The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time:
- In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless.
- PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time.
The simplest method is to configure the date/time manually. You can do it like this:
ASA1(config)# clock set 13:15:00 Dec 19 2014
Just use the clock set command and enter the correct time/date. You can verify it like this:
ASA1# show clock
13:15:15.709 UTC Fri Dec 19 2014
As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this:
ASA1(config)# clock timezone CET +1
Use the clock timezone command to change the timezone. You can pick whatever name you want for the timezone but you have to specify the offset from UTC. CET is 1 hour ahead of UTC so that’s why I configured +1.
Here in the Netherlands (and most of central Europe) we use summertime. It’s called CEST (Central European Summer Time) and we have to tell the ASA when it starts and ends:
ASA1(config)# clock summer-time CEST recurring last Sun Mar 02:00 last Sun Oct 03:00
Summertime starts on the last Sunday in March at 02:00 and ends on the last Sunday in October at 03:00.
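The timezone and summer-time lines above decide how a local timestamp in an ASA log maps to UTC, which is what you need when correlating events with other devices after a breach. The Python code below is an added example, not part of the original lesson: it parses those two configuration lines and converts a local ASA timestamp to UTC. The function names are hypothetical, and it assumes the summer-time offset is 60 minutes and supports only the `recurring last Sun ...` form shown on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two clock lines configured on this page.
CONFIG = """\
clock timezone CET +1
clock summer-time CEST recurring last Sun Mar 02:00 last Sun Oct 03:00
"""
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def last_sunday(year, month, hhmm):
    """Local wall-clock datetime of the last Sunday of `month` at hh:mm."""
    h, m = map(int, hhmm.split(":"))
    first_next = datetime(year + (month == 12), month % 12 + 1, 1)
    d = first_next - timedelta(days=1)           # last day of the month
    d -= timedelta(days=(d.weekday() + 1) % 7)   # step back to Sunday
    return d.replace(hour=h, minute=m)

def parse_clock(config):
    """Extract zone names, UTC offset and the recurring summer-time rule."""
    tz = re.search(r"^clock timezone (\S+) ([+-]?\d+)$", config, re.M)
    st = re.search(r"^clock summer-time (\S+) recurring last Sun (\w{3}) "
                   r"(\d\d:\d\d) last Sun (\w{3}) (\d\d:\d\d)$", config, re.M)
    return {"name": tz.group(1), "offset": int(tz.group(2)),
            "dst_name": st.group(1),
            "start": (MONTHS[st.group(2)], st.group(3)),
            "end": (MONTHS[st.group(4)], st.group(5))}

def to_utc(local, clk):
    """Convert a naive local ASA timestamp to (UTC datetime, zone in effect)."""
    start = last_sunday(local.year, *clk["start"])
    end = last_sunday(local.year, *clk["end"])
    # Assumption: summer time adds 60 minutes. The repeated hour before the
    # autumn switch is ambiguous; it is treated as summer time here.
    if start <= local < end:
        return local - timedelta(hours=clk["offset"] + 1), clk["dst_name"]
    return local - timedelta(hours=clk["offset"]), clk["name"]

if __name__ == "__main__":
    clk = parse_clock(CONFIG)
    for ts in (datetime(2014, 12, 19, 14, 15), datetime(2014, 7, 1, 12, 0)):
        utc, zone = to_utc(ts, clk)
        print(f"{ts} {zone} -> {utc} UTC")
```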
Instead of configuring the clock manually, it’s better to use an external NTP server to keep your clock synchronized. You can configure the NTP client on the ASA like this: