Basic Settings

This chapter describes how to configure basic settings on the ASA that are typically required for a functioning configuration.

Set the Hostname, Domain Name, and the Enable and Telnet Passwords

To set the hostname, domain name, and the enable and Telnet passwords, perform the following steps.

Before you begin

Before you set the hostname, domain name, and the enable and Telnet passwords, check the following requirements:

  • In multiple context mode, you can configure the hostname and domain name in both the system and context execution spaces.

  • For the enable and Telnet passwords, set them in each context; they are not available in the system. When you session to the ASASM from the switch in multiple context mode, the ASASM uses the login password you set in the admin context.

  • To change from the system to a context configuration, in the Configuration > Device List pane, double-click the context name under the active device IP address.

Procedure

Step 1

Choose Configuration > Device Setup > Device Name/Password.

Step 2

Enter the hostname. The default hostname is “ciscoasa.”

The hostname appears in the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in syslog messages.

For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line; it can be used for a banner.

Step 3

Enter the domain name. The default domain name is default.domain.invalid.

The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.example.com.”

Step 4

Change the privileged mode (enable) password. The default password is blank.

The enable password lets you enter privileged EXEC mode if you do not configure enable authentication. The enable password also lets you log into ASDM with a blank username if you do not configure HTTP authentication.

  1. Check the Change the privileged mode password check box.

  2. Enter the old password (the default password is blank), new password, and then confirm the new password. Set a case-sensitive password of up to 32 characters long. It can be any combination of ASCII printable characters (character codes 32-126), with the exception of spaces and the question mark.

Step 5

Set the login password for Telnet access. There is no default password.

The login password is used for Telnet access when you do not configure Telnet authentication. You also use this password when accessing the ASASM from the switch with the session command.

  1. Check the Change the password to access the console of the security appliance check box.

  2. Enter the old password (for a new ASA, leave this field blank), new password, then confirm the new password. The password can be up to 16 characters long. It can be any combination of ASCII printable characters (character codes 32-126), with the exception of spaces and the question mark.

Step 6

Click Apply to save your changes.

Set the Date and Time


Note

Do not set the date and time for the ASASM or the Firepower 2100, 4100, or 9300; the ASA receives these settings from the chassis.

Set the Date and Time Using an NTP Server

NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. You can configure multiple NTP servers. The ASA chooses the server with the lowest stratum—a measure of how reliable the data is.

Time derived from an NTP server overrides any time set manually.

Before you begin

In multiple context mode, you can set the time in the system configuration only.

Procedure

Step 1

Choose Configuration > Device Setup > System Time > NTP.

Step 2

Click Add to display the Add NTP Server Configuration dialog box.

Step 3

Enter the NTP server IPv4 IP Address.

You cannot enter a hostname for the server; the ASA does not support DNS lookup for the NTP server.
Step 4

(Optional) Check the Preferred check box to set this server as a preferred server.

NTP uses an algorithm to determine which server is the most accurate and synchronizes to it. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the ASA uses the more accurate one.

Step 5

(Optional) Choose the Interface from the drop-down list.

This setting specifies the outgoing interface for NTP packets. If the interface is blank, then the ASA uses the default admin context interface according to the management routing table.

Step 6

(Optional) Configure NTP authentication.

  1. Enter a Key Number between 1 and 4294967295, or choose an existing key number from the drop-down list if you previously created a key for another NTP server that you want to reuse.

    This setting specifies the key ID for this authentication key, which enables you to use MD5 authentication to communicate with the NTP server. The NTP server packets must also use this key ID.

  2. Check the Trusted check box.

  3. Enter the Key Value, which is a string up to 32 characters long, and then re-enter the key value.

  4. Click OK.

Step 7

Check the Enable NTP authentication check box to turn on NTP authentication.

Step 8

Click Apply to save your changes.

Set the Date and Time Manually

To set the date and time manually, perform the following steps:

Before you begin

In multiple context mode, you can set the time in the system configuration only.

Procedure

Step 1

Choose Configuration > Device Setup > System Time > Clock.

Step 2

Choose the time zone from the drop-down list. This setting specifies the time zone as GMT plus or minus the appropriate number of hours. If you select the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, then the time adjusts automatically for daylight savings time, from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.

Note 

Changing the time zone on the ASA may drop the connection to intelligent SSMs.

Step 3

Click the Date drop-down list to display a calendar. Then find the correct date using the following methods:

  • Click the name of the month to display a list of months, then click the desired month. The calendar updates to that month.

  • Click the year to change the year. Use the up and down arrows to scroll through the years, or enter a year in the entry field.

  • Click the arrows to the right and left of the month and year to scroll the calendar forward and backward one month at a time.

  • Click a day on the calendar to set the date.

Step 4

Enter the time manually in hours, minutes, and seconds.

Step 5

Click Update Display Time to update the time shown in the bottom right corner of the ASDM pane. The current time updates automatically every ten seconds.

Configure the Master Passphrase

The master passphrase allows you to securely store plain text passwords in encrypted format and provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Features that use the master passphrase include the following:

  • OSPF

  • EIGRP

  • VPN load balancing

  • VPN (remote access and site-to-site)

  • Failover

  • AAA servers

  • Logging

  • Shared licenses

Add or Change the Master Passphrase

To add or change the master passphrase, perform the following steps.

Before you begin

  • This procedure will only be accepted in a secure session, for example by console, SSH, or ASDM via HTTPS.

  • If failover is enabled but no failover shared key is set, an error message appears if you change the master passphrase, informing you that you must enter a failover shared key to protect the master passphrase changes from being sent as plain text.

    Choose Configuration > Device Management > High Availability > Failover, enter any character in the Shared Key field or 32 hexadecimal numbers (0-9A-Fa-f) if a failover hexadecimal key is selected, except a backspace. Then click Apply.

  • Enabling or changing password encryption in Active/Standby failover causes a write standby , which replicates the active configuration to the standby unit. Without this replication, the encrypted passwords on the standby unit will differ even though they use the same passphrase; configuration replication ensures that the configurations are the same. For Active/Active failover, you must manually enter write standby . A write standby can cause traffic interruption in Active/Active mode, because the configuration is cleared on the secondary unit before the new configuration is synced. You should make all contexts active on the primary ASA using the failover active group 1 and failover active group 2 commands, enter write standby , and then restore the group 2 contexts to the secondary unit using the no failover active group 2 command.

Procedure

Step 1

Choose one of the following options:

  • In single context mode, choose Configuration > Device Management > Advanced > Master Passphrase.

  • In multiple context mode, choose Configuration > Device Management > Device Administration > Master Passphrase.

Step 2

Check the Advanced Encryption Standard (AES) password encryption check box.

If no master passphrase is in effect, a warning message appears when you click Apply. You can click OK or Cancel to continue.

If you later disable password encryption, all existing encrypted passwords are left unchanged, and as long as the master passphrase exists, the encrypted passwords will be decrypted, as required by the application.

Step 3

Check the Change the encryption master passphrase check box to enable you to enter and confirm your new master passphrases. By default, they are disabled.

Your new master passphrase must be between 8 and 128 characters long.

If you are changing an existing passphrase, you must enter the old passphrase before you can enter a new one.

Leave the New and Confirm master passphrase fields blank to delete the master passphrase.

Step 4

Click Apply.

Disable the Master Passphrase

Disabling the master passphrase reverts encrypted passwords into plain text passwords. Removing the passphrase might be useful if you downgrade to a previous software version that does not support encrypted passwords.

Before you begin

  • You must know the current master passphrase to disable it.

  • This procedure works only in a secure session; that is, by Telnet, SSH, or ASDM via HTTPS.

    To disable the master passphrase, perform the following steps:

Procedure

Step 1

Choose one of the following options:

  • In single context mode, choose Configuration > Device Management > Advanced > Master Passphrase.

  • In multiple context mode, choose Configuration > Device Management > Device Administration > Master Passphrase.

Step 2

Check the Advanced Encryption Standard (AES) password encryption check box.

If no master passphrase is in effect, a warning statement appears when you click Apply. Click OK or Cancel to continue.

Step 3

Check the Change the encryption master passphrase check box.

Step 4

Enter the old master passphrase in the Old master passphrase field. You must provide the old master passphrase to disable it.

Step 5

Leave the New master passphrase and the Confirm master passphrase fields empty.

Step 6

Click Apply.

Configure the DNS Server

You need to configure DNS servers so that the ASA can resolve host names to IP addresses. You also must configure DNS servers to use fully qualified domain names (FQDN) network objects in access rules.

Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names.


Note

The ASA has limited support for using the DNS server, depending on the feature.

Before you begin

Make sure that you configure the appropriate routing and access rules for any interface on which you enable DNS domain lookup so you can reach the DNS server.

Procedure

Step 1

Choose Configuration > Device Management > DNS > DNS Client.

Step 2

Choose one of the following options in the DNS Setup area:

  • Configure one DNS server group—This option defines the servers in the DefaultDNS group.
  • Configure multiple DNS server groups—With this option, you should still configure the DefaultDNS group, which is the only one used for FQDN network object name resolution. Keep DefaultDNS as the active group. But you can also create additional groups for use in remote access SSL VPN group policies. Even if you configure the DefaultDNS group only, you must select this option if you want to alter the timeout and other characteristics used with the group.
Step 3

If you select Configure one DNS server group, configure the servers in the DefaultDNS group.

  1. In Primary DNS Server, enter the IP address of the DNS server that should be used whenever it is available.

  2. Click Add to add secondary DNS servers.

    You can add up to six DNS servers. The ASA tries each DNS server in order until it receives a response. Use the Move Up/Move Down buttons to put the servers in priority order.

  3. Enter a DNS domain name appended to the hostname if it is not fully-qualified.

Step 4

If you select Configure multiple DNS server groups, define the server group properties.

  1. Click Add to create a new group, or select a group and click Edit.

    The DefaultDNS group is always listed.

  2. Configure the group properties.

    • Server IP Address to Add, —Enter the IP address of a DNS server and click Add>>.

      You can add up to six DNS servers. The ASA tries each DNS server in order until it receives a response. Use the Move Up/Move Down buttons to put the servers in priority order.

    • Timeout—The number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the ASA retries the list of servers, this timeout doubles.

    • Retries—The number of times, from 0 to 10, to retry the list of DNS servers when the ASA does not receive a response.

    • Expire Entry Timer (DefaultDNS or active group only)—The number of minutes after a DNS entry expires (that is, the TTL has passed) that the entry is removed from the DNS lookup table. Removing an entry requires that the table be recompiled, so frequent removals can increase the processing load on the device. Because some DNS entries can have very short TTL (as short as three seconds), you can use this setting to virtually extend the TTL. The default is 1 minute (that is, the entry is removed one minute after the TTL has passed). The range is 1 to 65535 minutes. This option is used when resolving FQDN network objects only.

    • Poll Timer (DefaultDNS or active group only)—The time, in minutes, of the polling cycle used to resolve FQDN network/host objects to IP addresses. FQDN objects are resolved only if they are used in a firewall policy. The timer determines the maximum time between resolutions; the DNS entry's time-to-live (TTL) value is also used to determine when to update to IP address resolution, so individual FQDNs might be resolved more frequently than the polling cycle. The default is 240 (four hours). The range is 1 to 65535 minutes.

    • Domain Name—The domain name appended to the hostname if it is not fully-qualified.

  3. Click OK.

  4. If you have multiple groups, you can change the one used for DNS requests by selecting it and clicking Set Active.

Step 5

Ensure that at DNS lookup is enabled on at least one interface. In the DNS Lookup interface list, below the DNS server group table, click in the DNS Enabled column and select True to enable lookup on the interface.

Step 6

(Optional) Check the Enable DNS Guard on all interfaces check box to enforce one DNS response per query.

You can also set DNS Guard when configuring DNS inspection. For a given interface, the DNS Guard setting configured in DNS inspection takes precedence over this global setting. By default, DNS inspection is enabled on all interfaces with DNS Guard enabled.

Step 7

Click Apply to save your changes.

Configure the Hardware Bypass (Cisco ISA 3000)

You can enable the hardware bypass so that traffic continues to flow between an interface pair during a power outage. Supported interface pairs are copper GigabitEthernet 1/1 & 1/2; and GigabitEthernet 1/3 & 1/4. When the hardware bypass is active, no firewall functions are in place, so make sure you understand the risks of allowing traffic through. See the following hardware bypass guidelines:

  • This feature is only available on the Cisco ISA 3000 appliance.

  • If you have a fiber Ethernet model, only the copper Ethernet pair (GigabitEthernet 1/1 & 1/2) supports hardware bypass.

  • When the ISA 3000 loses power and goes into hardware bypass mode, only the supported interface pairs can communicate; when using the default configuration, inside1 <---> inside2, and outside1 <---> outside2 can no longer communicate. Any existing connections between these interfaces will be lost.

  • We suggest that you disable TCP sequence randomization (as described in this procedure). If randomization is enabled (the default), then when the hardware bypass is activated, TCP sessions will need to be re-established. By default, the ISA 3000 rewrites the initial sequence number (ISN) of TCP connections passing through it to a random number. When the hardware bypass is activated, the ISA 3000 is no longer in the data path and does not translate the sequence numbers; the receiving client receives an unexpected sequence number and drops the connection. Even with TCP sequence randomization disabled, some TCP connections will have to be re-established because of the link that is temporarily down during the switchover.

  • Cisco TrustSec connections on hardware bypass interfaces are dropped when hardware bypass is activated. When the ISA 3000 powers on and hardware bypass is deactivated, the connections are renegotiated.

  • When the hardware bypass is deactivated, and traffic resumes going through the ISA 3000 data path, some existing TCP sessions need to be re-established because of the link that is temporarily down during the switchover.

  • When hardware bypass is active, the Ethernet PHYs are disconnected, so the ASA is unable to determine the interface status. Interfaces may appear to be in a down state.

Before you begin

  • You must attach the hardware bypass interfaces to access ports on the switch. Do not attach them to trunk ports.

Procedure

Step 1

To configure hardware bypass, choose Configuration > Device Management > Hardware Bypass.

Step 2

Configure the hardware bypass to activate for each interface pair by checking the Enable Bypass during Power Down check box.

Step 3

(Optional) Configure each interface pair to remain in hardware bypass mode after the power comes back and the appliance boots up by checking the Enable Bypass after Power Up check box.

When the hardware bypass is deactivated, there is a brief connection interruption as the ASA takes over the flows. In this case, you need to manually turn off the hardware bypass when you are ready; this option lets you control when the brief interruption occurs.

Step 4

For an interface pair, manually activate or deactivate the hardware bypass by checking the Bypass Immediately check box.

Step 5

Click Apply.

Step 6

Disable TCP randomization. This example shows how to disable randomization for all traffic by adding the setting to the default configuration.

  1. Choose Configuration > Firewall > Service Policy.

  2. Select the sfrclass rule, and click Edit.

  3. Click Rule Actions, and then click Connection Settings.

  4. Uncheck the Randomize Sequence Number check box.

  5. Click OK, and then Apply.

Step 7

Click Save.

The behavior of hardware bypass after the system comes online is determined by the configuration setting in the startup configuration, so you must save your running configuration.

Adjust ASP (Accelerated Security Path) Performance and Behavior

The ASP is an implementation layer that puts your policies and configurations into action. It is not of direct interest except during troubleshooting with the Cisco Technical Assistance Center. However, there are a few behaviors related to performance and reliability that you can adjust.

Choose a Rule Engine Transactional Commit Model

By default, when you change a rule-based policy (such as access rules), the changes become effective immediately. However, this immediacy comes with a slight cost in performance. The performance cost is more noticeable for very large rule lists in a high connections-per-second environment, for example, when you change a policy with 25,000 rules while the ASA is handling 18,000 connections per second.

The performance is affected because the rule engine compiles rules to enable faster rule lookup. By default, the system also searches uncompiled rules when evaluating a connection attempt so that new rules can be applied; because the rules are not compiled, the search takes longer.

You can change this behavior so that the rule engine uses a transactional model when implementing rule changes, continuing to use the old rules until the new rules are compiled and ready for use. With the transactional model, performance should not drop during the rule compilation. The following table clarifies the behavioral difference.

Model

Before Compilation

During Compilation

After Compilation

Default

Matches old rules.

Match new rules.

(The rate for connections per second decreases.)

Matches new rules.

Transactional

Matches old rules.

Match old rules.

(The rate for connections per second is unaffected.)

Matches new rules.

An additional benefit of the transactional model is that, when replacing an ACL on an interface, there is no gap between deleting the old ACL and applying the new one. This feature reduces the chances that acceptable connections may be dropped during the operation.


Tip

If you enable the transactional model for a rule type, syslogs to mark the beginning and the end of the compilation are generated. These syslogs are numbered 780001 through 780004.

Use the following procedure to enable the transactional commit model for the rule engine.

Procedure

Choose Configuration > Device Management > Advanced > Rule Engine and select the desired options:

  • Access group—Access rules applied globally or to interfaces.
  • NAT—Network address translation rules.

Enable ASP Load Balancing

The ASP load balancing mechanism helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows

  • Overruns caused by bulk flows oversubscribing specific interface receive rings

  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load.

ASP load balancing allows multiple cores to work simultaneously on packets that were received from a single interface receive ring. If the system drops packets, and the show cpu command output is far less than 100%, then this feature may help your throughput if the packets belong to many unrelated connections.

Procedure

Step 1

To enable the automatic switching on and off of ASP load balancing, choose Configuration > Device Management > Advanced > ASP Load Balancing, and check the Dynamically enable or disable ASP load balancing based on traffic monitoring check box .

This option is not available on the ASAv; you must manually enable or disable ASP load balancing.

Step 2

To manually enable or disable ASP load balancing, check or uncheck the Enable ASP load balancing check box.

When you manually enable ASP load balancing, it is enabled until you manually disable it, even if you also have the Dynamic option enabled. Manually disabling ASP load balancing applies only if you manually enabled ASP load blancing. If you also enabled the Dynamic option, then the system reverts to automatically enabling or disabling ASP load balancing.

Monitoring the DNS Cache

The ASA provides a local cache of DNS information from external DNS queries that are sent for certain clientless SSL VPN and certificate commands. Each DNS translation request is first looked for in the local cache. If the local cache has the information, the resulting IP address is returned. If the local cache can not resolve the request, a DNS query is sent to the various DNS servers that have been configured. If an external DNS server resolves the request, the resulting IP address is stored in the local cache with its corresponding hostname.

See the following command for monitoring the DNS cache:

  • show dns-hosts

    This command shows the DNS cache, which includes dynamically learned entries from a DNS server as well as manually entered name and IP addresses using the name command.

History for Basic Settings

Feature Name

Platform Releases

Description

ISA 3000 hardware bypass

9.4(1.225)

The ISA 3000 supports a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following screen: Configuration > Device Management > Hardware Bypass

Automatic ASP Load Balancing

9.3(2)

You can now enable automatic switching on and off of the ASP load balancing feature.

Note 

The automatic feature is not supported on the ASAv; only manual enabling and disabling is supported.

We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

Removal of the default Telnet password

9.0(2)/9.1(2)

To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet.

Note 

The login password is only used for Telnet if you do not configure Telnet user authentication.

Previously, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.

The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command, until you set a login password.

We did not modify any ASDM screens.

Password Encryption Visibility

8.4(1)

We modified the show password encryption command.

Master Passphrase

8.3(1)

We introduced this feature. The master passphrase allows you to securely store plain text passwords in encrypted format and provides a key that is used to universally encrypt or mask all passwords, without changing any functionality.

We introduced the following screens:

Configuration > Device Management > Advanced > Master Passphrase

Configuration > Device Management > Device Administration > Master Passphrase