Cisco Adaptive Security Appliance (ASA) Initial Setup

A new Cisco Adaptive Security Appliance (ASA) automatically enters initial setup when it boots for the first time or if you erase the configuration. If your ASA does not enter setup mode, you can set up from Privileged EXEC mode. The following code shows the basic setup process, with responses you need to add in bold. Within just a few minutes, you can have your ASA up and running.

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: 
Enable password [<use current password>]: enable
Allow password recovery [yes]?
Clock (UTC):
  Year [2011]:
  Month [Apr]:
  Day [16]:
  Time [13:16:14]:
Inside IP address: 192.168.1.12
Inside network mask: 255.255.255.0
Host name: ASAFirewall1
Domain name: edtetz.net
IP address of host running Device Manager: 192.168.1.123
The following configuration will be used:
Enable password: enable
Allow password recovery: yes
Clock (UTC): 13:16:14 Apr 16 2011
Firewall Mode: Routed
Inside IP address: 192.168.1.12
Inside network mask: 255.255.255.0
Host name: ASAFirewall1
Domain name: edtetz.net
IP address of host running Device Manager: 192.168.1.123
Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
WARNING: http server is not yet enabled to allow ASDM access.
Cryptochecksum: 23d86fb3 f78f728a cd7f48cd 9faf22c0
1417 bytes copied in 2.40 secs (708 bytes/sec)
Type help or '?' for a list of available commands.

Notice how little information you need to enter to get basic management access to your ASA over the network (well, almost). The setup process has set up the internal IP address and configured an Access Control List (ACL) entry to allow only the IP address of the computer that ran the setup to manage the ASA from one host on your network, but it has not actually enabled access.

The message in setup actually tells you that the HTTP server has not been enabled. So prior to closing out this connection, you want to enable the HTTP server using the following commands:

ASAFirewall1> enable
Password: ******
ASAFirewall1# configure terminal
ASAFirewall1(config)# http server enable
ASAFirewall1(config)# copy running-config startup-config
Source filename [running-config]?
Cryptochecksum: 6431b60b a26d0b05 941fa189 e3edf475
1913 bytes copied in 1.740 secs (1913 bytes/sec)
ASAFirewall1(config)# end

From this point, you can connect your ASA to a switch and manage it from a device with the IP address you specified in the initial set up of the device.

The ASA 5505 places all switch ports into VLAN 1 (your Inside VLAN) by default, whereas the large ASA devices have a dedicated management interface or port. The management function can be configured to operate over the other interfaces on the ASA. After you have the management interface up for the Cisco Adaptive Security Device Manager (ASDM), you can run the Startup Wizard through the ASDM (even if you already set up the ASA on the command line).

The benefit to running the Startup Wizard is that you can go to the computer you identified as your management computer and point your web browser to the interface address of your ASA. (Note: You need to have Java installed on this computer.) Unless you install a valid certificate that matches the name of the ASA, you are presented with a certificate error.

image0.jpg
blog comments powered by Disqus
Advertisement

Inside Dummies.com

Dummies.com Sweepstakes

Win $500. Easy.