11 July 2011
Posted By : Gom Jabbar
The Setup Prompt on the Cisco ASA

Mr. Burns: Use the amnesia ray!
Smithers: You mean the revolver, sir?
Mr. Burns: Precisely. Be sure to wipe your own memory clear when you’re finished.

The Simpsons, 5F05 (Lisa the Skeptic)

When the Cisco ASA boots up, it looks for a boot image and a startup config file. The startup config is located at disk0:/.private/startup-config, which is not accessible from the console. (However, you can remove the flash drive, attach it to a compact flash card reader, and access the hidden files that way.)

The startup config can get corrupted, or you can do a write erase in global config mode, and poof, it’s gone. If the ASA does not find a valid startup config when it boots, it will load the first boot image that it finds on flash, and then prompt for some very basic human-supplied config via the console. You can also manually initiate the setup prompt by using the setup command in global config mode:

ciscoasa# conf t
ciscoasa(config)# setup
Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password []:
Allow password recovery [yes]?
Clock (UTC):
  Year [2011]:
  Month [Jul]:
  Day [11]:
  Time [03:35:43]:
Inside IP address:
Address required
Inside IP address: 192.168.2.1
Inside network mask:
Mask required
Inside network mask: 255.255.255.0
Host name:
Name required
Host name: ciscoasa
Domain name:
Name required
Domain name: gomjabbar.com
IP address of host running Device Manager:

The following configuration will be used:
Enable password:
Allow password recovery: yes
Clock (UTC): 03:35:43 Jul 11 2011
Firewall Mode: Routed
Inside IP address: 192.168.2.1
Inside network mask: 255.255.255.0
Host name: ciscoasa
Domain name: gomjabbar.com

Use this configuration and write to flash? y

The setup prompt provides acceptable default values in square brackets after most of the questions, and you can hit ENTER to accept them. It will insist on user-supplied values for a few of the questions, as in the example above. The information that must be supplied:

  • Inside interface IP address
  • Inside interface subnet mask
  • Hostname
  • Domain name

ASDM access is not enabled if you do not supply an IP address (of a management workstation that will use the ASDM) for this question:

IP address of host running Device Manager:

Specifically, the http server enable command is not configured. Only console access is allowed in this case.

However, if an IP address is supplied (e.g. 192.168.2.2), the ASA will be configured with:

http server enable
http 192.168.2.2 255.255.255.255 inside

From a host at 192.168.2.2, you will then be able to open an HTTPS connection to the ASA’s inside interface to manage the ASA.
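To check a saved ASA config for the two lines above, here is an added example that is not part of the original post. It reports whether ASDM is reachable and flags any http permit entry wider than a single host. The function name audit_asdm and the sample configs are constructed for illustration, and only IPv4 "http address mask interface" lines are parsed.

```python
import ipaddress

# Constructed sample configs (illustrative, not captured from a device).
WITH_HOST = "hostname ciscoasa\nhttp server enable\nhttp 192.168.2.2 255.255.255.255 inside\n"
NO_HOST = "hostname ciscoasa\ndomain-name gomjabbar.com\n"
BROAD = "http server enable\nhttp 0.0.0.0 0.0.0.0 outside\nhttp 192.168.2.0 255.255.255.0 inside\n"


def audit_asdm(config: str) -> dict:
    """Summarise ASDM (HTTPS management) exposure in an ASA config text."""
    enabled = False
    allowed = []  # (network, interface) pairs from "http <addr> <mask> <if>"
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["http", "server", "enable"]:
            enabled = True  # an optional port number may follow
        elif len(words) == 4 and words[0] == "http":
            try:
                net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            except ValueError:
                continue  # some other 4-word http command, not a permit line
            allowed.append((net, words[3]))

    findings = []
    if enabled and not allowed:
        findings.append("http server enabled but no management host is permitted")
    if allowed and not enabled:
        findings.append("http permit lines present but http server is not enabled")
    for net, ifc in allowed:
        if net.prefixlen < 32:
            findings.append(f"{net} on {ifc}: wider than a single host")

    return {
        "asdm_reachable": enabled and bool(allowed),
        "allowed": [(str(net), ifc) for net, ifc in allowed],
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("with host", WITH_HOST), ("no host", NO_HOST), ("broad", BROAD)):
        print(name, audit_asdm(cfg))
```
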

Excellent, Smithers.

Additional Information:

Http server enable command in the Cisco ASA 8.4 Command Reference.

Write erase command in the Cisco ASA 8.4 Command Reference.

Setup command in the Cisco ASA 8.4 Command Reference.

gomjabbar: Removing the Flash Memory from a Cisco ASA 5505.