guidelines and Limitations for Interfaces 187
General Guidelines and Limitations 188
Requirements and Prerequisites for High Availability 188
Configure Interfaces 188
Enable or Disable an Interface 189
Configure a Physical Interface 189
Add an EtherChannel (Port Channel) 190
Configure Logical Devices 192
Add a Standalone ASA 192
Add a High Availability Pair 195
Change an Interface on an ASA Logical Device 196
Connect to the Console of the Application 197
History for Logical Devices 198

CHAPTER 7
Transparent or Routed Firewall Mode 201
About the Firewall Mode 201
About Routed Firewall Mode 201
About Transparent Firewall Mode 201
Using the Transparent Firewall in Your Network 202
Management Interface 202
Passing Traffic For Routed-Mode Features 202
About Bridge Groups 203
Bridge Virtual Interface (BVI) 203
Bridge Groups in Transparent Firewall Mode 203
Bridge Groups in Routed Firewall Mode 204
Passing Traffic Not Allowed in Routed Mode 205
Allowing Layer 3 Traffic 205
Allowed MAC Addresses 206
BPDU Handling 206
MAC Address vs. Route Lookups 206
Unsupported Features for Bridge Groups in Transparent Mode 208


Unsupported Features for Bridge Groups in Routed Mode 208
Default Settings 209
Guidelines for Firewall Mode 209
Set the Firewall Mode (Single Mode) 211
Examples for Firewall Mode 212
How Data Moves Through the ASA in Routed Firewall Mode 212
An Inside User Visits a Web Server 212
An Outside User Visits a Web Server on the DMZ 213
An Inside User Visits a Web Server on the DMZ 214
An Outside User Attempts to Access an Inside Host 215
A DMZ User Attempts to Access an Inside Host 216
How Data Moves Through the Transparent Firewall 216
An Inside User Visits a Web Server 217
An Inside User Visits a Web Server Using NAT 218
An Outside User Visits a Web Server on the Inside Network 220
An Outside User Attempts to Access an Inside Host 221
History for the Firewall Mode 222

CHAPTER 8
Startup Wizard 225
Access the Startup Wizard 225
Guidelines for the Startup Wizard 225
Startup Wizard Screens 225
Starting Point or Welcome 225
Basic Configuration 226
Interface Screens 226
Outside Interface Configuration (Routed Mode) 226
Outside Interface Configuration – PPPoE (Routed Mode, Single Mode) 226
Management IP Address Configuration (Transparent Mode) 226
Other Interfaces Configuration 226
Static Routes 226
DHCP Server 226
Address Translation (NAT/PAT) 227
Administrative Access 227
IPS Basic Configuration 227


ASA CX Basic Configuration (ASA 5585-X) 227
ASA FirePOWER Basic Configuration 227
Time Zone and Clock Configuration 227
Auto Update Server (Single Mode) 227
Startup Wizard Summary 228
History for the Startup Wizard 228

PART II
High Availability and Scalability 231

CHAPTER 9
Multiple Context Mode 233
About Security Contexts 233
Common Uses for Security Contexts 233
Context Configuration Files 234
Context Configurations 234
System Configuration 234
Admin Context Configuration 234
How the ASA Classifies Packets 234
Valid Classifier Criteria 234
Classification Examples 235
Cascading Security Contexts 237
Management Access to Security Contexts 238
System Administrator Access 238
Context Administrator Access 238
Management Interface Usage 238
About Resource Management 239
Resource Classes 239
Resource Limits 239
Default Class 240
Use Oversubscribed Resources 241
Use Unlimited Resources 241
About MAC Addresses 242
MAC Addresses in Multiple Context Mode 242
Automatic MAC Addresses 242
VPN Support 243


Licensing for Multiple Context Mode 243
Prerequisites for Multiple Context Mode 244
Guidelines for Multiple Context Mode 245
Defaults for Multiple Context Mode 246
Configure Multiple Contexts 246
Enable or Disable Multiple Context Mode 247
Enable Multiple Context Mode 247
Restore Single Context Mode 248
Configure a Class for Resource Management 249
Configure a Security Context 252
Assign MAC Addresses to Context Interfaces Automatically 254
Change Between Contexts and the System Execution Space 255
Manage Security Contexts 255
Remove a Security Context 255
Change the Admin Context 256
Change the Security Context URL 257
Reload a Security Context 258
Reload by Clearing the Configuration 258
Reload by Removing and Re-adding the Context 258
Monitoring Security Contexts 259
Monitor Context Resource Usage 259
View Assigned MAC Addresses 260
View MAC Addresses in the System Configuration 260
View MAC Addresses Within a Context 261
History for Multiple Context Mode 261

CHAPTER 10
Failover for High Availability 267
About Failover 267
Failover Modes 267
Failover System Requirements 268
Hardware Requirements 268
Software Requirements 268
License Requirements 269
Failover and Stateful Failover Links 269

Failover Link 269
Stateful Failover Link 270
Avoiding Interrupted Failover and Data Links 271
MAC Addresses and IP Addresses in Failover 273
Stateless and Stateful Failover 275
Stateless Failover 275
Stateful Failover 275
Bridge Group Requirements for Failover 277
Bridge Group Requirements for Appliances, ASAv 277
Failover Health Monitoring 278
Unit Health Monitoring 278
Interface Monitoring 278
Failover Times 280
Configuration Synchronization 281
Running Configuration Replication 281
File Replication 281
Command Replication 282
Config Sync Optimization 283
About Active/Standby Failover 284
Primary/Secondary Roles and Active/Standby Status 284
Active Unit Determination at Startup 284
Failover Events 284
About Active/Active Failover 285
Active/Active Failover Overview 285
Primary/Secondary Roles and Active/Standby Status for a Failover Group 286
Active Unit Determination for Failover Groups at Startup 286
Failover Events 286
Licensing for Failover 287
Guidelines for Failover 288
Defaults for Failover 291
Configure Active/Standby Failover 292
Configure Active/Active Failover 293
Configure Optional Failover Parameters 294
Configure Failover Criteria and Other Settings 294

Configure Interface Monitoring and Standby Addresses 297
Configure Support for Asymmetrically Routed Packets (Active/Active Mode) 298
Manage Failover 300
Modify the Failover Setup 300
Force Failover 302
Disable Failover 303
Restore a Failed Unit 304
Re-Sync the Configuration 304
Monitoring Failover 304
Failover Messages 304
Failover Syslog Messages 305
Failover Debug Messages 305
SNMP Failover Traps 305
Monitoring Failover Status 305
System 305
Failover Group 1 and Failover Group 2 306
History for Failover 306

CHAPTER 11
Failover for High Availability in the Public Cloud 311
About Failover in the Public Cloud 311
About Active/Backup Failover 312
Primary/Secondary Roles and Active/Backup Status 312
Failover Connection 312
Polling and Hello Messages 312
Active Unit Determination at Startup 313
Failover Events 313
Guidelines and Limitations 314
Licensing for Failover in the Public Cloud 315
Defaults for Failover in the Public Cloud 315
About ASAv High Availability in Microsoft Azure 316
About the Azure Service Principal 317
Configuration Requirements for ASAv High Availability in Azure 317
Configure Active/Backup Failover 318
Configure Optional Failover Parameters 320


Configure Azure Route Tables 320
Manage Failover in the Public Cloud 321
Force Failover 321
Update Routes 322
Validate Azure Authentication 322
Monitor Failover in the Public Cloud 323
Failover Status 323
Failover Messages 323
History for Failover in the Public Cloud 324

CHAPTER 12
ASA Cluster 325
About ASA Clustering 325
How the Cluster Fits into Your Network 325
Cluster Members 326
Bootstrap Configuration 326
Control and Data Node Roles 326
Cluster Interfaces 326
Cluster Control Link 326
Configuration Replication 327
ASA Cluster Management 327
Management Network 327
Management Interface 327
Control Unit Management Vs. Data Unit Management 328
Crypto Key Replication 328
ASDM Connection Certificate IP Address Mismatch 328
Inter-Site Clustering 328
Licenses for ASA Clustering 329
Requirements and Prerequisites for ASA Clustering 329
Guidelines for ASA Clustering 331
Configure ASA Clustering 336
Back Up Your Configurations (Recommended) 337
Cable the Units and Configure Interfaces 337
About Cluster Interfaces 337
Cable the Cluster Units and Configure Upstream and Downstream Equipment 346


Configure the Cluster Interface Mode on the Control Unit 346
(Recommended; Required in Multiple Context Mode) Configure Interfaces on the Control Unit 349
Create or Join a Cluster Using the High Availability Wizard 354
Customize the Clustering Operation 357
Configure Basic ASA Cluster Parameters 357
Configure Interface Health Monitoring and Auto-Rejoin Settings 361
Configure the Cluster TCP Replication Delay 362
Configure Inter-Site Features 363
Manage Cluster Nodes 366
Add a New Data Node from the Control Node 366
Become an Inactive Node 367
Deactivate a Data Node from the Control Node 368
Rejoin the Cluster 369
Leave the Cluster 369
Change the Control Node 371
Execute a Command Cluster-Wide 371
Monitoring the ASA Cluster 372
Monitoring Cluster Status 372
Capturing Packets Cluster-Wide 373
Monitoring Cluster Resources 373
Monitoring Cluster Traffic 373
Monitoring the Cluster Control Link 373
Monitoring Cluster Routing 373
Configuring Logging for Clustering 374
Examples for ASA Clustering 374
Sample ASA and Switch Configuration 374
ASA Configuration 374
Cisco IOS Switch Configuration 376
Firewall on a Stick 377
Traffic Segregation 379
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 381
OTV Configuration for Routed Mode Inter-Site Clustering 387
Examples for Inter-Site Clustering 390
Individual Interface Routed Mode North-South Inter-Site Example 390

Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 391
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 392
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 393
Reference for Clustering 394
ASA Features and Clustering 394
Unsupported Features with Clustering 394
Centralized Features for Clustering 395
Features Applied to Individual Nodes 396
AAA for Network Access and Clustering 396
Connection Settings and Clustering 397
FTP and Clustering 397
ICMP Inspection and Clustering 397
Multicast Routing and Clustering 397
NAT and Clustering 397
Dynamic Routing and Clustering 399
SCTP and Clustering 401
SIP Inspection and Clustering 402
SNMP and Clustering 402
STUN and Clustering 402
Syslog and NetFlow and Clustering 402
Cisco TrustSec and Clustering 402
VPN and Clustering 402
Performance Scaling Factor 403
Control Node Election 403
High Availability Within the Cluster 403
Node Health Monitoring 404
Interface Monitoring 404
Status After Failure 404
Rejoining the Cluster 405
Data Path Connection State Replication 405
How the Cluster Manages Connections 406
Connection Roles 406
New Connection Ownership 408
Sample Data Flow for TCP 408

Sample Data Flow for ICMP and UDP 409
Rebalancing New TCP Connections Across the Cluster 410
History for ASA Clustering 410

CHAPTER 13
ASA Cluster for the Firepower 4100/9300 417
About Clustering on the Firepower 4100/9300 Chassis 417
Bootstrap Configuration 418
Cluster Members 418
Cluster Control Link 418
Size the Cluster Control Link 419
Cluster Control Link Redundancy 419
Cluster Control Link Reliability 420
Cluster Control Link Network 420
Cluster Interfaces 420
Connecting to a Redundant Switch System 420
Configuration Replication 421
ASA Cluster Management 421
Management Network 421
Management Interface 421
Control Unit Management Vs. Data Unit Management 421
Crypto Key Replication 422
ASDM Connection Certificate IP Address Mismatch 422
Spanned EtherChannels (Recommended) 422
Inter-Site Clustering 423
Requirements and Prerequisites for Clustering on the Firepower 4100/9300 Chassis 423
Licenses for Clustering on the Firepower 4100/9300 Chassis 425
Licenses for Distributed S2S VPN 426
Clustering Guidelines and Limitations 426
Configure Clustering on the Firepower 4100/9300 Chassis 431
FXOS: Add an ASA Cluster 431
Create an ASA Cluster 432
Add More Cluster Members 438
ASA: Change the Firewall Mode and Context Mode 440
ASA: Configure Data Interfaces 440

ASA: Customize the Cluster Configuration 442
Configure Basic ASA Cluster Parameters 442
Configure Interface Health Monitoring and Auto-Rejoin Settings 445
Configure the Cluster TCP Replication Delay 446
Configure Inter-Site Features 447
Configure Distributed Site-to-Site VPN 450
FXOS: Remove a Cluster Unit 455
ASA: Manage Cluster Members 456
Become an Inactive Member 457
Deactivate a Data Unit from the Control Unit 457
Rejoin the Cluster 458
Change the Control Unit 459
Execute a Command Cluster-Wide 459
ASA: Monitoring the ASA Cluster on the Firepower 4100/9300 chassis 461
Monitoring Cluster Status 461
Capturing Packets Cluster-Wide 461
Monitoring Cluster Resources 461
Monitoring Cluster Traffic 461
Monitoring the Cluster Control Link 462
Monitoring Cluster Routing 462
Monitoring Distributed S2S VPN 462
Configuring Logging for Clustering 462
Troubleshooting Distributed S2S VPN 463
Examples for ASA Clustering 464
Firewall on a Stick 465
Traffic Segregation 466
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 466
OTV Configuration for Routed Mode Inter-Site Clustering 469
Examples for Inter-Site Clustering 472
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 472
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 473
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 475
Reference for Clustering 475
ASA Features and Clustering 475

Unsupported Features with Clustering 476
Centralized Features for Clustering 476
Features Applied to Individual Units 478
AAA for Network Access and Clustering 478
Connection Settings 478
FTP and Clustering 478
ICMP Inspection 479
Multicast Routing and Clustering 479
NAT and Clustering 479
Dynamic Routing and Clustering 480
SCTP and Clustering 481
SIP Inspection and Clustering 481
SNMP and Clustering 481
STUN and Clustering 482
Syslog and NetFlow and Clustering 482
Cisco TrustSec and Clustering 482
VPN and Clustering on the Firepower eXtensible Operating System (FXOS) Chassis 482
Performance Scaling Factor 483
Control Unit Election 483
High Availability Within the Cluster 483
Chassis-Application Monitoring 483
Unit Health Monitoring 484
Interface Monitoring 484
Decorator Application Monitoring 484
Status After Failure 484
Rejoining the Cluster 485
Data Path Connection State Replication 485
How the Cluster Manages Connections 486
Connection Roles 486
New Connection Ownership 488
Sample Data Flow for TCP 488
Sample Data Flow for ICMP and UDP 489
History for ASA Clustering on the Firepower 4100/9300 490

PART III Interfaces 497

CHAPTER 14 Basic Interface Configuration 499
About Basic Interface Configuration 499 Auto-MDI/MDIX Feature 499 Management Interface 500 Management Interface Overview 500 Management Slot/Port Interface 500 Use Any Interface for Management-Only Traffic 501 Management Interface for Transparent Mode 501 No Support for Redundant Management Interfaces 502 Management Interface Characteristics for ASA Models 502 Guidelines for Basic Interface Configuration 502 Default Settings for Basic Interface Configuration 503 Enable the Physical Interface and Configure Ethernet Parameters 504 Enable Jumbo Frame Support (ASA Models, ASAv, ISA 3000) 505 Examples for Basic Interfaces 506 Physical Interface Parameters Example 506 Multiple Context Mode Example 506 History for Basic Interface Configuration 507

CHAPTER 15 Basic Interface Configuration for Firepower 1010 Switch Ports 509
About Firepower 1010 Switch Ports 509 Understanding Firepower 1010 Ports and Interfaces 509 Auto-MDI/MDIX Feature 510 Guidelines and Limitations for Firepower 1010 Switch Ports 510 Configure Switch Ports and Power Over Ethernet 512 Configure a VLAN Interface 512 Configure Switch Ports as Access Ports 512 Configure Switch Ports as Trunk Ports 513 Configure Power Over Ethernet 515 Monitoring Switch Ports 516 History for Switch Ports 516

CHAPTER 16 EtherChannel and Redundant Interfaces 517
About EtherChannels and Redundant Interfaces 517 About Redundant Interfaces (ASA Platform Only) 517 Redundant Interface MAC Address 518 About EtherChannels 518 Channel Group Interfaces 518 Connecting to an EtherChannel on Another Device 518 Link Aggregation Control Protocol 519 Load Balancing 520 EtherChannel MAC Address 520 Guidelines for EtherChannels and Redundant Interfaces 521 Default Settings for EtherChannels and Redundant Interfaces 523 Configure a Redundant Interface 523 Configure a Redundant Interface 523 Change the Active Interface 525 Configure an EtherChannel 525 Add Interfaces to the EtherChannel 525 Customize the EtherChannel 527 Examples for EtherChannels 529 History for EtherChannels and Redundant Interfaces 529

CHAPTER 17 VLAN Subinterfaces 531
About VLAN Subinterfaces 531 Licensing for VLAN Subinterfaces 531 Guidelines and Limitations for VLAN Subinterfaces 532 Default Settings for VLAN Subinterfaces 533 Configure VLAN Subinterfaces and 802.1Q Trunking 533 Examples for VLAN Subinterfaces 535 History for VLAN Subinterfaces 536

CHAPTER 18 VXLAN Interfaces 537
About VXLAN Interfaces 537 VXLAN Encapsulation 537

VXLAN Tunnel Endpoint 537 VTEP Source Interface 538 VNI Interfaces 538 VXLAN Packet Processing 538 Peer VTEP 539 VXLAN Use Cases 539 VXLAN Bridge or Gateway Overview 539 VXLAN Bridge 540 VXLAN Gateway (Routed Mode) 540 Router Between VXLAN Domains 540 Requirements and Prerequisites for VXLAN Interfaces 542 Guidelines for VXLAN Interfaces 542 Default Settings for VXLAN Interfaces 542 Configure VXLAN Interfaces 543 Configure the VTEP Source Interface 543 Configure the VNI Interface 544 Allow Gateway Load Balancer Health Checks 545 Examples for VXLAN Interfaces 545 Transparent VXLAN Gateway Example 546 VXLAN Routing Example 548 History for VXLAN Interfaces 549

CHAPTER 19 Routed and Transparent Mode Interfaces 551
About Routed and Transparent Mode Interfaces 551 Security Levels 551 Dual IP Stack (IPv4 and IPv6) 552 31-Bit Subnet Mask 552 31-Bit Subnet and Clustering 552 31-Bit Subnet and Failover 552 31-Bit Subnet and Management 553 31-Bit Subnet Unsupported Features 553 Guidelines and Limitations for Routed and Transparent Mode Interfaces 553 Configure Routed Mode Interfaces 555 Configure General Routed Mode Interface Parameters 555

Configure PPPoE 558 Configure Bridge Group Interfaces 558 Configure the Bridge Virtual Interface (BVI) 559 Configure General Bridge Group Member Interface Parameters 560 Configure a Management Interface for Transparent Mode 561 Configure IPv6 Addressing 563 About IPv6 563 IPv6 Addressing 563 Modified EUI-64 Interface IDs 563 Configure the IPv6 Prefix Delegation Client 564 About IPv6 Prefix Delegation 564 Enable the IPv6 Prefix Delegation Client 566 Configure a Global IPv6 Address 567 (Optional) Configure the Link-Local Addresses Automatically 569 (Optional) Configure the Link-Local Addresses Manually 570 Configure IPv6 Neighbor Discovery 571 View and Clear Dynamically Discovered Neighbors 573 Monitoring Routed and Transparent Mode Interfaces 574 Interface Statistics and Information 574 DHCP Information 575 Static Route Tracking 575 PPPoE 575 Dynamic ACLs 575 Examples for Routed and Transparent Mode Interfaces 576 Transparent Mode Example with 2 Bridge Groups 576 Switched LAN Segment Example with 2 Bridge Groups 576 History for Routed and Transparent Mode Interfaces 579

CHAPTER 20 Advanced Interface Configuration 583
About Advanced Interface Configuration 583 About MAC Addresses 583 Default MAC Addresses 583 Automatic MAC Addresses 584 About the MTU 585

Path MTU Discovery 585 Default MTU 585 MTU and Fragmentation 585 MTU and Jumbo Frames 586 About the TCP MSS 586 Default TCP MSS 586 Suggested Maximum TCP MSS Setting 586 Inter-Interface Communication 587 Intra-Interface Communication (Routed Firewall Mode) 587 Automatically Assign MAC Addresses in Multiple Context Mode 587 Configure the Manual MAC Address, MTU, and TCP MSS 588 Allow Same Security Level Communication 589 Monitoring the ARP and MAC Address Table 590 History for Advanced Interface Configuration 590

CHAPTER 21 Traffic Zones 591
About Traffic Zones 591 Non-Zoned Behavior 591 Why Use Zones? 591 Asymmetric Routing 592 Lost Route 592 Load Balancing 593 Per-Zone Connection and Routing Tables 594 ECMP Routing 594 Non-Zoned ECMP Support 594 Zoned ECMP Support 595 How Connections Are Load-Balanced 595 Falling Back to a Route in Another Zone 595 Interface-Based Security Policy 595 Supported Services for Traffic Zones 595 Security Levels 596 Primary and Current Interface for the Flow 596 Joining or Leaving a Zone 596 Intra-Zone Traffic 596

To- and From-the-Box Traffic 597 Overlapping IP Addresses Within a Zone 597 Prerequisites for Traffic Zones 597 Guidelines for Traffic Zones 598 Configure a Traffic Zone 600 Monitoring Traffic Zones 600 Zone Information 600 Zone Connections 601 Zone Routing 601 Example for Traffic Zones 602 History for Traffic Zones 605

PART IV Basic Settings 607

CHAPTER 22 Basic Settings 609
Set the Hostname, Domain Name, and the Enable and Telnet Passwords 609 Set the Date and Time 610 Set the Date and Time Using an NTP Server 611 Set the Date and Time Manually 612 Configure Precision Time Protocol (ISA 3000) 613 Configure the Master Passphrase 614 Add or Change the Master Passphrase 615 Disable the Master Passphrase 616 Configure the DNS Server 617 Configure the Hardware Bypass and Dual Power Supply (Cisco ISA 3000) 619 Adjust ASP (Accelerated Security Path) Performance and Behavior 620 Choose a Rule Engine Transactional Commit Model 620 Enable ASP Load Balancing 621 Monitoring the DNS Cache 622 History for Basic Settings 622

CHAPTER 23 DHCP and DDNS Services 627
About DHCP and DDNS Services 627 About the DHCPv4 Server 627

DHCP Options 627 About the DHCPv6 Stateless Server 628 About the DHCP Relay Agent 628 DHCP Relay Server Support on VTI 628 Guidelines for DHCP and DDNS Services 629 Configure the DHCP Server 631 Enable the DHCPv4 Server 631 Configure Advanced DHCPv4 Options 633 Configure the DHCPv6 Stateless Server 633 Configure the DHCP Relay Agent 634 Configure Dynamic DNS 636 Monitoring DHCP and DDNS Services 638 Monitoring DHCP Services 638 Monitoring DDNS Status 639 History for DHCP and DDNS Services 639

CHAPTER 24 Digital Certificates 643
About Digital Certificates 643 Public Key Cryptography 644 Certificate Scalability 644 Key Pairs 645 Trustpoints 645 Certificate Enrollment 645 Proxy for SCEP Requests 646 Revocation Checking 646 Supported CA Servers 646 CRLs 647 OCSP 648 Certificates and User Login Credentials 649 User Login Credentials 649 Certificates 649 Guidelines for Digital Certificates 650 Configure Digital Certificates 652 Configure Reference Identities 652

How to Set Up Specific Certificate Types 654 Identity Certificates 654 Add or Import an Identity Certificate 655 Export an Identity Certificate 658 Generate a Certificate Signing Request 659 Install Identity Certificates 660 CA Certificates 661 Add or Install a CA Certificate 661 Configure CA Certificates for Revocation 662 Configure CRL Retrieval Policy 662 Configure CRL Retrieval Methods 663 Configure OCSP Rules 663 Configure Advanced CRL and OCSP Settings 664 CA Server Management 665 Code Signer Certificate 665 Import a Code Signer Certificate 665 Export a Code Signer Certificate 665 Set a Certificate Expiration Alert (for Identity or CA Certificates) 666 Monitoring Digital Certificates 667 History for Certificate Management 667

CHAPTER 25 ARP Inspection and the MAC Address Table 669
About ARP Inspection and the MAC Address Table 669 ARP Inspection for Bridge Group Traffic 669 MAC Address Table 670 Default Settings 670 Guidelines for ARP Inspection and the MAC Address Table 670 Configure ARP Inspection and Other ARP Parameters 671 Add a Static ARP Entry and Customize Other ARP Parameters 671 Enable ARP Inspection 672 Customize the MAC Address Table for Bridge Groups 673 Add a Static MAC Address for Bridge Groups 673 Configure MAC Address Learning 673 History for ARP Inspection and the MAC Address Table 674

PART V IP Routing 677

CHAPTER 26 Routing Overview 679
Path Determination 679 Supported Route Types 680 Static Versus Dynamic 680 Single-Path Versus Multipath 680 Flat Versus Hierarchical 680 Link-State Versus Distance Vector 681 Supported Internet Protocols for Routing 681 Routing Table 682 How the Routing Table Is Populated 682 Administrative Distances for Routes 682 Backup Dynamic and Floating Static Routes 684 How Forwarding Decisions Are Made 684 Dynamic Routing and Failover 684 Dynamic Routing and Clustering 685 Dynamic Routing in Spanned EtherChannel Mode 685 Dynamic Routing in Individual Interface Mode 686 Dynamic Routing in Multiple Context Mode 687 Route Resource Management 687 Routing Table for Management Traffic 687 Management Interface Identification 688 Equal-Cost Multi-Path (ECMP) Routing 689 Disable Proxy ARP Requests 689 Display the Routing Table 690 History for Route Overview 690

CHAPTER 27 Static and Default Routes 691
About Static and Default Routes 691 Default Route 691 Static Routes 691 Route to null0 Interface to Drop Unwanted Traffic 692

Route Priorities 692 Transparent Firewall Mode and Bridge Group Routes 692 Static Route Tracking 692 Guidelines for Static and Default Routes 693 Configure Default and Static Routes 694 Configure a Default Route 694 Configure a Static Route 695 Configure Static Route Tracking 696 Monitoring a Static or Default Route 697 Examples for Static or Default Routes 697 History for Static and Default Routes 697

CHAPTER 28 Policy Based Routing 699
About Policy Based Routing 699 Why Use Policy Based Routing? 699 Equal-Access and Source-Sensitive Routing 700 Quality of Service 700 Cost Saving 700 Load Sharing 701 Implementation of PBR 701 Guidelines for Policy Based Routing 701 Configure Policy Based Routing 702 History for Policy Based Routing 704

CHAPTER 29 Route Maps 707
About Route Maps 707 Permit and Deny Clauses 708 Match and Set Clause Values 708 Guidelines for Route Maps 709 Define a Route Map 709 Customize a Route Map 711 Define a Route to Match a Specific Destination Address 711 Configure Prefix Rules 712 Configure Prefix Lists 713

Configure the Metric Values for a Route Action 713 Example for Route Maps 714 History for Route Maps 715

CHAPTER 30 Bidirectional Forwarding Detection Routing 717
About BFD Routing 717 BFD Asynchronous Mode and Echo Function 717 BFD Session Establishment 718 BFD Timer Negotiation 719 BFD Failure Detection 720 BFD Deployment Scenarios 720 Guidelines for BFD Routing 720 Configure BFD 721 Create the BFD Template 721 Configure BFD Interfaces 723 Configure BFD Maps 723 History for BFD Routing 724

CHAPTER 31 BGP 725
About BGP 725 When to Use BGP 725 Routing Table Changes 725 BGP Path Selection 727 BGP Multipath 727 Guidelines for BGP 728 Configure BGP 729 Enable BGP 729 Define the Best Path for a BGP Routing Process 730 Configure Policy Lists 731 Configure AS Path Filters 732 Configure Community Rules 733 Configure IPv4 Address Family Settings 734 Configure IPv4 Family General Settings 734 Configure IPv4 Family Aggregate Address Settings 734

Configure IPv4 Family Filtering Settings 735 Configure IPv4 Family BGP Neighbor Settings 736 Configure IPv4 Network Settings 739 Configure IPv4 Redistribution Settings 739 Configure IPv4 Route Injection Settings 740 Configure IPv6 Address Family Settings 740 Configure IPv6 Family General Settings 740 Configure IPv6 Family Aggregate Address Settings 741 Configure IPv6 Family BGP Neighbor Settings 742 Configure IPv6 Network Settings 744 Configure IPv6 Redistribution Settings 745 Configure IPv6 Route Injection Settings 745 Monitoring BGP 746 History for BGP 747

CHAPTER 32 OSPF 749
About OSPF 749 OSPF Support for Fast Hello Packets 751 Prerequisites for OSPF Support for Fast Hello Packets 751 About OSPF Support for Fast Hello Packets 751 Implementation Differences Between OSPFv2 and OSPFv3 752 Guidelines for OSPF 752 Configure OSPFv2 754 Configure a Key Chain for Authentication 755 Configure OSPFv2 Router ID 757 Manually Configure OSPF Router-ID 757 Router ID Behaviour while Migrating 757 Customize OSPFv2 758 Redistribute Routes Into OSPFv2 758 Configure Route Summarization When Redistributing Routes Into OSPFv2 760 Add a Route Summary Address 760 Add or Edit an OSPF Summary Address 761 Configure Route Summarization Between OSPFv2 Areas 761 Configure OSPFv2 Interface Parameters 762

Configure OSPFv2 Area Parameters 765 Configure OSPFv2 Filter Rules 766 Configure an OSPFv2 NSSA 766 Configure an IP Address Pool for Clustering (OSPFv2 and OSPFv3) 767 Define Static OSPFv2 Neighbors 769 Configure Route Calculation Timers 770 Log Neighbors Going Up or Down 770 Configure a Key Chain for Authentication 771 Configure Filtering in OSPF 772 Configure a Virtual Link in OSPF 773 Configure OSPFv3 775 Enable OSPFv3 775 Configure OSPFv3 Interface Parameters 775 Configure OSPFv3 Area Parameters 777 Configure a Virtual Link Neighbor 778 Configure OSPFv3 Passive Interfaces 779 Configure OSPFv3 Administrative Distance 779 Configure OSPFv3 Timers 780 Define Static OSPFv3 Neighbors 781 Send Syslog Messages 781 Suppress Syslog Messages 782 Calculate Summary Route Costs 782 Generate a Default External Route into an OSPFv3 Routing Domain 783 Configure an IPv6 Summary Prefix 783 Redistribute IPv6 Routes 784 Configure Graceful Restart 785 Configuring Graceful Restart for OSPFv2 785
Configure Cisco NSF Graceful Restart for OSPFv2 786 Configure IETF NSF Graceful Restart for OSPFv2 786 Configuring Graceful Restart for OSPFv3 787 Configuring Graceful Restart Wait Timer for OSPF 787 Remove the OSPFv2 Configuration 788 Remove the OSPFv3 Configuration 788 Example for OSPFv2 788

Examples for OSPFv3 790 Monitoring OSPF 792 History for OSPF 793

CHAPTER 33 IS-IS 795
About IS-IS 795 About NET 795 IS-IS Dynamic Hostname 796 IS-IS PDU Types 796 Operation of IS-IS on Multiaccess Circuits 797 IS-IS Election of the Designated IS 798 IS-IS LSPDB Synchronization 799 IS-IS Shortest Path Calculation 800 IS-IS Shutdown Protocol 801 Prerequisites for IS-IS 801 Guidelines for IS-IS 801 Configure IS-IS 802 Enable IS-IS Routing Globally 802 Enable IS-IS Authentication 803 Configure IS-IS LSP 804 Configure IS-IS Summary Addresses 805 Configure IS-IS NET 807 Configure IS-IS Passive Interfaces 807 Configure IS-IS Interfaces 808 Configure IS-IS IPv4 Address Family 811 Configure IS-IS IPv6 Address Family 815 Monitoring IS-IS 817 History for IS-IS 817

CHAPTER 34 EIGRP 819
About EIGRP 819 Guidelines for EIGRP 820 Configure an EIGRP Process 821 Configure EIGRP 822

Enable EIGRP 822 Enable EIGRP Stub Routing 823 Customize EIGRP 824 Define a Network for an EIGRP Routing Process 824 Configure Interfaces for EIGRP 825 Configure Passive Interfaces 826 Configure the Summary Aggregate Addresses on Interfaces 826 Change the Interface Delay Value 827 Enable EIGRP Authentication on an Interface 828 Define an EIGRP Neighbor 829 Redistribute Routes Into EIGRP 830 Filter Networks in EIGRP 831 Customize the EIGRP Hello Interval and Hold Time 832 Disable Automatic Route Summarization 833 Configure Default Information in EIGRP 834 Disable EIGRP Split Horizon 835 Restart the EIGRP Process 835 Monitoring for EIGRP 836 History for EIGRP 837

CHAPTER 35 Multicast Routing 839
About Multicast Routing 839 Stub Multicast Routing 839 PIM Multicast Routing 840 PIM Source Specific Multicast Support 840 PIM Bootstrap Router (BSR) 840 PIM Bootstrap Router (BSR) Terminology 841 Multicast Group Concept 841 Multicast Addresses 841 Clustering 842 Guidelines for Multicast Routing 842 Enable Multicast Routing 843 Customize Multicast Routing 843 Configure Stub Multicast Routing and Forward IGMP Messages 843

Configure a Static Multicast Route 844 Configure IGMP Features 845 Disable IGMP on an Interface 845 Configure IGMP Group Membership 845 Configure a Statically Joined IGMP Group 846 Control Access to Multicast Groups 847 Limit the Number of IGMP States on an Interface 847 Modify the Query Messages to Multicast Groups 848 Change the IGMP Version 849 Configure PIM Features 849 Enable and Disable PIM on an Interface 849 Configure a Static Rendezvous Point Address 850 Configure the Designated Router Priority 851 Configure and Filter PIM Register Messages 851 Configure PIM Message Intervals 852 Configure a Route Tree 852 Configure a Multicast Group 853 Filter PIM Neighbors 853 Configure a Bidirectional Neighbor Filter 854 Configure the ASA as a Candidate BSR 855 Configure a Multicast Boundary 856 Monitoring for PIM 857 Example for Multicast Routing 857 History for Multicast Routing 859

PART VI AAA Servers and the Local Database 861

CHAPTER 36 AAA and the Local Database 863
About AAA and the Local Database 863 Authentication 863 Authorization 864 Accounting 864 Interaction Between Authentication, Authorization, and Accounting 864 AAA Servers and Server Groups 864

About the Local Database 866 Fallback Support 867 How Fallback Works with Multiple Servers in a Group 867 Guidelines for the Local Database 868 Add a User Account to the Local Database 868 Test Local Database Authentication and Authorization 869 Monitoring the Local Database 870 History for the Local Database 870

CHAPTER 37 RADIUS Servers for AAA 873
About RADIUS Servers for AAA 873 Supported Authentication Methods 873 User Authorization of VPN Connections 874 Supported Sets of RADIUS Attributes 874 Supported RADIUS Authorization Attributes 874 Supported IETF RADIUS Authorization Attributes 882 RADIUS Accounting Disconnect Reason Codes 883 Guidelines for RADIUS Servers for AAA 884 Configure RADIUS Servers for AAA 884 Configure RADIUS Server Groups 885 Add a RADIUS Server to a Group 887 Add an Authentication Prompt 889 Test RADIUS Server Authentication and Authorization 889 Monitoring RADIUS Servers for AAA 890 History for RADIUS Servers for AAA 890

CHAPTER 38 TACACS+ Servers for AAA 893
About TACACS+ Servers for AAA 893 TACACS+ Attributes 893 Guidelines for TACACS+ Servers for AAA 894 Configure TACACS+ Servers 895 Configure TACACS+ Server Groups 895 Add a TACACS+ Server to a Group 896 Add an Authentication Prompt 897

Test TACACS+ Server Authentication and Authorization 898 Monitoring TACACS+ Servers for AAA 898 History for TACACS+ Servers for AAA 899

CHAPTER 39 LDAP Servers for AAA 901
About LDAP and the ASA 901 How Authentication Works with LDAP 901 LDAP Hierarchy 902 Search the LDAP Hierarchy 902 Bind to an LDAP Server 903 LDAP Attribute Maps 904 Guidelines for LDAP Servers for AAA 904 Configure LDAP Servers for AAA 905 Configure LDAP Attribute Maps 905 Configure LDAP Server Groups 906 Add an LDAP Server to a Server Group 907 Test LDAP Server Authentication and Authorization 909 Monitoring LDAP Servers for AAA 909 History for LDAP Servers for AAA 910

CHAPTER 40 Kerberos Servers for AAA 911
Guidelines for Kerberos Servers for AAA 911 Configure Kerberos Servers for AAA 911 Configure Kerberos AAA Server Groups 911 Add Kerberos Servers to a Kerberos Server Group 912 Configure Kerberos Key Distribution Center Validation 913 Monitor Kerberos Servers for AAA 914 History for Kerberos Servers for AAA 915

CHAPTER 41 RSA SecurID Servers for AAA 917
About RSA SecurID Servers 917 Guidelines for RSA SecurID Servers for AAA 917 Configure RSA SecurID Servers for AAA 918 Configure RSA SecurID AAA Server Groups 918

Add RSA SecurID Servers to an SDI Server Group 918 Monitor RSA SecurID Servers for AAA 919 History for RSA SecurID Servers for AAA 920

PART VII System Administration 921

CHAPTER 42 Management Access 923
Configure Management Remote Access 923 Configure ASA Access for HTTPS, Telnet, or SSH 923 Configure HTTPS Access for ASDM, Other Clients 924 Configure SSH Access 925 Configure Telnet Access 930 Configure HTTP Redirect for ASDM Access or Clientless SSL VPN 931 Configure Management Access Over a VPN Tunnel 932 Configure Management Access for FXOS on Firepower 2100 Platform Mode Data Interfaces 932 Change the Console Timeout 934 Customize a CLI Prompt 934 Configure a Login Banner 935 Set a Management Session Quota 936 Configure AAA for System Administrators 937 Configure Management Authentication 937 About Management Authentication 937 Configure Authentication for CLI, ASDM, and enable command Access 939 Configure ASDM Certificate Authentication 940 Control CLI and ASDM Access with Management Authorization 941 Configure Command Authorization 943 About Command Authorization 943 Configure Local Command Authorization 945 Configure Commands on the TACACS+ Server 946 Configure TACACS+ Command Authorization 949 Configure a Password Policy for Local Database Users 949 Change Your Password 951 Enable and View the Login History 951 Configure Management Access Accounting 952

Recover from a Lockout 953 Monitoring Device Access 954 History for Management Access 955

CHAPTER 43 Software and Configurations 961
Upgrade the Software 961 Load an Image Using ROMMON (ASA 5506-X, 5508-X, and 5516-X, ISA 3000) 961 Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X, ISA 3000) 963 Recover and Load an Image for the ASA 5506W-X Wireless Access Point 964 Downgrade Your Software 965 Guidelines and Limitations for Downgrading 965 Incompatible Configuration Removed After Downgrading 966 Downgrade the Firepower 1000, 2100 in Appliance Mode 967 Downgrade the Firepower 2100 in Platform Mode 968 Downgrade the Firepower 4100/9300 968 Downgrade the ASA 5500-X or ISA 3000 969 Manage Files 970 Configure File Access 970 Configure the FTP Client Mode 970 Configure the ASA as a Secure Copy Server 971 Configure the ASA TFTP Client Path 972 Add Mount Points 973 Access the File Management Tool 974 Transfer Files 975 Transfer Files Between Local PC and Flash 975 Transfer Files Between Remote Server and Flash 975 Set the ASA Image, ASDM, and Startup Configuration 977 Back Up and Restore Configurations or Other Files 979 Perform a Complete System Backup or Restoration 979 Before You Begin Backup or Restore 979 Back Up the System 980 Restore the Backup 981 Configure Automatic Backup and Restore (ISA 3000) 982 Configure Automatic Backup (ISA 3000) 982

Configure Automatic Restore (ISA 3000) 983 Save the Running Configuration to a TFTP Server 984 Schedule a System Restart 984 Configure Auto Update 985 About Auto Update 985 Auto Update Client or Server 985 Auto Update Benefits 985 Auto Update Server Support in Failover Configurations 986 Guidelines for Auto Update 987 Configure Communication with an Auto Update Server 988 Monitoring Auto Update 989 Monitoring the Auto Update Process 989 History for Software and Configurations 991

CHAPTER 44 Response Automation for System Events 993
About the EEM 993 Supported Events 993 Actions on Event Manager Applets 994 Output Destinations 994 Guidelines for the EEM 994 Configure the EEM 995 Create an Event Manager Applet and Configure Events 995 Configure an Action and Destinations for Output from an Action 996 Run an Event Manager Applet 997 Track Memory Allocation and Memory Usage 997 Monitoring the EEM 998 History for the EEM 998

CHAPTER 45 Testing and Troubleshooting 999
Recover Enable and Telnet Passwords 999 Recover Passwords on the ASA 5500-X 999 Recover Passwords on the ASA 5506-X, ASA 5508-X, ASA 5516-X, and ISA 3000 1001 Recover Passwords or Images on the ASAv 1002 Disable Password Recovery for ASA or ISA 3000 Hardware 1004

Configure and Run Captures with the Packet Capture Wizard 1004 Guidelines for Packet Capture 1007 Ingress Traffic Selector 1008 Egress Traffic Selector 1008 Buffers 1009 Summary 1009 Run Captures 1009 Save Captures 1010
CPU Usage and Reporting 1010 vCPU Usage in the ASAv 1010 CPU Usage Example 1010 VMware CPU Usage Reporting 1011 ASAv and vCenter Graphs 1011 Amazon CloudWatch CPU Usage Reporting 1012 ASAv and Amazon CloudWatch Graphs 1012 Azure CPU Usage Reporting 1012 ASAv and Azure Graphs 1013 Hyper-V CPU Usage Reporting 1013 ASA Virtual and Hyper-V Graphs 1014
Test Your Configuration 1014 Test Basic Connectivity: Pinging Addresses 1014 What You Can Test Using Ping 1014 Choosing Between ICMP and TCP Ping 1015 Enable ICMP 1015 Ping Hosts 1016 Test ASA Connectivity Systematically 1017 Trace Routes to Hosts 1019 Make the ASA Visible on Trace Routes 1020 Determine Packet Routes 1020 Using the Packet Tracer to Test Policy Configuration 1021
Monitoring Performance and System Resources 1022 Monitoring Performance 1022 Monitoring Memory Blocks 1023 Monitoring CPU 1024

Monitoring Memory 1024 Monitoring Per-Process CPU Usage 1024 Monitoring Connections 1025 History for Testing and Troubleshooting 1025

PART VIII Monitoring 1027

CHAPTER 46 Logging 1029
About Logging 1029 Logging in Multiple Context Mode 1030 Syslog Message Analysis 1030 Syslog Message Format 1030 Severity Levels 1031 Syslog Message Filtering 1032 Syslog Message Classes 1032 Sort Messages in the Log Viewers 1035 Custom Message Lists 1035 Clustering 1035 Guidelines for Logging 1036 Configure Logging 1037 Enable Logging 1037 Configure an Output Destination 1038 Send Syslog Messages to an External Syslog Server 1038 Send Syslog Messages to the Internal Log Buffer 1041 Send Syslog Messages to an E-mail Address 1044 Send Syslog Messages to the Console Port 1045 Send Syslog Messages to a Telnet or SSH Session 1046 Configure Syslog Messages 1046 Configure Syslog Messaging 1046 Edit Syslog ID Settings 1047 Include a Device ID in Non-EMBLEM Formatted Syslog Messages 1048 Include the Date and Time in Syslog Messages 1048 Disable a Syslog Message 1048 Change the Severity Level of a Syslog Message 1049

Block Syslog Messages on a Standby Unit 1049 Include the Device ID in Non-EMBLEM Format Syslog Messages 1049 Create a Custom Event List 1050 Configure Logging Filters 1051 Apply Message Filters to a Logging Destination 1051 Apply Logging Filters 1051 Add or Edit a Syslog Message ID Filter 1052 Add or Edit a Message Class and Severity Filter 1052 Send All Syslog Messages in a Class to a Specified Output Destination 1053 Limit the Rate of Syslog Message Generation 1053 Assign or Change Rate Limits for Individual Syslog Messages 1054 Add or Edit the Rate Limit for a Syslog Message 1054 Edit the Rate Limit for a Syslog Severity Level 1055 Assign or Change Rate Limits for Dynamic Logging 1055 Monitoring the Logs 1055 Filter Syslog Messages Through the Log Viewers 1056 Edit Filtering Settings 1057 Issue Certain Commands Using the Log Viewers 1058 History for Logging 1059

CHAPTER 47 SNMP 1063
About SNMP 1063 SNMP Terminology 1063 SNMP Version 3 Overview 1064 Security Models 1064 SNMP Groups 1065 SNMP Users 1065 SNMP Hosts 1065 Implementation Differences Between the ASA and Cisco IOS Software 1065 SNMP Syslog Messaging 1066 Application Services and Third-Party Tools 1066 Guidelines for SNMP 1066 Configure SNMP 1068 Configure an SNMP Management Station 1069

Configure SNMP Traps 1069 Configure Parameters for SNMP Version 1 or 2c 1071 Configure Parameters for SNMP Version 3 1072 Configure a Group of Users 1074 Monitoring SNMP 1075 History for SNMP 1076

CHAPTER 48 Cisco Success Network and Telemetry Data 1081
About Cisco Success Network 1081 Supported Platforms and Required Configurations 1081 How Does ASA Telemetry Data Reach the SSE Cloud 1082 Enable or Disable Cisco Success Network 1082 View ASA Telemetry Data 1083 Cisco Success Network – Telemetry Data 1083

CHAPTER 49 Alarms for the Cisco ISA 3000 1091
About Alarms 1091 Alarm Input Interfaces 1092 Alarm Output Interface 1092 Defaults for Alarms 1093 Configure Alarms 1093 Monitoring Alarms 1094 History for Alarms 1096

CHAPTER 50 Anonymous Reporting and Smart Call Home 1097
About Anonymous Reporting 1097 DNS Requirement 1098 About Smart Call Home 1098 Guidelines for Anonymous Reporting and Smart Call Home 1099 Configure Anonymous Reporting and Smart Call Home 1100 Configure Anonymous Reporting 1100 Configure Smart Call Home 1100 Configure Auto Import of Trustpool Certificates 1104 Monitoring Anonymous Reporting and Smart Call Home 1104

History for Anonymous Reporting and Smart Call Home 1105

PART IX Reference 1107

CHAPTER 51 Addresses, Protocols, and Ports 1109
IPv4 Addresses and Subnet Masks 1109 Classes 1109 Private Networks 1110 Subnet Masks 1110 Determine the Subnet Mask 1110 Determine the Address to Use with the Subnet Mask 1111 IPv6 Addresses 1113 IPv6 Address Format 1113 IPv6 Address Types 1114 Unicast Addresses 1114 Multicast Address 1116 Anycast Address 1117 Required Addresses 1117 IPv6 Address Prefixes 1118 Protocols and Applications 1118 TCP and UDP Ports 1119 Local Ports and Protocols 1123 ICMP Types 1124


About This Guide
The following topics explain how to use this guide.
· Document Objectives, on page xlix
· Related Documentation, on page xlix
· Document Conventions, on page xlix
· Communications, Services, and Additional Information, on page li
Document Objectives
The purpose of this guide is to help you configure general operations for the Cisco ASA series using the Adaptive Security Device Manager (ASDM). This guide does not cover every feature, but describes only the most common configuration scenarios. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
Note ASDM supports many ASA versions. The ASDM documentation and online help include all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.
Related Documentation
For more information, see Navigating the Cisco ASA Series Documentation at http://www.cisco.com/go/asadocs.
Document Conventions
This document adheres to the following text, display, and alert conventions.
Text Conventions
boldface: Commands, keywords, button labels, field names, and user-entered text appear in boldface. For menu-based commands, the full path to the command is shown.
italic: Variables, for which you supply values, are presented in an italic typeface. Italic type is also used for document titles, and for general emphasis.
monospace: Terminal sessions and information that the system displays appear in monospace type.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[]: Elements in square brackets are optional.
[x | y | z]: Optional alternative keywords are grouped in square brackets and separated by vertical bars.
[]: Default responses to system prompts are also in square brackets.
<>: Non-printing characters such as passwords are in angle brackets.
!, #: An exclamation point (!) or a number sign (#) at the beginning of a line of code indicates a comment line.

Reader Alerts This document uses the following for reader alerts:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
Communications, Services, and Additional Information
· To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
· To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
· To submit a service request, visit Cisco Support.
· To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
· To obtain general networking, training, and certification titles, visit Cisco Press.
· To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.


PART I
Getting Started with the ASA
· Introduction to the ASA, on page 1
· Getting Started, on page 17
· ASDM Graphical User Interface, on page 53
· Licenses: Product Authorization Key Licensing, on page 91
· Licenses: Smart Software Licensing, on page 127
· Logical Devices for the Firepower 4100/9300, on page 183
· Transparent or Routed Firewall Mode, on page 201
· Startup Wizard, on page 225

CHAPTER 1
Introduction to the ASA
The ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features.
Note ASDM supports many ASA versions. The ASDM documentation and online help include all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Compatibility. See also Special, Deprecated, and Legacy Services, on page 15.
· ASDM Requirements, on page 1
· Hardware and Software Compatibility, on page 5
· VPN Compatibility, on page 5
· New Features, on page 6
· Firewall Functional Overview, on page 10
· VPN Functional Overview, on page 14
· Security Context Overview, on page 15
· ASA Clustering Overview, on page 15
· Special, Deprecated, and Legacy Services, on page 15
ASDM Requirements
ASDM Java Requirements
You can install ASDM using Oracle JRE 8.0 (asdm-version.bin) or OpenJRE 1.8.x (asdm-openjre-version.bin).
Note ASDM is not tested on Linux.
Table 1: ASA and ASA FirePOWER: ASDM Operating System and Browser Requirements

Operating System: Microsoft Windows (English and Japanese):
· 10
Note: See Windows 10 in ASDM Compatibility Notes, on page 2 if you have problems with the ASDM shortcut.
· 8
· 7
· Server 2016 and Server 2019 (ASA management only; ASDM management of the FirePOWER module is not supported. You can alternatively use the FMC to manage the FirePOWER module when using ASDM for ASA management.)
· Server 2012 R2
· Server 2012
· Server 2008
Note: No support for Windows 7 32-bit
Browser: Firefox: Yes; Safari: No support; Chrome: Yes
Oracle JRE: 8.0 version 8u261 or later
OpenJRE: 1.8

Operating System: Apple OS X 10.4 and later
Browser: Firefox: Yes; Safari: Yes; Chrome: Yes (64-bit version only)
Oracle JRE: 8.0 version 8u261 or later
OpenJRE: 1.8

ASDM Compatibility Notes
The following table lists compatibility caveats for ASDM.

Conditions: Windows 10
Notes: “This app can’t run on your PC” error message. When you install the ASDM Launcher, Windows 10 might replace the ASDM shortcut target with the Windows Scripting Host path, which causes this error. To fix the shortcut target:
1. Choose Start > Cisco ASDM-IDM Launcher, and right-click the Cisco ASDM-IDM Launcher application.
2. Choose More > Open file location. Windows opens the directory with the shortcut icon.
3. Right-click the shortcut icon, and choose Properties.
4. Change the Target to: C:\Windows\System32\wscript.exe invisible.vbs run.bat
5. Click OK.

Conditions: OS X
Notes: On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

Conditions: OS X 10.8 and later
Notes: You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.

Conditions: Requires Strong Encryption license (3DES/AES) on ASA
Note: Smart licensing models allow initial access with ASDM without the Strong Encryption license.
Notes: ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
1. Go to www.cisco.com/go/license.
2. Click Continue to Product License Registration.
3. In the Licensing Portal, click Get Other Licenses next to the text field.
4. Choose IPS, Crypto, Other… from the drop-down list.
5. Type ASA into the Search by Keyword field.
6. Select Cisco ASA 3DES/AES License in the Product list, and click Next.
7. Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.

Conditions:
· Self-signed certificate or an untrusted certificate
· IPv6
· Firefox and Safari
Notes: When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

Conditions:
· SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
· Chrome
Notes: If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.

Hardware and Software Compatibility
For a complete list of supported hardware and software, see Cisco ASA Compatibility.
VPN Compatibility
See Supported VPN Platforms, Cisco ASA Series.

New Features
This section lists new features for each release.

Note New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in ASA 9.14(4)/ASDM 7.17(1)

Released: February 2, 2022
There are no new features in this release.

New Features in ASA 9.14(3)/ASDM 7.15(1.150)

Released: June 15, 2021
There are no new features in this release.

New Features in ASA 9.14(2)

Released: November 9, 2020

SNMP Features
Feature: SNMP polling over site-to-site VPN
Description: For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.

New Features in ASA 9.14(1.30)

Released: September 23, 2020

Licensing Features
Feature: ASAv100 permanent license reservation
Description: The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation.

New Features in ASDM 7.14(1.48)

Released: April 30, 2020

Platform Features
Feature: Restore support for the ASA 5512-X, 5515-X, 5585-X, and ASASM for ASA 9.12 and earlier
Description: This ASDM release restores support for the ASA 5512-X, 5515-X, 5585-X, and ASASM when they are running 9.12 or earlier. The final ASA version for these models is 9.12. The original 7.13(1) and 7.14(1) releases blocked backwards compatibility with these models; this version has restored compatibility.

New Features in ASAv 9.14(1.6)
Released: April 30, 2020

Note This release is only supported on the ASAv.

Platform Features
Feature: ASAv100 platform
Description: The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years. The ASAv100 is supported on VMware ESXi and KVM only.

New Features in ASA 9.14(1)/ASDM 7.14(1)

Released: April 6, 2020

Platform Features
Feature: ASA for the Firepower 4112
Description: We introduced the ASA for the Firepower 4112.
No modified screens.
Note: Requires FXOS 2.8(1).

Firewall Features
Feature: Ability to see port numbers in show access-list output.
Description: The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www.

Feature: The object-group icmp-type command is deprecated.
Description: Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Please change all ICMP-type objects to service object groups (object-group service) and specify service icmp within the object.

Feature: Kerberos Key Distribution Center (KDC) authentication.
Description: You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC.
New/Modified screens: Configuration > Device Management > Users/AAA > AAA Kerberos, Configuration > Device Management > Users/AAA > AAA Server Groups Add/Edit dialog box for Kerberos server groups.

High Availability and Scalability Features
Feature: Configuration sync to data units in parallel
Description: The control unit now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially.
New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable parallel configuration replicate check box

Feature: Messages for cluster join failure or eviction added to show cluster history
Description: New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster.
New/Modified commands: show cluster history
No modified screens.
Interface Features
Feature: Speed auto-negotiation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100
Description: You can now configure a Firepower 1100 or 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB.
New/Modified screens: Configuration > Device Settings > Interfaces > Edit Interface > Configure Hardware Properties > Speed

Administrative and Troubleshooting Features
Feature: New connection-data-rate command
Description: The connection-data-rate command was introduced to provide an overview of the data rate of individual connections on the ASA. When this command is enabled, the per-flow data rate is provided along with the existing connection information. This information helps you identify and block unwanted connections with high data rates, thereby ensuring optimized CPU utilization.
New/Modified commands: conn data-rate, show conn data-rate, show conn detail, clear conn data-rate
No modified screens.

Feature: HTTPS idle timeout setting
Description: You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precedence.
New/Modified screens: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > HTTP Settings > Connection Idle Timeout check box.

Feature: NTPv4 support
Description: The ASA now supports NTPv4.
No modified screens.

Feature: New clear logging counter command
Description: The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics.
New/Modified commands: clear logging counter
No modified screens.

Feature: Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode
Description: The debug fxos_parser command has been simplified to provide commonly-used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command.
New/Modified commands: debug fxos_parser, debug menu fxos_parser
No modified screens.

Feature: show tech-support command enhanced
Description: The show ssl objects and show ssl errors commands were added to the output of the show tech-support command.
New/Modified commands: show tech-support
No modified screens.
Also in 9.12(4).

Monitoring Features
Feature: Net-SNMP version 5.8 Support
Description: The ASA is using Net-SNMP, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 using both IPv4 and IPv6.
New/Modified screens: Configuration > Device Management > Management Access > SNMP

Feature: SNMP OIDs and MIBs
Description: The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected/failed authentications from RADIUS over SNMP. This feature implements three SNMP OIDs:
· crasNumTotalFailures (total failures)
· crasNumSetupFailInsufResources (AAA and other internal failures)
· crasNumAbortedSessions (aborted sessions) objects
The ASA provides support for the Advanced Encryption Standard (AES) Cipher Algorithm. This feature implements the following SNMP OIDs:
· usmAesCfb128Protocol
· usmNoPrivProtocol

Feature: SNMPv3 Authentication
Description: You can now use SHA-256 HMAC for user authentication.
New/Modified screens: Configuration > Device Management > Management Access > SNMP

Feature: debug telemetry command.
Description: When you use the debug telemetry command, debug messages related to telemetry are displayed. The debugs help to identify the cause of errors when generating the telemetry report.
No modified screens.

VPN Features
Feature: DHCP Relay Server Support on VTI
Description: You can now configure a DHCP relay server to forward DHCP messages through a VTI tunnel interface.
New/Modified screens: Configuration > Device Management > DHCP > DHCP Relay

Feature: IKEv2 Support for Multiple Peer Crypto Map
Description: You can now configure IKEv2 with a multi-peer crypto map: when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list.
New/Modified screens: Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Create / Edit IPsec Rule > Tunnel Policy (Crypto Map) – Basic

Feature: Username Options for Multiple Certificate Authentication
Description: In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for aaa authentication.
New/Modified screens:
· Connection Profile > Advanced > Authentication
· Connection Profile > Advanced > Secondary Authentication

Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.

Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.

Permitting or Denying Traffic with Access Rules
You can apply access rules to limit traffic from inside to outside, or allow traffic from outside to inside. For bridge group interfaces, you can also apply an EtherType access rule to allow non-IP traffic.

Applying NAT

Some of the benefits of NAT include the following:
· You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
· NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
· NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments
The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet.
You can configure Cloud Web Security on the ASA, or install an ASA module that provides URL and other filtering services, such as ASA CX or ASA FirePOWER. You can also use the ASA in conjunction with an external product such as the Cisco Web Security Appliance (WSA).

Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection.
Sending Traffic to Supported Hardware or Software Modules
Some ASA models allow you to configure software modules, or to insert hardware modules into the chassis, to provide advanced services. These modules provide additional traffic inspection and can block traffic based on your configured policies. You can send traffic to these modules to take advantage of these advanced services.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
Enabling Threat Detection
You can configure scanning threat detection and basic threat detection, and you can use statistics to analyze threats.
Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the ASA to send system log messages about an attacker or you can automatically shun the host.
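The host database described above, as an added example that is not Cisco's implementation: it keeps per-source statistics for two of the behaviours the text names (connections with no return activity and accesses to closed ports), flags a host as scanning once those hit enough distinct targets inside a time window, and then either logs a message or shuns the host. The window, threshold, addresses, record format and message text are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnRecord:
    """One observed connection attempt (constructed input format)."""
    ts: float          # seconds
    src: str
    dst: str
    dport: int
    returned: bool     # the destination sent at least one packet back
    port_closed: bool  # the destination answered with RST or port unreachable


class ScanningThreatDetector:
    """Per-source-host database of suspicious connection behaviour."""

    def __init__(self, window=60.0, threshold=10, action="syslog"):
        self.window = window        # seconds of history kept per host
        self.threshold = threshold  # distinct suspicious (dst, dport) targets
        self.action = action        # "syslog" (message only) or "shun"
        self.host_db = defaultdict(list)  # src -> [(ts, dst, dport, suspicious)]
        self.shunned = set()
        self.syslog = []

    def observe(self, rec):
        """Record one connection and return the verdict for it."""
        if rec.src in self.shunned:
            # Traffic from a shunned host is dropped before further inspection.
            return "dropped-shunned"
        # The two behaviours tracked here: no return activity, closed port.
        suspicious = (not rec.returned) or rec.port_closed
        events = self.host_db[rec.src] + [(rec.ts, rec.dst, rec.dport, suspicious)]
        # Keep only the sliding window so old activity ages out.
        events = [e for e in events if e[0] >= rec.ts - self.window]
        self.host_db[rec.src] = events
        targets = {(dst, port) for _, dst, port, sus in events if sus}
        if len(targets) < self.threshold:
            return "permit"
        self.syslog.append(  # constructed message format, not an ASA syslog ID
            f"CONSTRUCTED-SCAN-ALERT: host {rec.src} hit {len(targets)} distinct "
            f"targets with no return activity or a closed port within {self.window:.0f}s")
        if self.action == "shun":
            self.shunned.add(rec.src)
            return "shunned"
        return "alerted"


def run_sample():
    """Constructed traffic: a normal client, a host sweep, then the shun in effect."""
    det = ScanningThreatDetector(window=60.0, threshold=10, action="shun")
    verdicts = []
    # A normal client reaching three servers that all answer.
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        verdicts.append(det.observe(ConnRecord(float(i), "10.1.1.20", dst, 443, True, False)))
    # One source probing port 445 on twelve consecutive addresses, none answering.
    for i in range(12):
        verdicts.append(det.observe(
            ConnRecord(10.0 + i, "198.51.100.9", f"192.0.2.{i + 1}", 445, False, False)))
    # A later, otherwise normal, connection from the now-shunned host.
    verdicts.append(det.observe(ConnRecord(30.0, "198.51.100.9", "192.0.2.50", 80, True, False)))
    return verdicts, det.syslog
```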
Firewall Mode Overview
The ASA runs in two different firewall modes:

· Routed
· Transparent
In routed mode, the ASA is considered to be a router hop in the network. In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The ASA connects to the same network on its inside and outside interfaces in a “bridge group”. You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list. Routed mode supports Integrated Routing and Bridging, so you can also configure bridge groups in routed mode, and route between bridge groups and regular interfaces. In routed mode, you can replicate transparent mode functionality; if you do not need multiple context mode or clustering, you might consider using routed mode instead.
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
Note The TCP state bypass feature allows you to customize the packet flow.
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
· Is this a new connection? If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.” The session management path is responsible for the following tasks:
· Performing the access list checks
· Performing route lookups
· Allocating NAT translations (xlates)
· Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.

Note For other IP protocols, like SCTP, the ASA does not create reverse path flows. As a result, ICMP error packets that refer to these connections are dropped.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
· Is this an established connection? If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
· IP checksum verification
· Session lookup
· TCP sequence number check
· NAT translations based on existing sessions
· Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
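A toy model of the two paths described in this overview, and of the embryonic-connection limit from Applying Connection Limits and TCP Normalization: the first packet of a session goes through a session management path (route lookup, access list check, forward and reverse flow creation), later packets go through a fast path (session lookup, sequence-number check), and a SYN that would exceed the per-server embryonic limit is handed to TCP Intercept instead of opening a flow. This is an added example, not Cisco code; interface names, security levels, routes, access rules, addresses and the limit are constructed, and the sequence check is a simplified window rather than the ASA's real one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""   # TCP flag letters, e.g. "S", "SA", "A"
    seq: int = 0


class StatefulFirewall:
    SEQ_WINDOW = 65535  # accepted forward movement of the sequence number (simplified)

    def __init__(self, levels, routes, rules, embryonic_limit):
        self.levels = levels  # interface -> security level
        self.routes = [(ipaddress.ip_network(net), ifc) for net, ifc in routes]
        self.rules = rules    # explicitly permitted (in_if, proto, dport) tuples
        self.embryonic_limit = embryonic_limit
        self.flows = {}       # 5-tuple -> shared state, keyed in both directions
        self.embryonic = {}   # server address -> half-open TCP connections

    def route_lookup(self, dst):
        # Longest-prefix match over the constructed routing table.
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def acl_permits(self, p, out_if):
        # Default policy: higher security level to lower is allowed; anything
        # else needs an explicit access rule.
        if self.levels[p.in_if] > self.levels[out_if]:
            return True
        return (p.in_if, p.proto, p.dport) in self.rules

    @staticmethod
    def fwd_key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rev_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        """Return (path, action) for one packet."""
        state = self.flows.get(self.fwd_key(p))
        if state is None:
            return self.session_management_path(p)
        return self.fast_path(p, state)

    def session_management_path(self, p):
        # First packet of a session: route lookup, access list check, flow setup.
        out_if = self.route_lookup(p.dst)
        if not self.acl_permits(p, out_if):
            return ("session-management", "deny")
        if p.proto == "tcp":
            if p.flags != "S":
                # No flow and not a SYN: this cannot start a valid session.
                return ("session-management", "deny")
            if self.embryonic.get(p.dst, 0) >= self.embryonic_limit:
                # Limit reached: the ASA would complete the handshake itself
                # (TCP Intercept) and open a flow only once the client proves real.
                return ("session-management", "tcp-intercept")
            self.embryonic[p.dst] = self.embryonic.get(p.dst, 0) + 1
        # Forward and reverse flows share one record, for UDP and ICMP as well.
        state = {"embryonic": p.proto == "tcp", "server": p.dst,
                 "seq": {self.fwd_key(p): p.seq}}
        self.flows[self.fwd_key(p)] = state
        self.flows[self.rev_key(p)] = state
        return ("session-management", "permit")

    def fast_path(self, p, state):
        if p.proto == "tcp":
            key = self.fwd_key(p)
            prev = state["seq"].get(key)
            if prev is not None and not (prev <= p.seq <= prev + self.SEQ_WINDOW):
                return ("fast-path", "drop-bad-seq")
            state["seq"][key] = p.seq
            if state["embryonic"] and "A" in p.flags and "S" not in p.flags:
                # Final ACK of the three-way handshake: no longer embryonic.
                state["embryonic"] = False
                self.embryonic[state["server"]] -= 1
        return ("fast-path", "permit")


def build_demo_firewall():
    """Constructed topology: inside (100), dmz (50), outside (0); only TCP/80
    is opened from outside; embryonic limit of 3 per server."""
    return StatefulFirewall(
        levels={"inside": 100, "dmz": 50, "outside": 0},
        routes=[("10.1.0.0/16", "inside"), ("192.0.2.0/24", "dmz"), ("0.0.0.0/0", "outside")],
        rules={("outside", "tcp", 80)},
        embryonic_limit=3)
```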
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The ASA invokes various standard protocols to accomplish these functions. The ASA performs the following functions:
· Establishes tunnels
· Negotiates tunnel parameters
· Authenticates users
· Assigns user addresses
· Encrypts and decrypts data
· Manages security keys
· Manages data transfer across the tunnel
· Manages data transfer inbound and outbound as a tunnel endpoint or router
The ASA invokes various standard protocols to accomplish these functions.
Security Context Overview
You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management; however, some features are not supported. See the feature chapters for more information. In multiple context mode, the ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.
ASA Clustering Overview
ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. You perform all configuration (aside from the bootstrap configuration) on the control unit only; the configuration is then replicated to the member units.
Special, Deprecated, and Legacy Services
For some services, documentation is located outside of the main configuration guides and online help.
Special Services Guides
Special services allow the ASA to interoperate with other Cisco products; for example, by providing a security proxy for phone services (Unified Communications), or by providing Botnet traffic filtering in conjunction with the dynamic database from the Cisco update server, or by providing WCCP services for the Cisco Web Security Appliance. Some of these special services are covered in separate guides:
· Cisco ASA Botnet Traffic Filter Guide
· Cisco ASA NetFlow Implementation Guide

· Cisco ASA Unified Communications Guide
· Cisco ASA WCCP Traffic Redirection Guide
· SNMP Version 3 Tools Implementation Guide
Deprecated Services
For deprecated features, see the configuration guide for your ASA version. Similarly, for redesigned features such as NAT between Version 8.2 and 8.3 or transparent mode interfaces between Version 8.3 and 8.4, refer to the configuration guide for your version. Although ASDM is backwards compatible with previous ASA releases, the configuration guide and online help only cover the latest release.
Legacy Services Guide
Legacy services are still supported on the ASA; however, there may be better alternative services that you can use instead. Legacy services are covered in a separate guide: Cisco ASA Legacy Feature Guide. This guide includes the following chapters:
· Configuring RIP
· AAA Rules for Network Access
· Using Protection Tools, which includes Preventing IP Spoofing (ip verify reverse-path), Configuring the Fragment Size (fragment), Blocking Unwanted Connections (shun), Configuring TCP Options (for ASDM), and Configuring IP Audit for Basic IPS Support (ip audit).
· Configuring Filtering Services

CHAPTER 2
Getting Started
This chapter describes how to get started with your ASA.
· Access the Console for the Command-Line Interface, on page 17
· Configure ASDM Access, on page 24
· Start ASDM, on page 27
· Customize ASDM Operation, on page 29
· Factory Default Configurations, on page 30
· Set the Firepower 2100 to Appliance or Platform Mode, on page 48
· Get Started with the Configuration, on page 50
· Use the Command Line Interface Tool in ASDM, on page 50
· Apply Configuration Changes to Connections, on page 52
Access the Console for the Command-Line Interface
In some cases, you may need to use the CLI to configure basic settings for ASDM access. For initial configuration, access the CLI directly from the console port. Later, you can configure remote access using Telnet or SSH according to Management Access, on page 923. If your system is already in multiple context mode, then accessing the console port places you in the system execution space.

Note For ASAv console access, see the ASAv quick start guide.

Access the ASA Hardware or ISA 3000 Console
Follow these steps to access the appliance console.
Procedure

Step 1 Connect a computer to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your ASA for more information about the console cable.

Step 2 Press the Enter key to see the following prompt:
ciscoasa>
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
Step 3 Access privileged EXEC mode:
enable
You are prompted to change the password the first time you enter the enable command.
Example:
ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: **
Repeat Password: **
ciscoasa#
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged mode, enter the disable, exit, or quit command.
Step 4 Access global configuration mode:
configure terminal
Example:
ciscoasa# configure terminal
ciscoasa(config)#
You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Access the Firepower 2100 Platform Mode Console
The Firepower 2100 console port connects you to the Firepower eXtensible Operating System (FXOS CLI). From the FXOS CLI, you can then connect to the ASA console, and back again. If you SSH to FXOS, you can also connect to the ASA CLI; a connection from SSH is not a console connection, so you can have multiple ASA connections from an FXOS SSH connection. Similarly, if you SSH to the ASA, you can connect to the FXOS CLI.
Before you begin
You can only have one console connection at a time. When you connect to the ASA console from the FXOS console, this connection is a persistent console connection, not like a Telnet or SSH connection.

Procedure

Step 1 Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system. Use the following serial settings:
· 9600 baud
· 8 data bits
· No parity
· 1 stop bit
You connect to the FXOS CLI. Enter the user credentials; by default, you can log in with the admin user and the default password, Admin123.
Step 2 Connect to the ASA:
connect asa
Example:
firepower-2100# connect asa
Attaching to Diagnostic CLI … Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

Step 3 Access privileged EXEC mode:
enable
You are prompted to change the password the first time you enter the enable command.
Example:
ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: **
Repeat Password: **
ciscoasa#
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged mode, enter the disable, exit, or quit command.
Step 4 Access global configuration mode:
configure terminal
Example:
ciscoasa# configure terminal
ciscoasa(config)#

Step 5 You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.
To return to the FXOS console, enter Ctrl+a, d.
Step 6 If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI:
connect fxos
You are prompted to authenticate for FXOS; use the default username: admin and password: Admin123. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.
Example:
ciscoasa# connect fxos
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
FXOS 2.2(2.32) kp2110
kp2110 login: admin
Password: Admin123
Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1
Successful login attempts for user 'admin' : 4
Cisco Firepower Extensible Operating System (FX-OS) Software
[…]
kp2110#
kp2110# exit
Remote card closed command session. Press any key to continue.
Connection with fxos terminated.
Type help or '?' for a list of available commands.
ciscoasa#

Access the Firepower 1000, 2100 Appliance Mode Console
The Firepower 1000, 2100 Appliance mode console port connects you to the ASA CLI (unlike the Firepower 2100 Platform mode console, which connects you to the FXOS CLI). From the ASA CLI, you can then connect to the FXOS CLI using Telnet for troubleshooting purposes.
Procedure

Step 1 Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide or Firepower 1100 hardware guide). Use the following serial settings:
· 9600 baud
· 8 data bits
· No parity
· 1 stop bit

Step 2 You connect to the ASA CLI. There are no user credentials required for console access by default.
Step 3 Access privileged EXEC mode:
enable
You are prompted to change the password the first time you enter the enable command.
Example:
ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: **
Repeat Password: **
ciscoasa#
The enable password that you set on the ASA is also the FXOS admin user password if the ASA fails to boot up, and you enter FXOS failsafe mode. All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged EXEC mode, enter the disable, exit, or quit command.
Step 4 Access global configuration mode:
configure terminal
Example:
ciscoasa# configure terminal
ciscoasa(config)#
You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.
Step 5 (Optional) Connect to the FXOS CLI:
connect fxos [admin]
· admin–Provides admin-level access. Without this option, users have read-only access. Note that no configuration commands are available even in admin mode.
You are not prompted for user credentials. The current ASA username is passed through to FXOS, and no additional login is required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x. Within FXOS, you can view user activity using the scope security/show audit-logs command.
Example:
ciscoasa# connect fxos admin
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
firepower#
firepower# exit
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa#

Access the ASA Console on the Firepower 4100/9300 Chassis
For initial configuration, access the command-line interface by connecting to the Firepower 4100/9300 chassis supervisor (either to the console port or remotely using Telnet or SSH) and then connecting to the ASA security module.
Procedure

Step 1 Connect to the Firepower 4100/9300 chassis supervisor CLI (console or SSH), and then session to the ASA:
connect module slot {console | telnet}
The benefit of using a Telnet connection is that you can have multiple sessions to the module at the same time, and the connection speed is faster.
The first time you access the module, you access the FXOS module CLI. You must then connect to the ASA application:
connect asa
Example:
Firepower# connect module 1 console
Firepower-module1> connect asa
asa>

Step 2 Access privileged EXEC mode, which is the highest privilege level:
enable
You are prompted to change the password the first time you enter the enable command.
Example:
asa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: **
Repeat Password: **
asa#
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged mode, enter the disable, exit, or quit command.
Step 3 Enter global configuration mode:
configure terminal

Example:
asa# configure terminal
asa(config)#
To exit global configuration mode, enter the disable, exit, or quit command.
Step 4 Exit the application console to the FXOS module CLI by entering Ctrl-a, d.
You might want to use the FXOS module CLI for troubleshooting purposes.
Step 5 Return to the supervisor level of the FXOS CLI.
Exit the console:
a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit
Exit the Telnet session:
a) Enter Ctrl-], .

Access the Software Module Console
If you have a software module installed, such as the ASA FirePOWER module on the ASA 5506-X, you can session to the module console.
Note You cannot access the hardware module CLI over the ASA backplane using the session command.
Procedure
From the ASA CLI, session to the module:
session {sfr | cxsc | ips} console
Example:
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123

Access the ASA 5506W-X Wireless Access Point Console
To access the wireless access point console, perform the following steps.
Procedure

Step 1 From the ASA CLI, session to the access point:
session wlan console
Example:
ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is 'CTRL-^X'
ap>
Step 2 See the Cisco IOS Configuration Guide for Autonomous Aironet Access Points for information about the access point CLI.

Configure ASDM Access
This section describes how to access ASDM with a default configuration and how to configure access if you do not have a default configuration.
Use the Factory Default Configuration for ASDM Access
With a factory default configuration, ASDM connectivity is pre-configured with default network settings.
Procedure
Connect to ASDM using the following interface and network settings:
· The management interface depends on your model:
· Firepower 1010–Management 1/1 (192.168.45.1), or inside Ethernet 1/2 through 1/8 (192.168.1.1). Management hosts are limited to the 192.168.45.0/24 network, and inside hosts are limited to the 192.168.1.0/24 network.
· Firepower 1100, 2100 in Appliance Mode–Inside Ethernet 1/2 (192.168.1.1), or Management 1/1 (from DHCP). Inside hosts are limited to the 192.168.1.0/24 network. Management hosts are allowed from any network.
· Firepower 2100 in Platform Mode–Management 1/1 (192.168.45.1). Management hosts are limited to the 192.168.45.0/24 network.

· Firepower 4100/9300–The Management type interface and IP address of your choice defined when you deployed. Management hosts are allowed from any network.
· ASA 5506-X, ASA 5506W-X–Inside GigabitEthernet 1/2 through 1/8, and wifi GigabitEthernet 1/9 (192.168.10.1). Inside hosts are limited to the 192.168.1.0/24 network, and wifi hosts are limited to 192.168.10.0/24.
· ASA 5508-X, and ASA 5516-X–Inside GigabitEthernet 1/2 (192.168.1.1). Inside hosts are limited to the 192.168.1.0/24 network.
· ASA 5525-X and higher–Management 0/0 (192.168.1.1). Management hosts are limited to the 192.168.1.0/24 network.
· ASAv–Management 0/0 (set during deployment). Management hosts are limited to the management network.
· ISA 3000–Management 1/1 (192.168.1.1). Management hosts are limited to the 192.168.1.0/24 network.
Note If you change to multiple context mode, you can access ASDM from the admin context using the network settings above.
Related Topics
Factory Default Configurations, on page 30
Enable or Disable Multiple Context Mode, on page 247
Start ASDM, on page 27
Customize ASDM Access
Use this procedure if one or more of the following conditions applies:
· You do not have a factory default configuration
· You want to change to transparent firewall mode
· You want to change to multiple context mode
For routed, single mode, for quick and easy ASDM access, we recommend applying the factory default configuration with the option to set your own management IP address. Use the procedure in this section only if you have special needs such as setting transparent or multiple context mode, or if you have other configuration that you need to preserve.

Note For the ASAv, you can configure transparent mode when you deploy, so this procedure is primarily useful after you deploy if you need to clear your configuration, for example.
Procedure
Step 1 Access the CLI at the console port.

Step 2 (Optional) Enable transparent firewall mode. This command clears your configuration:
firewall transparent
Step 3 Configure the management interface:
interface interface_id
nameif name
security-level level
no shutdown
ip address ip_address mask
Example:
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
The security-level is a number between 1 and 100, where 100 is the most secure.
Step 4 (For directly-connected management hosts) Set the DHCP pool for the management network:
dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name
Example:
ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management
Make sure you do not include the interface address in the range.
Step 5 (For remote management hosts) Configure a route to the management hosts:
route management_ifc management_host_ip mask gateway_ip 1
Example:
ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1

Step 6 Enable the HTTP server for ASDM:
http server enable
Step 7 Allow the management host(s) to access ASDM:
http ip_address mask interface_name
Example:
ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

Step 8 Save the configuration:
write memory
Step 9 (Optional) Set the mode to multiple mode:
mode multiple
When prompted, confirm that you want to convert the existing configuration to be the admin context. You are then prompted to reload the ASA.

Examples
The following configuration converts the firewall mode to transparent mode, configures the Management 0/0 interface, and enables ASDM for a management host:
firewall transparent
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
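As an added illustration (not code from the Cisco guide), the following Python script parses a fragment like the one above and reports the pitfalls this procedure calls out: an interface block missing one of its four commands, a DHCP pool that includes the interface address or lies outside its subnet, and an http rule that admits any source. Both sample fragments are constructed; the first reproduces the guide's example, the second the mistakes.

```python
# Added example, not from the Cisco guide: lint an ASA management-access fragment
# for the pitfalls the "Customize ASDM Access" procedure calls out.
import ipaddress
import re
from typing import List, Optional
# Constructed sample: the guide's transparent-mode example, one command per line.
GOOD_CONFIG = """
firewall transparent
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management
"""

# Constructed sample with three mistakes: interface left shut down, DHCP pool
# that includes the interface address, and http access open to any source.
BAD_CONFIG = """
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
dhcpd address 192.168.1.1-192.168.1.254 management
http server enable
http 0.0.0.0 0.0.0.0 management
"""

def parse_asa_fragment(config: str) -> dict:
    """Extract interface blocks, DHCP pools and http access rules."""
    interfaces: List[dict] = []
    cur: Optional[dict] = None  # interface block currently being read
    dhcp_pools: List[dict] = []
    http_rules: List[dict] = []
    http_server = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur = {"id": line[len("interface "):], "nameif": None, "level": None,
                   "addr": None, "no_shutdown": False}
            interfaces.append(cur)
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cur["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif cur is not None and line == "no shutdown":
            cur["no_shutdown"] = True
        else:
            cur = None  # any other command ends the interface block
            if line == "http server enable":
                http_server = True
            elif m := re.fullmatch(r"dhcpd address (\S+)-(\S+) (\S+)", line):
                dhcp_pools.append({"start": ipaddress.ip_address(m[1]),
                                   "end": ipaddress.ip_address(m[2]), "nameif": m[3]})
            elif m := re.fullmatch(r"http (\S+) (\S+) (\S+)", line):
                net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                http_rules.append({"network": net, "nameif": m[3]})
    return {"interfaces": interfaces, "dhcp_pools": dhcp_pools,
            "http_rules": http_rules, "http_server": http_server}

def lint_management_access(config: str) -> List[str]:
    """Return one message per problem found; an empty list means clean."""
    parsed = parse_asa_fragment(config)
    findings: List[str] = []
    by_name = {i["nameif"]: i for i in parsed["interfaces"] if i["nameif"]}
    # The procedure's interface block: nameif, security-level, ip address, no shutdown.
    for iface in parsed["interfaces"]:
        for key, cmd in (("nameif", "nameif"), ("level", "security-level"),
                         ("addr", "ip address")):
            if iface[key] is None:
                findings.append(f"interface {iface['id']}: missing '{cmd}'")
        if not iface["no_shutdown"]:
            findings.append(f"interface {iface['id']}: missing 'no shutdown'")
    # The DHCP pool must lie inside the interface subnet and exclude the interface address.
    for pool in parsed["dhcp_pools"]:
        iface = by_name.get(pool["nameif"])
        if iface is None or iface["addr"] is None:
            continue  # pool names an interface that has no address to check against
        subnet = iface["addr"].network
        if pool["start"] not in subnet or pool["end"] not in subnet:
            findings.append(f"dhcpd pool on {pool['nameif']}: not within {subnet}")
        if pool["start"] <= iface["addr"].ip <= pool["end"]:
            findings.append(f"dhcpd pool on {pool['nameif']}: includes interface address {iface['addr'].ip}")
    # ASDM needs the HTTP server plus an http rule scoped to the management hosts.
    if not parsed["http_server"]:
        findings.append("missing 'http server enable'")
    for rule in parsed["http_rules"]:
        if rule["network"].prefixlen == 0:
            findings.append(f"http rule on {rule['nameif']}: permits any source address")
    return findings
```

Running lint_management_access on GOOD_CONFIG returns an empty list; on BAD_CONFIG it returns three findings, one per mistake.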
Related Topics
Restore the Factory Default Configuration, on page 32
Set the Firewall Mode (Single Mode), on page 211
Access the ASA Hardware or ISA 3000 Console, on page 17
Start ASDM, on page 27
Start ASDM
You can start ASDM using two methods:
· ASDM-IDM Launcher–The Launcher is an application downloaded from the ASA using a web browser that you can use to connect to any ASA IP address. You do not need to re-download the launcher if you want to connect to other ASAs.
· Java Web Start–For each ASA that you manage, you need to connect with a web browser and then save or launch the Java Web Start application. You can optionally save the shortcut to your computer; however you need separate shortcuts for each ASA IP address.

Note If you use web start, clear the Java cache or you might lose changes to some pre-login policies such as Hostscan. This problem does not occur if you use the launcher.
Within ASDM, you can choose a different ASA IP address to manage; the difference between the Launcher and Java Web Start functionality rests primarily in how you initially connect to the ASA and launch ASDM. This section describes how to connect to ASDM initially, and then launch ASDM using the Launcher or the Java Web Start. ASDM stores files in the local Users.asdm directory, including cache, log, and preferences, and also in the Temp directory, including AnyConnect Client profiles.
Procedure

Step 1 On the computer that you specified as the ASDM client, enter the following URL:
https://asa_ip_address/admin
Note Be sure to specify https://, and not http:// or just the IP address (which defaults to HTTP); the ASA does not automatically forward an HTTP request to HTTPS.
The ASDM launch page appears with the following buttons:
· Install ASDM Launcher and Run ASDM
· Run ASDM
· Run Startup Wizard
Step 2 To download the Launcher:
a) Click Install ASDM Launcher and Run ASDM.
b) Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 609. Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.
c) Save the installer to your computer, and then start the installer. The ASDM-IDM Launcher opens automatically after installation is complete.
d) Enter the management IP address, the same username and password (blank for a new installation), and then click OK.
Step 3 To use Java Web Start:
a) Click Run ASDM or Run Startup Wizard.
b) Save the shortcut to your computer when prompted. You can optionally open it instead of saving it.
c) Start Java Web Start from the shortcut.

d) Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
e) Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. When you enter the enable command at the CLI for the first time, you are prompted to change the password; this behavior is not enforced when you log into ASDM. We suggest that you change the enable password as soon as possible so that it does not remain blank; see Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 609. Note: If you enabled HTTPS authentication, enter your username and associated password. Even without authentication, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Customize ASDM Operation
You can install an identity certificate to successfully launch ASDM as well as increase the ASDM heap memory so it can handle larger configurations.
Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate. See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java: http://www.cisco.com/go/asdm-certificate
Increase the ASDM Configuration Memory
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog box shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
Increase the ASDM Configuration Memory in Windows
To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Procedure

Step 1 Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM.
Step 2 Edit the run.bat file with any text editor.
Step 3 In the line that starts with “start javaw.exe”, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

Step 4 Save the run.bat file.

Increase the ASDM Configuration Memory in Mac OS
To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Procedure

Step 1 Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
Step 2 In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
Step 3 Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

Step 4 If this file is locked, you see an error such as the following:
Step 5 Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.

Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new ASAs.

· ASA 5506-X–The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using ASDM from the inside interfaces, which are placed in a bridge group using Integrated Routing and Bridging.
· ASA 5508-X and 5516-X–The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using ASDM from the inside interface.
· ASA 5525-X through ASA 5555-X–The factory default configuration configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration.
· Firepower 1010–The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using ASDM from either the management interface or the inside switch ports.
· Firepower 1100–The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using ASDM from either the management interface or the inside interface.
· Firepower 2100–Platform mode (the default): The factory default configuration enables a functional inside/outside configuration. You can manage the ASA using the Firepower Chassis Manager and ASDM from the management interface.
Appliance mode–If you change to appliance mode, the factory default configuration enables a functional inside/outside configuration. You can manage the ASA using ASDM from either the management interface or the inside interface.
· Firepower 4100/9300 chassis–When you deploy the standalone or cluster of ASAs, the factory default configuration configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration.
· ASAv–Depending on your hypervisor, as part of deployment, the deployment configuration (the initial virtual deployment settings) configures an interface for management so that you can connect to it using ASDM, with which you can then complete your configuration. You can also configure failover IP addresses. You can also apply a “factory default” configuration if desired.
· ISA 3000–The factory default configuration is an almost-complete transparent firewall mode configuration with all inside and outside interfaces on the same network; you can connect to the management interface with ASDM to set the IP address of your network. Hardware bypass is enabled for two interface pairs, and all traffic is sent to the ASA FirePOWER module in Inline Tap Monitor-Only Mode. This mode sends a duplicate stream of traffic to the ASA FirePOWER module for monitoring purposes only.
For appliances, the factory default configuration is available only for routed firewall mode and single context mode, except for the ISA 3000, where the factory default configuration is only available in transparent mode. For the ASAv and the Firepower 4100/9300 chassis, you can choose transparent or routed mode at deployment.
Note In addition to the image files and the (hidden) default configuration, the following folders and files are standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not match the date of the image files in flash memory. These files aid in potential troubleshooting; they do not indicate that a failure has occurred.

Restore the Factory Default Configuration
This section describes how to restore the factory default configuration. Both CLI and ASDM procedures are provided. For the ASAv, this procedure erases the deployment configuration and applies the same factory default configuration as for the ASA 5525-X.

Note On the Firepower 4100/9300, restoring the factory default configuration simply erases the configuration; to restore the default configuration, you must re-deploy the ASA from the supervisor.
Before you begin
This feature is available only in routed firewall mode, except for the ISA 3000, where this command is only supported in transparent mode. In addition, this feature is available only in single context mode; an ASA with a cleared configuration does not have any defined contexts to configure automatically using this feature.
Procedure

Step 1

Restore the factory default configuration:
configure factory-default [ip_address [mask]]
Example:

ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0

Note

This command does not clear the currently-set mode, Appliance or Platform, for the Firepower

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address. See the following model guidelines for which interface is set by the ip_address option:
· Firepower 1010–Sets the management interface IP address.
· Firepower 1100–Sets the inside interface IP address.
· Firepower 2100 in Appliance mode–Sets the inside interface IP address.
· Firepower 2100 in Platform mode–Sets the management interface IP address.
· Firepower 4100/9300–No effect.
· ASAv–Sets the management interface IP address.
· ASA 5506-X–Sets the inside interface IP address.
· ASA 5508-X and 5516-X–Sets the inside interface IP address.
· ASA 5525-X, 5545-X, 5555-X–Sets the management interface IP address.
· ISA 3000–Sets the management interface IP address.

The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of all available addresses higher than the IP address you specify. For example, if you specify 10.5.6.78 with a subnet mask of 255.255.255.0, then the DHCP address range will be 10.5.6.79-10.5.6.254.
For the Firepower 1000, and the Firepower 2100 in Appliance mode: This command clears the boot system command, if present, along with the rest of the configuration. This configuration change does not affect the image at bootup: the currently-loaded image continues to be used.
For the Firepower 2100 in Platform mode: This model does not use the boot system command; packages are managed by FXOS.
For all other models: This command clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image. The next time you reload the ASA after restoring the factory configuration, it boots from the first image in internal flash memory; if you do not have an image in internal flash memory, the ASA does not boot.
Example:
docs-bxb-asa3(config)# configure factory-default 10.86.203.151 255.255.254.0
Based on the management IP address and mask, the DHCP address pool size is reduced to 103 from the platform limit 256
WARNING: The boot system configuration will be cleared. The first image found in disk0:/ will be used to boot the system on the next reload. Verify there is a valid image on disk0:/ or the system will not boot.
Begin to apply factory-default configuration:
Clear all configuration
WARNING: The new maximum-session limit will take effect after the running-config is saved and the system boots next time.
Command accepted
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 10.86.203.151 255.255.254.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.86.202.0 255.255.254.0 management
Executing command: dhcpd address 10.86.203.152-10.86.203.254 management
Executing command: dhcpd enable management
Executing command: loggi
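As an added example that is not part of the Cisco guide, the following Python check applies the rule above to predict the http and dhcpd statements that configure factory-default derives from the address and mask you pass, so you can confirm the ASDM/DHCP reachability you will get before clearing the configuration. The interface name and the 256-address platform limit are taken from the sample output; the function name and the choice to only flag, not truncate, a pool larger than that limit are assumptions of this example.

```python
import ipaddress

# Platform DHCP pool limit quoted in the guide's sample output (assumed constant).
PLATFORM_DHCP_LIMIT = 256


def factory_default_plan(ip_address: str, mask: str, ifname: str = "management",
                         limit: int = PLATFORM_DHCP_LIMIT) -> dict:
    """Predict the http/dhcpd statements derived from ip_address and mask.

    Rule from the guide: the http statement uses the subnet you specify, and the
    dhcpd range is every usable address above the address you specify. Which
    interface (inside or management) receives the address depends on the model.
    """
    iface = ipaddress.IPv4Interface(f"{ip_address}/{mask}")
    net = iface.network
    # A /31 or /32, or the network/broadcast address, cannot host the interface.
    if net.prefixlen >= 31 or iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("address must be a usable host address in the subnet")

    first_pool = iface.ip + 1                 # first address above the interface
    last_pool = net.broadcast_address - 1     # last usable host in the subnet
    pool_size = int(last_pool) - int(first_pool) + 1

    plan = {
        "interface": f"ip address {iface.ip} {net.netmask}",
        "http": f"http {net.network_address} {net.netmask} {ifname}",
        # No pool at all if you chose the last usable host: no DHCP for ASDM clients.
        "dhcpd": (f"dhcpd address {first_pool}-{last_pool} {ifname}"
                  if pool_size > 0 else None),
        "pool_size": max(pool_size, 0),
        # The ASA reports a pool reduced to the platform limit; flag when the
        # raw range would exceed it (the exact truncation rule is not on the page).
        "exceeds_platform_limit": pool_size > limit,
    }
    return plan


if __name__ == "__main__":
    for ip, mask in (("10.5.6.78", "255.255.255.0"),
                     ("10.86.203.151", "255.255.254.0")):
        for line in factory_default_plan(ip, mask).items():
            print(*line)
```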
