Mr. Burns: Use the amnesia ray!
Smithers: You mean the revolver, sir?
Mr. Burns: Precisely. Be sure to wipe your own memory clear when you’re finished.
The Simpsons, 5F05 (Lisa the Skeptic)
When the Cisco ASA boots up, it looks for a boot image and a startup config file. This file is located at disk0:/.private/startup-config, which is not accessible from the console. (However, you can remove the flash drive and attach it to a compact flash card reader and access the hidden files that way.)
The startup config can get corrupted, or you can do a write erase in global config mode, and poof it’s gone. If the ASA does not find a valid startup config when it boots, it will load the first boot image that it finds on flash, and then prompt for some very basic human-supplied config via the console. You can also manually initiate the setup prompt by using the setup command in global config mode:
    ciscoasa# conf t
    ciscoasa(config)# setup
    Pre-configure Firewall now through interactive prompts [yes]?
    Firewall Mode [Routed]:
    Enable password :
    Allow password recovery [yes]?
    Clock (UTC):
    Year :
    Month [Jul]:
    Day :
    Time [03:35:43]:
    Inside IP address:
    Address required
    Inside IP address: 192.168.2.1
    Inside network mask:
    Mask required
    Inside network mask: 255.255.255.0
    Host name:
    Name required
    Host name: ciscoasa
    Domain name:
    Name required
    Domain name: gomjabbar.com
    IP address of host running Device Manager:

    The following configuration will be used:
    Enable password:
    Allow password recovery: yes
    Clock (UTC): 03:35:43 Jul 11 2011
    Firewall Mode: Routed
    Inside IP address: 192.168.2.1
    Inside network mask: 255.255.255.0
    Host name: ciscoasa
    Domain name: gomjabbar.com

    Use this configuration and write to flash? y
You can hit ENTER to accept the defaults for most of the questions; the setup prompt shows acceptable default values in square brackets after them. As the example above shows, it will insist on user-supplied values for a few of the questions. The information that must be supplied:
- Inside interface IP address
- Inside interface subnet mask
- Domain name
ASDM access is not enabled if you do not supply an IP address (of a management workstation that will use the ASDM) for this question:
IP address of host running Device Manager:
Specifically, the http server enable command is not configured. Only console access is allowed in this case.
However, if an IP address is supplied (e.g. 192.168.2.2), the ASA will be configured with:
    http server enable
    http 192.168.2.2 255.255.255.255 inside
From a host at 192.168.2.2, you will then be able to open an HTTPS connection to the ASA’s inside interface to manage the ASA.
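The setup prompt limits ASDM to a single host on the inside interface, so a useful follow-up check is whether a saved config still looks like that. The script below is an added example, not part of the original post: it reads ASA config text and reports whether the HTTP server is enabled and whether any `http` entry is wider than one host or sits on another interface. The function name `audit_asdm_access`, the `trusted_ifaces` parameter and the three sample configs are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (not taken from a real device).
SETUP_WITH_HOST = """\
hostname ciscoasa
domain-name gomjabbar.com
http server enable
http 192.168.2.2 255.255.255.255 inside
"""
SETUP_NO_HOST = """\
hostname ciscoasa
domain-name gomjabbar.com
"""
WIDENED = """\
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

def audit_asdm_access(config, trusted_ifaces=("inside",)):
    """Return (server_enabled, allowed_networks, findings) for ASA config text."""
    enabled, allowed, findings = False, [], []
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["http", "server", "enable"]:
            enabled = True
        elif len(words) == 4 and words[0] == "http":
            try:
                net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            except ValueError:
                continue  # some other http subcommand, not an address entry
            allowed.append((net, words[3]))
            if net.prefixlen < 32:
                findings.append(f"{net} on {words[3]}: wider than a single host")
            if words[3] not in trusted_ifaces:
                findings.append(f"{net} on {words[3]}: not a trusted interface")
    if enabled and not allowed:
        findings.append("http server enabled but no hosts are permitted")
    if allowed and not enabled:
        findings.append("http hosts listed but http server is not enabled")
    return enabled, allowed, findings

if __name__ == "__main__":
    for name, cfg in [("with host", SETUP_WITH_HOST),
                      ("no host", SETUP_NO_HOST), ("widened", WIDENED)]:
        print(name, audit_asdm_access(cfg))
```
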