
Overview

The last chapter focused on introducing you to the command-line interface (CLI) of the security appliances. Starting with this chapter and continuing through the remainder of this book, I will focus on how to configure your appliance to meet the requirements outlined in your security policy. This chapter will focus on creating a very basic configuration for your appliance. If you have configured Cisco IOS devices like routers and switches, the configuration of the appliances, as you will see, is somewhat similar. The topics in this chapter include

  • Using the setup script to place an initial, and very basic, configuration on an appliance

  • Using basic management commands to view, back up, and restore your appliance configuration

  • Entering commands to place a basic configuration on your appliance, including a name, passwords, a login banner, and interface parameters

  • Allowing remote access to your appliance using telnet and SSH, and testing connectivity with ping and traceroute

  • Viewing information about your appliance, including hardware and version information and CPU and memory utilization

  • Using a simple configuration example to pull together the information discussed in the chapter


Basic Management Commands

The security appliances use flash memory to store the OS, the ASDM image, and the appliance configuration file. As with IOS devices, whenever you make configuration changes, these changes affect only the configuration that is running in RAM—the configuration that the appliance is actively using (commonly called the running configuration, or running-config for short). You must manually enter a command to copy the configuration to flash in order to save it. This section covers the commands that you can use to manipulate your configuration files. Manipulating other files in flash is discussed in Chapter 26.

Viewing Configurations

On the security appliances, you have two locations for a configuration file:

  • RAM: commonly called the running-config

  • Flash: commonly called the startup-config

Viewing the Running-Config File

To view the configuration running in RAM, use the show running-config command, which requires you to be in either Privilege EXEC or Configuration mode to execute it:

bigdog# show running-config
: Saved
:
ASA Version 8.0(3)
!
hostname bigdog
domain-name dealgroup.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
<--output omitted-->

Viewing the Startup-Config File

To view the startup-config file in flash, use the show startup-config command:

bigdog# show startup-config
: Saved
: Written by enable_1 at 09:47:01.816 UTC Thu Jul 17 2008
!
ASA Version 8.0(3)
!
hostname bigdog
domain-name dealgroup.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
<--output omitted-->

You can store more than one configuration file in flash; however, the default file that is loaded on bootup is the startup-config file, unless you override this behavior. More on this topic is discussed in Chapter 26.

Viewing Partial Configurations

You also have the ability to view partial configurations or commands from the running-config file by using the show command:

ciscoasa# show {running-config | startup-config} command

Here’s an example of viewing the interface configurations in the running-config:

ciscoasa# show running-config interface
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
<--output omitted-->

Copy Commands

The copy and write commands (covered in the next section) work in either Privilege EXEC or Configuration mode. The copy command works the same way it does on IOS devices: you need to specify a source and a destination. This command can be used to do the following:

  • Back up the running-config configuration to flash

  • Merge a configuration file with the running configuration

  • Restore the startup configuration file in flash from a remote server

  • Back up the running-config or startup-config to a remote server

  • Copy an ASDM image to flash (discussed in Chapter 26)

  • Copy an operating system to flash (discussed in Chapter 26)

Table 3-1 lists the copy commands for configuration files. When specifying a URL, use the following syntax:

file_type://destination_IP_or_name/[directory_name/]file_name

Table 3-1: The copy Commands for Configuration Files

  Command                                       Explanation
  --------------------------------------------  ------------------------------------------------
  copy running-config startup-config            Saves your active configuration file in RAM to
                                                flash
  copy startup-config running-config            Merges the startup-config file in flash with the
                                                running-config in RAM
  copy {running-config | startup-config} URL    Saves your running or startup configuration to
                                                the destination specified in the URL
  copy URL {running-config | startup-config}    Copies the file from the URL to the running or
                                                startup configuration (merges with the
                                                running-config, but replaces the startup-config)

Supported file types include

  • disk0 or flash: flash on the motherboard

  • disk1: the compact flash card on the ASA

  • ftp: FTP server

  • smb: Windows server

  • tftp: TFTP server
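To make the URL rule concrete, here is an added Python example (not from the book and not Cisco code) that parses a copy URL in the file_type://destination_IP_or_name/[directory_name/]file_name form against the file types listed above and flags transports that carry the configuration across the network unprotected. The function name parse_copy_url, the acceptance of the local disk0:/file_name spelling, and the sample URLs are assumptions made for this example.

```python
import re

# File types the chapter lists for copy URLs (descriptions repeat the list above).
SUPPORTED_FILE_TYPES = {
    "disk0": "flash on the motherboard",
    "flash": "flash on the motherboard",
    "disk1": "compact flash card on the ASA",
    "ftp": "FTP server",
    "smb": "Windows server",
    "tftp": "TFTP server",
}

# Local storage needs no destination host; everything else is a network copy.
LOCAL_FILE_TYPES = {"disk0", "flash", "disk1"}

# file_type://destination/[directory/]file_name, with the "//" optional so that
# the local disk0:/file_name spelling (an assumption of this example) also parses.
COPY_URL = re.compile(r"^(?P<ftype>[a-z0-9]+):(?://)?(?P<host>[^/]*)/(?P<path>.+)$")


def parse_copy_url(url):
    """Split a copy URL into its parts and return the warnings a reviewer would raise.

    Raises ValueError for anything the rule above does not allow: an unknown
    file type, a missing host on a network copy, or no file name.
    """
    match = COPY_URL.match(url)
    if not match:
        raise ValueError(f"not of the form file_type://destination/[directory/]file_name: {url!r}")
    ftype, host, path = match.group("ftype"), match.group("host"), match.group("path")

    if ftype not in SUPPORTED_FILE_TYPES:
        raise ValueError(f"unsupported file type {ftype!r}; expected one of {sorted(SUPPORTED_FILE_TYPES)}")
    if ftype not in LOCAL_FILE_TYPES and not host:
        raise ValueError(f"{ftype} needs a destination IP address or name")

    directory, _, file_name = path.rpartition("/")
    if not file_name:
        raise ValueError("file_name is missing")

    warnings = []
    # The saved configuration carries the enable password hash (see the
    # show running-config output earlier), so the transport it crosses matters.
    if ftype in ("ftp", "tftp"):
        warnings.append(f"{ftype} sends the configuration without encryption")
    if ftype == "tftp":
        warnings.append("tftp has no authentication; keep the server on the management network")
    return {
        "file_type": ftype,
        "description": SUPPORTED_FILE_TYPES[ftype],
        "host": host,
        "directory": directory,
        "file_name": file_name,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample URLs for the example; not from a real deployment.
    for sample in ("tftp://10.0.1.10/backups/bigdog.cfg", "disk0:/bigdog-backup.cfg"):
        print(sample, "->", parse_copy_url(sample))
```

The parser is deliberately strict: a URL that the appliance would reject is reported as an error before the copy is attempted, and the warnings list is what you would surface in a backup script's log so that a cleartext backup path does not go unnoticed.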

Write Commands

The write commands are used to save, view, or remove your configuration file and were the commands used, along with the configure command, to perform these functions before the introduction of the copy command.


Note

With the exception of the configure terminal command, the other configure commands have been deprecated. You must use the copy command instead; however, this is not true of the write commands, which still work.

Table 3-2 lists the write commands.

Table 3-2: The write Commands

  Command           Explanation
  ----------------  ------------------------------------------------------------
  write memory      Saves your active configuration file in RAM to flash
  write terminal    Views your configuration file in RAM (was used before the
                    show running-config command was introduced, but is still
                    supported)
  write net URL     Saves your configuration file in RAM to a remote server
  write erase       Erases your saved configuration file (startup-config) in flash
  write standby     Copies the configuration file from RAM on this appliance to
                    the RAM of the standby appliance when failover has been
                    configured (discussed in Chapter 23)


Tip

A quick way of saving your running-config to the startup-config is to use the abbreviated form of the write memory command (the equivalent of copy running-config startup-config): wr.

One miscellaneous command that you should remember is the reload command. Use this command in either Privilege EXEC or Configuration mode to reboot your appliance. When rebooting, if you’ve made changes to your running-config and haven’t saved them, the appliance will prompt you to save or discard these changes to the startup-config file in flash.
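Because the reload prompt is the only warning you get, an operator auditing several appliances usually wants to know before a reboot whether anything in RAM has not been written to flash. The following Python is an added example (not from the book) that compares captured show running-config and show startup-config output and lists the statements that would be lost. The two captures are constructed for the example; the function names and the choice to ignore the ":" header lines and "!" separators are assumptions of this example.

```python
import difflib

# Constructed captures shaped like the chapter's show output; not from a real appliance.
# The startup-config is what was last written to flash.
STARTUP_CONFIG = """\
: Saved
: Written by enable_1 at 09:47:01.816 UTC Thu Jul 17 2008
!
ASA Version 8.0(3)
!
hostname bigdog
domain-name dealgroup.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
"""

# The running-config: an administrator replaced telnet with SSH but has not
# entered write memory yet.
RUNNING_CONFIG = """\
: Saved
:
ASA Version 8.0(3)
!
hostname bigdog
domain-name dealgroup.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 5
"""


def config_lines(capture):
    """Keep only configuration statements.

    The ':' header lines differ between the two files even when the
    configurations match (the startup-config records who wrote it and when),
    and '!' lines are only separators, so both are dropped before comparing.
    """
    lines = []
    for raw in capture.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(":") or line == "!":
            continue
        lines.append(line)
    return lines


def unsaved_changes(running_capture, startup_capture):
    """Return (added, removed): statements only in RAM and statements only in flash."""
    running = config_lines(running_capture)
    startup = config_lines(startup_capture)
    added, removed = [], []
    for line in difflib.unified_diff(startup, running, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # diff headers, not configuration
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def is_saved(running_capture, startup_capture):
    """True when a reload would lose nothing."""
    added, removed = unsaved_changes(running_capture, startup_capture)
    return not added and not removed


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    for line in added:
        print("only in RAM   :", line)
    for line in removed:
        print("only in flash :", line)
    print("safe to reload:", is_saved(RUNNING_CONFIG, STARTUP_CONFIG))
```

The comparison is line-based and relies on the appliance writing both files in the same order, which it does; if you feed it captures from two different appliances instead, every host-specific line will show up as a difference, so use it only to compare RAM against flash on one box.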

Clear Commands

The clear command performs two functions on the appliance:

  • Resets the statistics for the specified process

  • Removes a configuration command or commands for the referenced process

For example, if you wanted to reset the statistics counters for an interface, you would use the following syntax:

ciscoasa# clear interface physical_if_name

If you wanted to remove or undo a configuration from your appliance, use the clear configure command (you must be in Configuration mode):

ciscoasa(config)# clear configure command

Use care when executing this command. For example, if you were to enter clear configure access-list, this would delete every access control list (ACL) on your appliance! You can qualify the command with which item you want to clear. For example, with an ACL, you could enter clear configure access-list ACL_ID, specifying the exact ACL you wish to delete. To reset the appliance configuration back to its factory defaults, use the clear configure all command.


Note

Be very careful about using the clear configure command. The appliance does not prompt you to verify if you want to actually perform the action: the appliance just performs the action. If you want to delete a specific command such as an entry in an ACL, preface the command with the no parameter, which is the same way of doing it on an IOS device.
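Since clear configure asks for no confirmation, a dry run against a saved copy of the configuration is a cheap safeguard. The Python below is an added example (not from the book) that, given captured configuration text, lists which lines clear configure access-list would remove versus clear configure access-list ACL_ID, and which other lines still refer to the cleared ID afterwards. The sample configuration, the function names, and the token-based matching (first token is the feature, second token is the ID) are assumptions of this example; it approximates the appliance's behaviour on text rather than reproducing its parser.

```python
# Constructed running-config fragment with three ACLs; sample data, not from a real appliance.
SAMPLE_CONFIG = """\
hostname bigdog
access-list OUTSIDE_IN extended permit tcp any host 10.0.1.5 eq 80
access-list OUTSIDE_IN extended deny ip any any
access-list DMZ_IN remark allow DNS to the resolver
access-list DMZ_IN extended permit udp any host 10.0.2.5 eq 53
access-list MGMT extended permit tcp 10.0.1.0 255.255.255.0 any eq 22
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
ssh 10.0.1.0 255.255.255.0 inside
"""


def config_lines(config):
    """Configuration statements only: blank lines and '!' separators dropped."""
    return [l.rstrip() for l in config.splitlines() if l.strip() and l.strip() != "!"]


def preview_clear_configure(config, feature, item_id=None):
    """Lines that `clear configure feature [item_id]` would remove.

    Without item_id every statement for the feature goes (the whole-ACL case
    the chapter warns about); with item_id only statements whose second token
    is that ID are matched, which is where ACL entries carry their ACL_ID.
    """
    removed = []
    for line in config_lines(config):
        tokens = line.split()
        if tokens[0] != feature:
            continue
        if item_id is not None and (len(tokens) < 2 or tokens[1] != item_id):
            continue
        removed.append(line)
    return removed


def dangling_references(config, feature, item_id):
    """Lines outside the feature that still name item_id once it is cleared."""
    return [
        line for line in config_lines(config)
        if line.split()[0] != feature and item_id in line.split()
    ]


if __name__ == "__main__":
    print("clear configure access-list would remove:")
    for line in preview_clear_configure(SAMPLE_CONFIG, "access-list"):
        print("  ", line)
    print("clear configure access-list DMZ_IN would remove:")
    for line in preview_clear_configure(SAMPLE_CONFIG, "access-list", "DMZ_IN"):
        print("  ", line)
    print("still referring to DMZ_IN afterwards:")
    for line in dangling_references(SAMPLE_CONFIG, "access-list", "DMZ_IN"):
        print("  ", line)
```

Run it against a fresh show running-config capture before the real command; the dangling_references output is the reminder that an access-group binding still points at an ACL you are about to empty.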