
Setting Up the System Clock

One of the most important tasks when setting up the security appliance is to verify that the clock settings are accurate. If logging timestamp is enabled, as discussed in the "Enabling Logging" section, the security appliance timestamps syslog messages using the system clock before sending them to the configured logging destinations. The system clock is also checked when VPN tunnels that use PKI are negotiated, to verify the validity of the certificate presented by the VPN peer. The security appliance supports two methods to adjust the system clock:

  • Manual clock adjustment using clock set

  • Automatic clock adjustment using the Network Time Protocol

Manual Clock Adjustment Using clock set

Similar to a Cisco IOS router, the security appliance allows the use of the clock set command to adjust the system clock. After setting the clock, the security appliance updates the system memory powered by a battery on the motherboard. Consequently, if the security appliance is rebooted, the time setting does not need to be reconfigured. The complete command syntax is as follows:

clock set hh:mm:ss {month day | day month} year

Table 4-6 describes the syntax.

Table 4-6. The clock set Command Syntax

Syntax      Syntax Description
hh:mm:ss    Specifies the time in hours, minutes, and seconds using the 24-hour time format
month       Specifies the month, such as January or February
day         Sets the day of the month, an integer from 1 to 31
year        Sets the year as a four-digit number ranging between 1993 and 2035


In Example 4-22, the clock on the security appliance is updated to use the current time of 23:30 and the current date is August 5, 2005.

Example 4-22. Setting the System Clock
Chicago# clock set 23:30:00 august 5 2005

To check the current time on the security appliance, use the show clock command, as shown in Example 4-23.

Example 4-23. Output of show clock
Chicago# show clock

23:30:05.142 UTC Fri Aug 5 2005

Automatic Clock Adjustment Using the Network Time Protocol

Cisco ASA provides support for the Network Time Protocol (NTP) to synchronize the system clock with an NTP server. The device administrator does not need to update the system clock manually because the security appliance overrides the manual clock setting when it synchronizes the time with the NTP server. Setting up an NTP server is important when an organization uses certificates (PKI) to authenticate users and devices on the network.

NTP is set up by using the ntp commands, as shown in the following command syntaxes:

ntp server ip_address [key key_id] [source interface_name] [prefer]

ntp authenticate

ntp authentication-key key_id md5 md5_key

ntp trusted-key key_id

Table 4-7 lists and describes the options in the ntp command.

Table 4-7. The ntp Command Arguments

Syntax              Syntax Description
server              Keyword to specify the IP address of the NTP server
ip_address          Specifies the actual IP address of the NTP server
key                 Optional keyword to specify the authentication key
key_id              Specifies the authentication key number, between 1 and 4,294,967,295
source              Optional keyword to specify the source of the NTP packets
interface_name      Specifies the name of the interface to source the packets destined to the NTP server
prefer              If multiple NTP servers are specified, the security appliance chooses the NTP server with this keyword.
authenticate        Keyword to enable NTP authentication
authentication-key  Keyword to specify the authentication key to authenticate to an NTP server
md5                 Keyword to enable MD5 authentication
md5_key             Specifies the actual key, up to 35 characters, used for MD5 authentication
trusted-key         Keyword to specify an authentication key for all the configured NTP servers


Example 4-24 shows how to configure two NTP servers located on the inside interface. The server at 192.168.10.200 is the preferred server, while the server at 192.168.10.201 is the secondary NTP server. Both servers use the authentication key ID 919919, and they require the MD5 authentication key cisco123 to successfully authenticate the security appliance. The key ID on each ntp server line must match the ID defined with ntp authentication-key, and ntp trusted-key marks that key as trusted.

Example 4-24. Configuration of NTP Server
Chicago(config)# ntp authentication-key 919919 md5 cisco123

Chicago(config)# ntp trusted-key 919919

Chicago(config)# ntp authenticate

Chicago(config)# ntp server 192.168.10.200 key 919919 source inside prefer

Chicago(config)# ntp server 192.168.10.201 key 919919 source inside

To verify whether the system clock is synchronized with the NTP server, use the show ntp status command, as shown in Example 4-25.

Example 4-25. Output of show ntp status
Chicago(config)# show ntp status

Clock is synchronized, stratum 9, reference is 192.168.10.200

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is c69e0e0b.1dfbb8db (23:35:51.117 UTC Fri Aug 5 2005)

clock offset is -11.9016 msec, root delay is 7.02 msec

root dispersion is 15902.56 msec, peer dispersion is 15890.63 msec
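
Because certificate validation and syslog timestamps depend on this clock, the show ntp status output is worth checking automatically. The following is an added example, not part of the original text: it reports an unsynchronized clock, a reference that is not one of the configured servers, or an excessive offset. The function name, the offset threshold, and the wording of the unsynchronized sample line are assumptions.

```python
import re

# Output as printed in Example 4-25.
SYNCED = """\
Clock is synchronized, stratum 9, reference is 192.168.10.200
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is c69e0e0b.1dfbb8db (23:35:51.117 UTC Fri Aug 5 2005)
clock offset is -11.9016 msec, root delay is 7.02 msec
root dispersion is 15902.56 msec, peer dispersion is 15890.63 msec
"""
# Constructed sample; the wording of the unsynchronized line is an assumption.
UNSYNCED = "Clock is unsynchronized, stratum 16, no reference clock\n"

def check_ntp_status(text, expected_servers, max_offset_ms=1000.0):
    """Return findings; expected_servers and max_offset_ms are local policy."""
    head = re.search(
        r"Clock is (\w+), stratum (\d+)(?:, reference is (\S+))?", text)
    if head is None:
        return ["unrecognized show ntp status output"]
    state, stratum, reference = head.group(1), int(head.group(2)), head.group(3)

    findings = []
    if state != "synchronized":
        findings.append(f"clock is {state} (stratum {stratum})")
    elif reference not in expected_servers:
        # Synchronized, but not to a server from the ntp server commands.
        findings.append(f"synchronized to unexpected reference {reference}")

    offset = re.search(r"clock offset is (-?\d+(?:\.\d+)?) msec", text)
    if offset and abs(float(offset.group(1))) > max_offset_ms:
        findings.append(
            f"clock offset {offset.group(1)} msec exceeds {max_offset_ms} msec")
    return findings

if __name__ == "__main__":
    servers = {"192.168.10.200", "192.168.10.201"}
    print(check_ntp_status(SYNCED, servers))
    print(check_ntp_status(UNSYNCED, servers))
```
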

Time Zones and Daylight Savings Time

Cisco ASA supports displaying the system time in the correct time zone. It maintains the system clock in Coordinated Universal Time (UTC) but shows it in the configured time zone. Use the clock timezone command followed by the name of the time zone to set the time zone on the security appliance, as shown in Example 4-26. The configured time zone is Eastern Standard Time (EST), which is 5 hours behind UTC.

Example 4-26. Setting Time Zone
Chicago(config)# clock timezone EST -5

The security appliance can automatically display the system clock in daylight savings time (DST) if it is configured to do so using the clock summer-time command. The security appliance enables you to set the DST in two formats:

  • Using specific date and time settings

  • Using recurring date and time settings

The command syntax for both formats is as follows:

clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]

clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

By using the clock summer-time date option, you can start and end DST on a specific day and time. For example, you can specify to always start DST at 2 a.m., April 1 and end at 2 a.m., October 31 of every year, as illustrated in Example 4-27. The offset indicates the number of minutes to add or remove from DST. The default is 60 minutes.

Example 4-27. Setting DST Using the Date Format
Chicago(config)# clock summer-time EST date Apr 1 2005 2:00 Oct 31 2035 2:00 60

Alternatively, you can use the clock summer-time recurring option to specify the day and time based on the day of the week. For example, you can set a policy to always start DST at 5 a.m. on the first Sunday of April and end it at 5 a.m. on the last Sunday of October, as shown in Example 4-28. If no day and time settings are specified, the security appliance uses a policy based on the U.S. DST rules (start DST at 2 a.m. on the first Sunday of April and end at 2 a.m. on the last Sunday of October).

Example 4-28. Setting DST Using the Recurring Format
Chicago(config)# clock summer-time EST recurring 1 Sun Apr 5:00 last Sun Oct 5:00
