Cisco ASA Initial Setup from CLI
In: ASA, Fundamentals

A fresh Cisco ASA out of the box is mostly empty. The enable password is blank, Management0/0 is unconfigured, and the CLI setup wizard is prompting you to answer hostname/timezone/firewall-mode questions. Most engineers cancel the wizard, paste a real config, save, and move on. This article walks the day-0 commands that take a brand-new ASA (hardware or ASAv) from factory state to the baseline the rest of this cluster builds on: hostname, enable password, interfaces, default route, SSH for management, NTP, basic syslog, and a write to startup.

This is a Cisco ASA Fundamentals article. After running through these commands, the next steps are building out the inside/outside/DMZ zones, configuring static routes, and tightening the management plane.

Cancel the Setup Wizard

On first boot, the ASA console looks like this:

Pre-configure Firewall now through interactive prompts [yes]? no

Type no. The wizard is fine for someone who has never seen an ASA, but it asks a series of questions, sets defaults you will replace, and writes the result to startup. For any engineer with a target config in mind, it is faster to skip it.

If the ASA already booted with the wizard's answers and you want to start fresh:

ciscoasa# write erase
ciscoasa# reload

This wipes the startup config and reboots into a clean state. Because the running config now differs from the (empty) startup config, reload asks whether to save the modified configuration first; answer no, or the config you just erased is written straight back to flash.

Enable Mode, Hostname, Domain

The default enable password on a fresh ASA is empty (just press Enter). The first move is to set a real one and a hostname:

ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA-PERIM
ASA-PERIM(config)# domain-name pinglabz.lab
ASA-PERIM(config)# enable password Cisco1@3

For a real production ASA you would use a strong unique password and pair it with a hashed local user (covered in management hardening). For lab work, the CML default enable password Cisco1@3 is what PyATS expects, which is why every ASA in the PingLabz lab uses it.

The hostname propagates to every prompt and to the cert subject if you generate a self-signed identity certificate. Set it before any cert work.

Bring Up the Data Interfaces

Three interfaces, three roles. Everything else in the cluster builds on this baseline:

ASA-PERIM(config)# interface GigabitEthernet0/0
ASA-PERIM(config-if)#  description Outside-to-ISP
ASA-PERIM(config-if)#  nameif outside
ASA-PERIM(config-if)#  security-level 0
ASA-PERIM(config-if)#  ip address 203.0.113.2 255.255.255.252
ASA-PERIM(config-if)#  no shutdown
!
ASA-PERIM(config)# interface GigabitEthernet0/1
ASA-PERIM(config-if)#  description Inside-to-LAN
ASA-PERIM(config-if)#  nameif inside
ASA-PERIM(config-if)#  security-level 100
ASA-PERIM(config-if)#  ip address 10.10.0.254 255.255.255.0
ASA-PERIM(config-if)#  no shutdown
!
ASA-PERIM(config)# interface GigabitEthernet0/2
ASA-PERIM(config-if)#  description DMZ
ASA-PERIM(config-if)#  nameif dmz
ASA-PERIM(config-if)#  security-level 50
ASA-PERIM(config-if)#  ip address 192.168.50.1 255.255.255.0
ASA-PERIM(config-if)#  no shutdown

Two things that bite IOS engineers: ASA interfaces ship shut, so no shutdown is mandatory; and an interface without a nameif is unusable, because NAT, ACLs, routes, ssh and logging all reference the interface by that name rather than by GigabitEthernet0/x, and the ASA will not pass traffic on an unnamed interface. See interfaces and VLAN trunks for the full anatomy.

Default Route to the ISP

ASA-PERIM(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

One static line. The trailing 1 is administrative distance (default for static; lower beats higher if you also have a learned default). For multi-WAN and tracked-route patterns, see static routing.

Verify reachability:

ASA-PERIM# ping 203.0.113.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Outside next-hop reachable. Now confirm the interface table looks right:

ASA-PERIM# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.2     YES manual up                    up
GigabitEthernet0/1         10.10.0.254     YES manual up                    up
GigabitEthernet0/2         192.168.50.1    YES manual up                    up
Management0/0              unassigned      YES unset  administratively down down

Three data interfaces up. Management0/0 still down because we have not configured it yet (and most ASAs are managed in-band over the inside interface anyway).

SSH for Management

Telnet and SSH on the ASA are configured by the same pattern: a per-interface allow-list of source subnets. Skip telnet entirely on a real network; SSH only.

ASA-PERIM(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
!
ASA-PERIM(config)# username admin password Cisc0_Admin! privilege 15
ASA-PERIM(config)# aaa authentication ssh console LOCAL
ASA-PERIM(config)# ssh 10.10.0.0 255.255.255.0 inside
ASA-PERIM(config)# ssh version 2
ASA-PERIM(config)# ssh timeout 30

Walk through it:

  • crypto key generate rsa creates the host key SSH needs. 2048 modulus minimum; 4096 is fine if you do not mind the extra second on key gen. The key pair is not part of the running config and is only saved to flash by write memory; reload without saving and the host key is gone.
  • username admin ... privilege 15 creates a local privileged user.
  • aaa authentication ssh console LOCAL tells the ASA to authenticate SSH against the local user database.
  • ssh 10.10.0.0 255.255.255.0 inside permits SSH from the inside subnet only. Without an ssh permit line for an interface, no SSH can land there. This is the ASA's built-in SSH ACL.
  • ssh version 2 disables SSHv1.

The full hardening pass (key sizes, idle timeouts, AAA server-groups, mgmt ACLs, console banners) lives in management hardening. The block above is the absolute minimum to get a remote shell.

Time: Clock and NTP

Wrong clocks break certificate validation, syslog correlation, and AAA. Set the timezone and at least one NTP source on day 0.

ASA-PERIM(config)# clock timezone UTC 0
ASA-PERIM(config)# ntp server 10.10.0.10 source inside prefer
ASA-PERIM(config)# ntp server 10.10.0.11 source inside

UTC is the right answer for a network device unless you have a reason. If you must run local time, set clock summer-time for DST. Verify after a few minutes:

ASA-PERIM# show ntp associations

  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.10.0.10     127.127.1.0      8     5    64   377    1.2    0.342    1.502
 ~10.10.0.11     127.127.1.0      8    11    64   377    1.5   -0.118    1.221
* master (synced)

ASA-PERIM# show clock
01:23:45.789 UTC Sun May 10 2026

The asterisk on the first line says we are synced to that peer. Stratum (st) 8 is the upstream's stratum; the ASA itself sits at stratum 9 once synced. The ref clock of 127.127.1.0 means both lab servers are disciplined by their own local clock rather than a GPS or public source, which is fine for CML but not for production. Reach of 377 (octal, all of the last eight polls answered) is the column to watch when a peer is flapping.

Basic Syslog

Logging is so important that it gets its own article. The day-0 minimum is to enable logging, log to the buffer for ad-hoc reads, and ship to a remote syslog server for retention.

ASA-PERIM(config)# logging enable
ASA-PERIM(config)# logging timestamp
ASA-PERIM(config)# logging buffered informational
ASA-PERIM(config)# logging trap informational
ASA-PERIM(config)# logging host inside 10.10.0.30 17/514

The five lines: turn logging on, prepend timestamps, keep the most recent messages in RAM at severity informational and above, set the severity sent to syslog servers, and point at 10.10.0.30 over UDP/514. The logging trap line is the one people leave out: logging host only defines a destination, and without a trap level nothing is ever sent to it. Each severity keyword keeps that level and everything more severe, so informational (6) ships everything except debugging (7). After the change, show logging immediately shows the new buffer filling up.
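To see what those severity keywords mean once the messages leave the box, here is an added example that is not part of the article or of Cisco's tooling: a small Python parser for ASA syslog lines as a collector receives them, applying the same gate that logging trap and logging buffered apply on the ASA, and pulling the fields worth alerting on out of ACL-deny messages. The sample lines are constructed for the example (message IDs follow the ASA numbering; the addresses and connection numbers are made up), and the assumption is that the collector hands the code the raw message text with any syslog transport header already stripped.

```python
# Added example, not from the article or Cisco: parse ASA syslog lines as a collector
# sees them and apply the severity gate that `logging trap <level>` and
# `logging buffered <level>` apply on the box. The sample lines are constructed.
from __future__ import annotations
import re
from typing import NamedTuple

# ASA severity keywords and their syslog numbers; a level keeps that number and below.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Optional "Mon DD YYYY HH:MM:SS: " prefix (present only with `logging timestamp`),
# then the fixed %ASA-<severity>-<six-digit id>: header.
MSG_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) by access-group "(?P<acl>[^"]+)"')


class AsaMessage(NamedTuple):
    timestamp: str  # "" when the sending ASA lacks `logging timestamp`
    severity: int
    msg_id: str
    text: str


def parse(line: str) -> AsaMessage | None:
    """Parse one line; None for anything that is not an ASA syslog message."""
    m = MSG_RE.match(line.strip())
    return AsaMessage(m["ts"] or "", int(m["sev"]), m["id"], m["text"]) if m else None


def shipped(lines: list[str], level: str) -> list[AsaMessage]:
    """Messages the ASA would send at `logging trap <level>`: severity <= level."""
    parsed = [msg for msg in map(parse, lines) if msg]
    return [msg for msg in parsed if msg.severity <= LEVELS[level]]


def acl_denies(messages: list[AsaMessage]) -> list[tuple[str, str, str]]:
    """(src, dst, acl) from 106023 messages, the ACL-deny events worth alerting on."""
    hits = []
    for msg in messages:
        if msg.msg_id == "106023" and (m := DENY_RE.match(msg.text)):
            hits.append((m["src"], m["dst"], m["acl"]))
    return hits


# Constructed sample: three timestamped lines, one without `logging timestamp`, one junk line.
SAMPLE = """\
May 10 2026 01:25:01: %ASA-6-302013: Built outbound TCP connection 4121 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.10.0.25/51234 (203.0.113.2/51234)
May 10 2026 01:25:03: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.10.0.25/22 by access-group "outside_in" [0x0, 0x0]
May 10 2026 01:25:04: %ASA-7-609001: Built local-host inside:10.10.0.25
%ASA-5-111008: User 'admin' executed the 'write memory' command.
not an ASA message at all
""".splitlines()
```

Run shipped(SAMPLE, "informational") and the severity-7 609001 line drops out, exactly as it would never leave an ASA configured with logging trap informational; run it with "warnings" and only the deny survives. The untimestamped line parses with an empty timestamp, which is the collector-side symptom of an ASA missing logging timestamp.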

DNS for the ASA

The ASA needs DNS for FQDN-based ACLs, AnyConnect FQDN-aware features, and any feature that needs to resolve external names (ntp by FQDN, license server, etc.).

ASA-PERIM(config)# dns domain-lookup inside
ASA-PERIM(config)# dns server-group DefaultDNS
ASA-PERIM(config-dns-server-group)#  name-server 10.10.0.10
ASA-PERIM(config-dns-server-group)#  name-server 10.10.0.11
ASA-PERIM(config-dns-server-group)#  domain-name pinglabz.lab

The interface in dns domain-lookup INTERFACE tells the ASA which interface to source DNS queries from. If you also want internet-resolved DNS for outside-bound features, add dns domain-lookup outside with a public resolver in the server group.

Minimum-Viable NAT + ACL for Outbound Traffic

Inside hosts cannot reach the internet until you (a) PAT them to the outside interface and (b) the security-level model lets the traffic out. The PAT rule:

ASA-PERIM(config)# object network INSIDE-NET
ASA-PERIM(config-network-object)#  subnet 10.10.0.0 255.255.255.0
ASA-PERIM(config-network-object)#  nat (inside,outside) dynamic interface

That single object PATs the entire inside subnet to the outside interface IP for any outbound flow. Because inside is security-level 100 and outside is 0, the implicit allow-from-higher-to-lower rule lets the flow out without an explicit ACL. That implicit permit only exists while no ACL is applied inbound on the inside interface; the moment you bind one with access-group, it replaces the implicit rule and anything the ACL does not permit is dropped. Security levels covers exactly when you need an explicit ACL and when the implicit rules are enough.

For inbound DMZ-publishing, you would add a static NAT and an ACL (covered in Static NAT for the DMZ).

Default Inspection (Already On)

Out of the box the ASA has a default global policy (policy-map global_policy, class inspection_default) that inspects DNS, FTP, H.323, SIP, ESMTP, SQL*Net, TFTP and a handful of other protocols. ICMP is not in that list. Without ICMP inspection the stateful engine does not tie an echo reply coming back from outside to the echo that went out, so the reply is dropped at the lower-to-higher boundary and a ping from an inside host to the internet fails even though the rest of the build is correct. The day-0 fix is to enter policy-map global_policy, then class inspection_default, and add inspect icmp (plus inspect icmp error if you want unreachables and time-exceeded back for traceroute). The alternative is to permit icmp in an inbound ACL on outside, which is looser. The full MPF and inspection engines walkthrough covers customization.

Verify the default policy is in place and that icmp now appears in it:

ASA-PERIM# show service-policy global
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4218, lock fail 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, lock fail 0, drop 0, reset-drop 0
      ...
      Inspect: icmp, packet 1244, lock fail 0, drop 0, reset-drop 0

If show service-policy global returns nothing, someone removed the default policy. Restore it (or add the bits you actually need) per the inspection-engines article.

Save the Config (Otherwise Reboots Lose It)

The single most-forgotten command on the ASA. Running config is in RAM; startup config is in flash. The two diverge silently until you reboot and lose hours of work.

ASA-PERIM# write memory
Building configuration...
Cryptochecksum: 4e7f9c2a 1b3d8e6f a9c5b417 d2e8f039
[OK]

Or the equivalent copy running-config startup-config. Make this a reflex after every change. Upgrade and backup covers automating off-box backups so you do not lose the config to a flash failure.

Post-Bootstrap Checklist

By the end of this article, the ASA has:

  • A real hostname and enable password.
  • Three named interfaces with security levels and IPs (inside/outside/dmz).
  • A default route to the upstream ISP.
  • SSH from the inside subnet, with a privileged local user.
  • Working NTP and a sane timezone.
  • Buffered + remote syslog.
  • DNS for the ASA itself.
  • Minimum-viable PAT for inside hosts to reach the internet.
  • Default inspection with inspect icmp added, which is what lets pings get replies.
  • Saved startup config.

That is the floor. Everything else in the cluster (DMZ publishing, AnyConnect, failover, MPF tuning, multi-context) builds on top.

Sanity Check Before You Walk Away

Three commands that catch 90% of "I bootstrapped this ASA an hour ago and it does not work" calls:

ASA-PERIM# show interface ip brief        ! All data interfaces "up/up"?
ASA-PERIM# show route                     ! Default route present?
ASA-PERIM# show xlate count               ! At least one xlate after sending traffic from inside?

If the first two are clean and you see xlates appear after running a ping from inside-host to 8.8.8.8, the day-0 build works. If not, run packet-tracer for the failing flow and follow the phase output to the rule that is dropping the packet.
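The three commands above are the on-box check. For the same checklist run offline against a saved running-config (from show running-config, or the off-box backup), here is an added example that is not part of the article or of Cisco's tooling: a small Python linter covering the items in the Post-Bootstrap Checklist, including the gotchas called out along the way (nameif and no shutdown on every used interface, a default route whose next hop actually sits on the outside /30, the ssh permit line and its AAA, and logging trap). The config text it runs on is a constructed excerpt matching this article's build, not a capture from a real box; the required nameifs (inside/outside/dmz) are this article's names and are passed as a parameter.

```python
# Added example, not from the article or Cisco: lint a saved ASA running-config for the
# day-0 items and gotchas this article walks. The sample config at the bottom is constructed.
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    nameif: str = ""                             # "" until a `nameif` line is seen
    ip: "ipaddress.IPv4Interface | None" = None  # set by `ip address a.b.c.d mask`
    shutdown: bool = False

def parse_interfaces(config: str) -> dict[str, Interface]:
    """Collect each `interface X` block and the sub-commands indented under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces[m.group(1)] = Interface(m.group(1))
        elif current is None or not line.startswith(" "):
            current = None  # any non-indented line ends the interface block
        elif m := re.match(r" nameif (\S+)", line):
            current.nameif = m.group(1)
        elif m := re.match(r" ip address (\S+) (\d+\.\d+\.\d+\.\d+)", line):
            current.ip = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.strip() == "shutdown":
            current.shutdown = True
    return interfaces

# Lines that must simply be present; `logging trap` is the one people forget to write.
REQUIRED_LINES = (
    (r"^ssh \d+\.\d+\.\d+\.\d+ \S+ \S+$", "no 'ssh <net> <mask> <nameif>' permit line, so no SSH can land"),
    (r"^aaa authentication ssh console ", "no aaa authentication for ssh"),
    (r"^ntp server ", "no ntp server"),
    (r"^logging enable$", "logging not enabled"),
    (r"^logging trap ", "no 'logging trap <level>', so the syslog host receives nothing"),
    (r"^dns domain-lookup ", "no dns domain-lookup interface"),
    (r"^ name-server \S+", "no name-server in any dns server-group"),
    (r"^ nat \(\w+,\w+\) dynamic interface", "no outbound PAT for inside hosts"),
)

def lint_day0(config: str, required=("inside", "outside", "dmz")) -> list[str]:
    """Return findings against the day-0 checklist; an empty list means it is complete."""
    intfs = parse_interfaces(config)
    by_name = {i.nameif: i for i in intfs.values() if i.nameif}
    out = [f"no interface is named '{n}'" for n in required if n not in by_name]
    # An untouched interface (Management0/0 left shut) is fine on day 0; a partly
    # configured one must carry a nameif, an address, and no shutdown.
    for i in (i for i in intfs.values() if i.nameif or i.ip):
        out += [f"{i.name}: {why}" for bad, why in (
            (not i.nameif, "no nameif, so nothing can reference it"), (not i.ip, "no ip address"),
            (i.shutdown, "still shutdown (ASA interfaces ship shut)")) if bad]
    # The default route must leave a real nameif and its next hop must sit on that subnet.
    routes = re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    out += [] if routes else ["no default route"]
    for via, nh in routes:
        if via not in by_name:
            out.append(f"default route via unknown nameif '{via}'")
        elif by_name[via].ip and ipaddress.ip_address(nh) not in by_name[via].ip.network:
            out.append(f"default route next hop {nh} is not on {via} subnet {by_name[via].ip.network}")
    out += [why for pat, why in REQUIRED_LINES if not re.search(pat, config, re.M)]
    return out

# Constructed running-config excerpt matching this article's build.
GOOD = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.0.254 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.50.1 255.255.255.0
interface Management0/0
 shutdown
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.0.10
aaa authentication ssh console LOCAL
ssh 10.10.0.0 255.255.255.0 inside
ntp server 10.10.0.10 source inside prefer
logging enable
logging timestamp
logging trap informational
logging host inside 10.10.0.30 17/514
"""
# Same build with three mistakes (dmz unnamed and shut, wrong next hop, no trap level).
BAD = (GOOD.replace(" nameif dmz\n", " shutdown\n")
           .replace("203.0.113.1 1", "198.51.100.1 1")
           .replace("logging trap informational\n", ""))
```

Feed lint_day0 the text of show running-config; an empty list is a pass, and on BAD it returns five findings (the unnamed, shut dmz interface shows up three ways). Extending it for your own baseline is a matter of adding a regex and a message to REQUIRED_LINES.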

Key Takeaways

Day-0 ASA bootstrap is small but ordered. Hostname and enable password first, then interfaces (do not forget nameif and no shutdown), then a default route, then SSH for remote access, then NTP, syslog (including logging trap), and DNS for the box itself. PAT for inside hosts, inspect icmp, and a saved config close out the build.

The two most-skipped steps that cause future debugging pain are setting the timezone (always UTC unless you have a reason) and writing memory after the build. Make both reflexes.

Next: Cisco ASA Inside/Outside/DMZ Configuration Walkthrough takes the same baseline and turns it into a publishing edge with a real DMZ web server, ACLs, and traffic flowing in both directions. The full reading order is on the Cisco ASA pillar.
