7/29/2019 Cli Commands for ASA
1/26
Basic PIX / ASA CLI Commands
PIX / ASA configuration and monitoring connections. Methods 1 and 2 use CLI commands.
1 Console connection. Serial port, rollover cable to the device. Secure because you have to physically access the device. No user password required, but the privileged password may be required.
2 Telnet or SSH remote connections. User password and privileged passwords required.
3 PDM or ASDM, GUI Java based web monitoring and configuration.
AAA or local based authentication can require a username and password for improved security.
CLI commands for console, telnet and SSH connections.
PIX> enable
Password:
PIX# disable
PIX> help
Or
PIX> ?
PIX> en ?
PIX# help
PIX# show ?
PIX# configure terminal
PIX(config)# show ?
PIX(config)# hostname
Name(config)# domain-name
Name(config)# console timeout
Set to 0 and it does not time out.
Name(config)# clock set hh:mm:ss day MONTH year
MONTH is configured by name.
Name(config)# name
Name(config)# names
PIX# setup
Note: Not all commands are included in the PIX help; the ASA's help is better.
Note: Command editing is similar to the switch and router CLI, but some of the advanced editing features depend on the firewall's OS version. (Example: tab command completion does not work in pre-7 OSs.) Enter q to quit long displays.
Note: Show commands can be used in privileged or configuration mode.
Factory Default and Config. Saving
Default Configurations
The PIX 501 and ASA 5505 were designed as SOHO devices. They come with a factory default configuration stored in flash. This configuration sets up a basic usable configuration for the device (WAN DHCP client, LAN DHCP server and a basic usable configuration for other areas). Other PIX and ASA models also have a default configuration, but the main part of their configuration is to set up the basic commands to allow ASDM connections to the management interface. At any time the running-config can be reset back to the factory default with the following command:
Name(config)# configure factory-default
Then the running-config needs to be saved in NVRAM.
Configuration File Saving, Viewing
Commands vary depending on the OS version, pre or post version 7.
Pre-7, use the write commands; some copy commands work.
Post-7, use the write or copy commands.
Name# write memory (saves the running-config to startup-config)
Name# write terminal (views the running-config)
Name# write erase (erases the startup-config)
Name# write standby (copies the running-config to the standby failover firewall)
Name# configure memory (merges the two files into the running-config)
Name# show configure (views the startup-config)
Name# copy running-config startup-config (saves the running-config to startup-config)
Name# copy startup-config running-config (merges the two files into the running-config)
Name# show running-config (views the configuration in RAM)
Name# show startup-config (views the configuration in NVRAM)
Passwords and Login Banners
Passwords
For security, all passwords are encrypted on Cisco firewalls.
User exec- not used for the console connection, used for telnet and SSH connections.
Name(config)# passwd
Privileged exec- used for moving from user to privileged mode on all connection types.
Name(config)# enable password
Login Banners
Name(config)# banner
- asdm, exec, login, motd
Motd- message displayed at the beginning of all connections
Asdm- message displayed post-login of an ASDM connection
Exec- message displayed before the CLI prompt
Login- message displayed before the name and password prompts
Telnet and SSH Remote Connections
The device would have to be preconfigured through the console to bring up the interfaces and allow traffic into the device.
Telnet Setup
Telnet is not secure, and as such is typically only allowed from hosts on the high security interfaces.
Two things must be set up to allow telnet traffic to the device: a user password and a list of the IP addresses of the hosts allowed telnet connections.
PIX(config)# passwd
PIX(config)# telnet
PIX(config)# telnet timeout
SSH Setup
SSH creates an encrypted secure connection and can be used from any interface.
SSH requires four things to be set up: a user password, host and domain names, generated public and private RSA keys, and a list of allowed IP addresses.
PIX(config)# hostname
Name(config)# domain-name
Name(config)# passwd
Name(config)# ca generate rsa key
512, 768, 1024, 2048. Higher adds security but uses more resources.
Name(config)# ca save all
Name(config)# sh ca mypubkey rsa
Name(config)# ssh
Name(config)# ssh timeout
ASA is the same except for the key generation, key saving and display.
ASA(config)# crypto key generate rsa
Follow and answer the prompts.
ASA# write memory
ASA# show crypto key mypubkey rsa
Note: Unless a username and password are configured, SSH connections on both PIX and ASA use the default username pix with the user (passwd) password (up to OS 8.3).
ASA(config)# username password
ASA(config)# aaa authentication ssh console LOCAL ! Required for 8.4.2 or higher.
ASDM
ASDM (OS version 7 and later), PDM (OS version 6)
Web and Java based GUI for configuring and monitoring ASA or PIX devices.
PDM was included in flash on the PIX 501, but was an option on the other models.
Starting with OS 7, ASDM was included and has been included in flash on all the ASAs.
A basic configuration must be completed on the device to allow web access to the device through one or more of its network interfaces.
OS and ASDM/PDM versions are dependent on each other; updating one will usually require you to update the other.
Also, not all versions of the Java component are compatible with different versions of PDM or ASDM. The PIX 501s were never updated to IOS version 7 or later, and thus never were updated to ASDM.
Our PIX 501s with PDM are only compatible with Java 1.4.1 or older.
ASDM is compatible with 1.4.2 and newer.
We will only do ASDM labs on the ASAs so that we won't have to keep changing and downgrading the Java component.
ASDM uses HTTPS (SSL) to protect the communications between the desktop and the appliance.
The factory default configuration on an ASA 5505 or PIX 501 allows ASDM or PDM connections from hosts on the inside network.
Basic ASA configuration required before ASDM can be used:
ASA(config)# hostname
Name(config)# domain-name
Name(config)# enable password
Name(config)# interface
Name(config-if)# nameif
Name(config-if)# ip address
Name(config-if)# security-level
Name(config-if)# speed
Name(config-if)# duplex
Name(config-if)# no shutdown
Name(config-if)# exit
Name(config)# http server enable [port#]
[port#] defaults to the standard value of 443; this option allows it to be changed.
Name(config)# http logical_if_name
Hostname and domain-name are required; they are used to generate the RSA key for SSL.
A username and password can also be configured to enhance the ASDM logon security.
ASA 5505 interface settings
Name(config)# interface vlan
Name(config-if)# nameif
Name(config-if)# ip address [snm]
Name(config-if)# security-level
Note: Leave physical interface settings at their default values (auto negotiate speed and duplex, E0/0 vlan 2, all others vlan 1, all ports no shutdown).
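The following is an added example, not part of the original notes, that pulls the password, banner, SSH and ASDM slides together into one management-plane configuration for an ASA. The hostname fw1, the domain lab.example, the inside subnet 10.1.1.0/24 and the sample passwords are assumed values; everything else is standard ASA syntax from OS 7/8 onward. The point to notice is what is absent: there is no telnet statement, so cleartext telnet is never permitted, and both SSH and ASDM are tied to the local user database rather than the shared pix/passwd login.

```cisco
! Added example (not from the original notes): ASA management access limited to
! SSH and HTTPS (ASDM) from the inside network, authenticated against LOCAL.
! Assumed sample values: hostname fw1, domain lab.example, inside 10.1.1.0/24.
hostname fw1
domain-name lab.example
enable password Sample-Enable-Pw1
! Local administrator account shared by SSH, ASDM and enable authentication
username admin password Sample-Admin-Pw1 privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
! Hostname and domain-name must exist before the RSA key is generated
crypto key generate rsa modulus 2048
! SSH only from the inside management subnet; with no telnet line, telnet stays closed
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
! On releases that still accept the command, refuse SSH protocol 1
ssh version 2
! ASDM over HTTPS (default port 443) from the same subnet
http server enable
http 10.1.1.0 255.255.255.0 inside
! Idle console sessions close after 5 minutes; banner shown before the login prompts
console timeout 5
banner login Authorized administrators only. Sessions are logged.
! Save the running-config and the generated key to flash
write memory
! Verify what was applied
show crypto key mypubkey rsa
show running-config ssh
show running-config http
```

After saving, "show ssh sessions" and "show logging" (once logging is enabled) are the quickest way to confirm that only the expected administrators are connecting.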
Interface Config. and PIX inter. HW Values
Interface configurations
Interface configurations are different between PIX and ASAs, and can be different between device models. For all the devices, there are two distinct areas of interface configuration, physical and logical interfaces.
Physical- used to set up the physical properties of the interface.
Speed, duplex, security level, IP address, shutdown, no shutdown, logical interface name.
Physical interfaces: Ethernet number (PIX e0 or e1) (ASA 5505 e0/0 to e0/7). Devices with gigabit (g0/0 etc).
Prior to OS version 7.0, the physical interface setup was done in global configuration mode.
OS version 7 or later, the OS went into interface subcommand mode.
After the physical interface is set up and a logical name is assigned, all other interface commands are referenced to the logical name.
Note: because of the internal switch with VLANs, the ASA 5505 is slightly different from the standard ASA config.
PIX 501 Interface Configuration
The PIX 501 does not work with VLANs.
Pix(config)# interface hardware-id hardware-speed [shutdown]
Hardware-id
Ethernet 0 (typically the WAN port)
Ethernet 1 (typically the LAN port)
Hardware-speed
1000auto (not available on the 501)
10baset (10M half-duplex)
10full (10M full-duplex)
100basetx (100M half-duplex)
100full (100M full-duplex)
auto (auto neg. speed and duplex)
Optional shutdown. Enter no shutdown to turn it on. The 501 default is on; on all other PIX the default is shutdown.
PIX Interface Logical, Names and Security
Pix(config)# nameif hardware-id if-name security-level
Hardware-id - same as above
If-name - desired logical interface name, up to 48 characters, no spaces
501 factory-default: E0 outside, E1 inside
Security-level (default traffic flow allowed is higher to lower, except when the traffic is a reply to a request from a higher level, or ACLs allow the flow). 0 to 100 with 100 being the highest security level.
501 default outside 0 (the name outside is the only name allowed to be set to 0)
501 default inside 100 (the name inside is the only name allowed to be set to 100)
Any other name can be set to values between 1 and 99.
Pix(config)# ip address if_name ip_address snm (static)
Pix(config)# ip address if_name dhcp setroute (dhcp client) (setroute accepts the default route)
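As an added example (not from the original notes), the two PIX 501 slides above carried through for a PIX running OS 6.3 in the default two-interface SOHO layout. The LAN address 192.168.1.0/24 is an assumed sample value; the interface and nameif lines are the pre-7 global configuration mode syntax described above.

```cisco
! Added example (not from the original notes): PIX 501, OS 6.3, global config mode.
! Physical settings: WAN auto-negotiates, LAN forced to 100 Mb full-duplex.
interface ethernet0 auto
interface ethernet1 100full
! Logical names and security levels (these are also the 501 factory defaults)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! WAN side learns its address and default route from the provider's DHCP server
ip address outside dhcp setroute
! LAN side static (assumed sample address)
ip address inside 192.168.1.1 255.255.255.0
! Verify: interface state, addresses and the learned default route
show interface
show ip address
show route
```

Because outside is security 0 and inside is security 100, inside hosts can initiate traffic outward immediately, while nothing from outside reaches inside until a static or ACL explicitly allows it.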
ASA Logical Config.
ASA 5505 Interface Configuration
The ASA 5505 includes an 8 port switch and thus has 8 physical ports.
Like most Cisco switches, by default all 8 ports would be assigned to VLAN 1.
Depending on the ASA license, the maximum number of VLANs is 3 or 20.
We have the basic license, which allows only 3 VLANs.
The factory default configuration creates 2 VLANs (1 and 2).
VLAN 1 is inside and VLAN 2 is outside, with the physical ports set to auto neg. speed and duplex.
E0/0 is assigned to VLAN 2 and all others are in VLAN 1.
Note: The ASAs do not have limitations on the interface names and security levels. Any name can be assigned 100 or 0. The default is for the inside to be set to 100 and all other interfaces set to 0.
Note: On both the ASAs and PIX, by default traffic is restricted between interfaces set to the same security level.
ASA(config)# interface vlan
ASA(config-if)# nameif
ASA(config-if)# ip address [subnet_mask] (Static address)
ASA(config-if)# ip address dhcp setroute (dhcp client)
(setroute causes the ASA to accept a default route from the dhcp server)
ASA(config-if)# security-level
ASA(config-if)# [no] shutdown
Note: For the ASA 5505 the default is no shutdown, all other ASAs the default is shutdown.
ASA Interface Physical Settings and DMZ
ASA(config)# interface physical_name
ASA(config-if)# switchport access vlan
ASA(config-if)# speed
Value 10, 100, auto
ASA(config-if)# duplex
Value auto, full, half
ASA(config-if)# [no] shutdown
On an ASA, to allow traffic flow between interfaces with the same security levels, enter the following command.
ASA(config)# same-security-traffic permit inter-interface
For a PIX, an ACL must be created to allow traffic between interfaces with the same security levels.
The DMZ configuration depends on the ASA 5505 license, Base or Security +. The Base license only allows 3 VLANs, and one of the VLANs is restricted for data flow to one other VLAN. The Security + license allows 20 VLANs and does not restrict the data flow. We are using the Base license and the following example shows a restricted configuration.
Note, the inside and outside interfaces have already been given standard default settings.
ASA(config)# interface vlan 3
ASA(config-if)# ip address
ASA(config-if)# no forward interface vlan 1
ASA(config-if)# nameif dmz
ASA(config-if)# security-level ! Typically some mid-range value, 50, 60 or 70.
ASA(config-if)# no shut
ASA(config-if)# interface ethernet
ASA(config-if)# switchport access vlan 3
ASA(config-if)# no shut
Note: Normally static NAT would then be configured for the server installed on the DMZ.
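The following is an added example, not from the original notes, that writes out the three ASA 5505 interface slides above as one complete Base-license configuration: inside and outside with their defaults, a third VLAN for the DMZ, and the switchport assignments. The addresses (192.168.1.0/24 inside, 172.16.1.0/24 dmz) and the choice of port e0/2 for the DMZ are assumed sample values.

```cisco
! Added example (not from the original notes): ASA 5505, Base license, three VLANs.
! Inside and outside as the factory default lays them out
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
! Third VLAN: with the Base license the "no forward interface" line must come
! before nameif, and it stops the DMZ from initiating traffic toward inside
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
! Switch ports: e0/0 is the WAN uplink, e0/2 the DMZ server port; the rest stay in VLAN 1
interface ethernet0/0
 switchport access vlan 2
 no shutdown
interface ethernet0/2
 switchport access vlan 3
 no shutdown
! Verify VLAN membership, logical names and addresses
show switch vlan
show nameif
show interface ip brief
```

With these security levels, inside (100) can reach the DMZ (50) and outside (0), the DMZ can reach outside but not inside, and nothing from outside reaches either without an ACL. The static NAT for the DMZ server that the note above mentions is the next step.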
Clear Commands
Clear commands are used to perform two functions in the PIX or ASA.
1 Clear counters, statistics or tables for the specified device function.
2 Clear the specified configuration commands.
Note: Individual clear commands have been added with different OS versions, with many of them added in versions 7.0 to 7.2. As such, they will not all be available on our PIX 501s using version 6.3.
Examples:
ASA# clear conn (clears the connection table)
ASA# clear interface e0 (clears the interface statistics counters)
ASA# clear access-list (clears the access-list counters)
ASA# clear mac-address-table (clears the switch address table)
ASA# clear xlate (clears the connection and translation tables)
Note: clear xlate should be done any time a change is made to NAT, ACLs etc., but it will remove all current connections and translations.
Examples:
ASA(config)# clear configure access-list (clears all access-list configuration commands)
ASA(config)# clear configure access-list IN (clears only the access-list commands with ID IN)
ASA(config)# clear configure banner (clears all the banner commands)
ASA(config)# clear configure all (clears the entire configuration in RAM)
ASA(config)# clear configure icmp (clears all the icmp commands, version 7 and newer)
PIX(config)# clear icmp (clears all icmp commands, version 6)
DHCP Settings, Client and Server
DHCP Client and Server
Note: DHCP clients can be set up on the WAN interface, with DHCP servers set up on the LAN and DMZ interfaces. Static addresses can be used on any interface.
Note: Examples are for two interface devices with the logical interfaces named Inside (LAN) and Outside (WAN).
Example 1, default SOHO configuration. Outside set as a DHCP client and the Inside set as a DHCP server. Outside settings for DNS etc. will be passed to the LAN clients.
WAN DHCP client, LAN static ip.
PIX(config)# ip address outside dhcp setroute
PIX(config)# ip address inside
ASA under vlan 1 interface configuration:
ASA(config-if)# ip address
ASA under vlan 2 interface configuration:
ASA(config-if)# ip address dhcp setroute
LAN DHCP server settings, using the DNS etc. learned from the WAN DHCP client.
PIX and ASA are the same.
PIX(config)# dhcpd address - interface_name
PIX(config)# dhcpd auto_config interface_name
PIX(config)# dhcpd enable interface_name
DHCP Server Optional and Manual Settings
Optional and manual DHCP server settings.
PIX(config)# dhcpd address - interface_name
PIX(config)# dhcpd domain
PIX(config)# dhcpd dns []
PIX(config)# dhcpd wins []
PIX(config)# dhcpd lease
PIX(config)# dhcpd ping_timeout
PIX(config)# dhcpd enable interface_name
Note: PIX 501 and ASA 5505 license to max. DHCP pool size:
10 users: max. pool size 32
50 users: max. pool size 128
Unlimited users: max. pool size 256
Note: To change the network address or subnet for the LAN, first remove the DHCP pool of addresses by entering the command with a no in front of it. This removes the pool and disables the DHCP server. Then enter the new IP address on the interface of the DHCP server, re-enter the DHCP pool command with the new pool address range, then re-enable the DHCP server.
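As an added example (not from the original notes), the two DHCP slides above as one ASA 5505 configuration: outside as a DHCP client, inside as a DHCP server that hands the LAN clients the DNS and domain learned on outside, with a pool sized to stay inside the 10-user license limit. The 192.168.1.0/24 addressing, the lease length and the ping timeout are assumed sample values.

```cisco
! Added example (not from the original notes): WAN DHCP client, LAN DHCP server.
! Outside learns its address and default route; inside is static (assumed values)
interface vlan 2
 nameif outside
 ip address dhcp setroute
interface vlan 1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
! Pool of 31 addresses, within the 32-address limit of the 10-user license
dhcpd address 192.168.1.10-192.168.1.40 inside
! Copy DNS, WINS and domain options from the lease received on outside
dhcpd auto_config outside
! One-hour leases; 750 ms ping check before an address is offered (the default)
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
! Verify the leases handed out and the options learned from the WAN side
show dhcpd binding
show dhcpd statistics
```

To renumber the LAN later, follow the note above in order: "no dhcpd address 192.168.1.10-192.168.1.40 inside", change the vlan 1 address, re-enter dhcpd address with the new range, then "dhcpd enable inside" again.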
Network & Service Objects and Object Groups
The ASA, like the router IOS, supports network objects and object grouping. Using these configuration rules can simplify the configuration for many areas of the firewall. Two areas that we will cover are ACLs and NAT/PAT for OS 8.3 or newer. Once an object or object group has been defined, it can be used or reused in many different areas. Also, when you make a change to an object or object group, the change will be automatically applied to all the rules that use it. NAT only uses objects, not object groups.
Two object types can be configured:
Network object- Contains an IP address/mask pair; can be a host, subnet or range of addresses.
Service object- Contains a protocol and optional source and/or destination port.
Objects can then be attached to or detached from one or more object groups. Object group types include:
icmp-type, network, protocol, service or user
Then the object groups can be used in the ACL or NAT configuration statements, instead of using the individual network addresses, protocols or TCP/UDP ports.
This reduces the number of ACL or NAT statements that you would have to configure.
Note: The number of statements isn't reduced, just the number you have to enter. The OS takes the objects and object groups and enters the commands for each entry in the object group. The total number of finished commands is still the same.
Network Object Creation:
ASA(config)# object network
ASA(config-network-object)# host
ASA(config-network-object)# subnet
ASA(config-network-object)# range
Service Objects
Service Object Creation:
ASA(config)# object service
ASA(config-service-object)# service [source [ ]] [destination [ ]]
ASA(config-service-object)# service tcp [source [ ]] [destination [ ]]
ASA(config-service-object)# service udp [source [ ]] [destination [ ]]
ASA(config-service-object)# service icmp
ASA(config-service-object)# service icmp6
Note: port operators are eq, neq, lt, gt and range.
Objects can also be grouped together to create an object group. Create the group name, then create the objects within the group. Also, previously created object groups can be nested into another object group.
Network Object Group Creation:
ASA(config)# object-group network
ASA(config-network-object-group)# description
ASA(config-network-object-group)# network-object
ASA(config-network-object-group)# group-object
Protocol Object Group Creation:
ASA(config)# object-group protocol
ASA(config-protocol-object-group)# protocol-object ! tcp, udp, ipsec etc.
ASA(config-protocol-object-group)# group-object
Object Groups
ICMP Object Group Creation:
ASA(config)# object-group icmp-type
ASA(config-icmp-object-group)# icmp-object
ASA(config-icmp-object-group)# group-object
Service Object Group Creation: Multiple possible rules, depending on the selected options.
ASA(config)# object-group service
ASA(config-service-object-group)# service-object destination
Or
ASA(config)# object-group service [tcp | udp | tcp-udp]
ASA(config-service-object-group)# port-object
ASA(config-service-object-group)# group-object
To erase objects or object groups, enter the no form of the command.
To erase all objects enter:
ASA(config)# clear config object [network | service]
To erase all object groups enter:
ASA(config)# clear configure object-group
To verify objects or object groups enter one of the following:
ASA# show running-config object
ASA# show running-config object-group
Address Translation, Dynamic and Static NAT
Address Translation (NAT, PAT, Dynamic, Static), OS version 7.0 to 8.2.5. 8.3 and higher use completely different commands.
Note: Address translation was designed around the flow of traffic from a high security interface to a low security interface.
Note: Pre OS version 7, address translation was required; if traffic did not match a configured NAT statement, the data was dropped. With OS version 7, NAT became optional, and if the traffic did not match a NAT statement, it was allowed and no translation was completed.
Note: There are commands that turn off the requirement for address translation, and there is a command that allows OS version 7 and newer to work the same as previous versions.
Note: For public addresses not requiring NAT, static NAT can be completed with the same address used for both local and global addresses.
Note: Static NAT is always done before dynamic NAT.
To require translation for IOS version 7 or higher enter the following:
ASA(config)# nat-control
Dynamic NAT is a two part process.
The nat command defines the local or source interface and the addresses that need to be translated.
The global command defines the destination or exit interface and the addresses that the local values are translated to.
The NAT_ID ties the two commands together.
A NAT_ID of 0 will disable required address translation for that range of local addresses, and does not use a global statement.
Dynamic address translation.
ASA(config)# nat (logical_if_name) NAT_ID local_ip_address SNM
Note: Address and SNM of 0.0.0.0 0.0.0.0 will cause the device to translate all addresses.
ASA(config)# global (logical_if_name) NAT_ID - [netmask SNM] | interface
The interface option will cause the device to use the address of the logical interface selected, for devices using a WAN DHCP client.
Static NAT.
ASA(config)# static (local_interface_name,global_interface_name) global_ip_address local_ip_address [netmask SNM]
Static PAT is a form of port redirection and is covered in my ACL notes.
Note: ACLs may be used with NAT to allow both source and destination addresses to be used for deciding if the translation will be allowed.
Note: For traffic entering your network, filtering (ACLs and conduits) is always completed before NAT. So the global addresses must be used in the ACL or conduit statements.
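The following is an added example, not from the original notes, of the 7.0 to 8.2.5 two-part dynamic NAT plus a static mapping, written for the inside/dmz/outside layout used on the 5505 slides. The private ranges and the 203.0.113.x public address (documentation space standing in for a real provider address) are assumed sample values.

```cisco
! Added example (not from the original notes): pre-8.3 NAT. NAT_ID 1 ties each nat
! statement to the global statement; the DMZ server gets a one-to-one static.
! Enforce translation as in pre-7 releases: untranslated traffic is dropped
nat-control
! Dynamic PAT: inside and dmz hosts leaving via outside share the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
! Static NAT for the DMZ web server. Because filtering happens before NAT on inbound
! traffic, an ACL on outside must reference 203.0.113.10, not 172.16.1.10
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
! Existing translations keep their old mapping until cleared
clear xlate
! Verify: static entries are listed first, then the dynamic PAT entries
show xlate detail
show nat
```

With nat-control on, a host in a subnet that has no nat statement cannot pass the firewall at all, which is a useful way to catch an address range that was added to an interface but never reviewed for translation policy.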
OS Version 8.3 and Higher NAT and PAT
OS version 8.3 and newer use network objects to complete their NAT and PAT configurations, which is designed to simplify the process. The global and static commands are no longer supported. This form of NAT may be referred to as AUTO_NAT.
A network object is created, and then within this object the NAT is configured. Network objects can be a host, subnet or range of addresses.
NAT configuration:
ASA(config)# object network
ASA(config-network-object)# host
or
ASA(config-network-object)# subnet
or
ASA(config-network-object)# range
! Dynamic NAT | PAT
ASA(config-network-object)# nat [(,)] dynamic {mapped-inline-host [interface] | [mapped-obj] [pat-pool mapped-obj [round-robin]] [interface]} [dns]
! Static NAT
ASA(config-network-object)# nat [(,)] static
Note: See examples in the ASA example configs or the PIX and ASA example networks fall 2013 PowerPoints.
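As an added example (not from the original notes), the object and object-group slides and the 8.3+ NAT slide above carried through together: the same DMZ web server and inside network as the earlier pre-8.3 example, now expressed as network objects that carry their own NAT, with a service object-group reused by the ACL. Object names, addresses and the 203.0.113.10 public address are assumed sample values.

```cisco
! Added example (not from the original notes): OS 8.3+ object NAT and object groups.
! Inside network: dynamic PAT to the outside interface address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! DMZ web server: static one-to-one mapping carried inside the object
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
! Service group: editing it later updates every rule that references it
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
! Network group nesting the object above (more servers can be added here)
object-group network DMZ-SERVERS
 network-object object DMZ-WEB
! From 8.3 on, ACLs reference the real (untranslated) address, so the object
! holding 172.16.1.10 is used directly, unlike the pre-8.3 global-address rule
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-SERVERS object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
! Verify objects, the expanded ACL and the resulting translations
show running-config object
show running-config object-group
show access-list OUTSIDE-IN
show nat
show xlate
```

"show access-list OUTSIDE-IN" shows the expanded per-entry lines the note above describes: the OS still generates one element per group member, the administrator simply typed fewer of them.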
Protocol Fixups and Application Inspection
PIX Protocol Fixups and ASA Policy Inspection
Stateful firewalls and network address translations have problems working with some applications.
Some of these basic problems are:
Applications that open multiple connections
Applications and protocols that embed addressing and connection information in the application layer data
Applications and protocols that have security issues
Port number conversion made by the translating device
Cisco has identified many of the common applications and protocols that have these issues and has set up corrections for many of these.
The default configurations of the PIX 501 and ASA 5505 include commands to correct for the most used applications and protocols.
PIX- These are the fixup commands.
ASA- These are the policy inspection commands.
ICMP to and Through the Device
ICMP Traffic
ICMP traffic has different issues depending on whether it is traffic directed at the device's interfaces or traffic passing through the device. It also depends on the direction of the ICMP traffic, high security to low security or low to high security.
ICMP is not a stateful protocol and does not create a connection that can be entered into a state table to be used for the returning traffic.
ICMP also embeds address information into the data payload of the packets.
By default, ICMP packets are allowed to flow from the high security interface to the low security interface, but are denied entry to the low security interface even if the ICMP packets are returning responses.
Through OS version 6, ICMP fixup was enabled to fix the embedded address problem automatically. In version 7 and higher the fix is disabled by default and can be enabled through policy maps.
ICMP traffic through the device can be allowed by using ACLs for version 6 or higher.
For version 7 or higher, an inspection policy map may also be configured that turns on stateful tracking for ICMP by using the unique sequence numbers in the ICMP headers.
ICMP and ACLs are covered in my device filtering notes.
ICMP Inspection Configuration
ASA(config)# class-map icmp-class-map
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy_map
ASA(config-pmap)# class icmp-class-map
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# inspect icmp error
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy_map interface inside
Note: ICMP inspection can be added directly to the default inspection rules.
ICMP Traffic Directed at the Device Interfaces
For SOHO devices ICMP responses are enabled by default to allow easy network troubleshooting. For all the other PIX or ASA models, it is disabled by default to improve security.
The following command can be used to allow or deny ICMP traffic to the device interface.
ASA(config)# icmp {permit | deny} [ICMP_message_type]
ICMP_message_type can be the message name or number. If no message is entered, it defaults to all ICMP message types.
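The following is an added example, not from the original notes, showing the shortcut the note above mentions (adding ICMP inspection to the default global policy instead of building a separate policy map) together with the interface-directed icmp rules for a device that is not a SOHO model. The 192.168.1.0/24 management subnet is an assumed sample value; global_policy and inspection_default are the names the ASA default configuration already uses.

```cisco
! Added example (not from the original notes): stateful ICMP through the device,
! restricted ICMP to the device.
! Add ICMP tracking to the default policy that is already applied globally
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! Replies to echo requests sent from inside are now matched by sequence number and
! allowed back in without an ACL on outside.
! ICMP aimed at the appliance itself: none from outside, pings only from the LAN
icmp deny any outside
icmp permit 192.168.1.0 255.255.255.0 inside
! Verify: inspection counters and the short-lived ICMP "connections" being tracked
show service-policy inspect icmp
show conn protocol icmp
show running-config icmp
```

Denying ICMP to the outside interface removes the easy reachability check an outsider gets from pinging the firewall, while inspection keeps troubleshooting from inside working, which is the balance the slide above describes for the non-SOHO models.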
Logging
The appliances can log many different events such as denied TCP connections, console logins, IDS or IPS matches, ACL deny matches and many more. Depending on the configuration the device can log to the console, an internal buffer, an SNMP management station, email messages or an external syslog server. The default is to log to the console.
The information logged depends on the severity level configured. The lower the severity level number, the more important the message is. When a value is set, the device will log the message set and any messages with a lower level value.
Severity levels:
Level #  Level Name     Description
0        Emergencies    Indicates the device is unusable.
1        Alerts         You need to take immediate action to fix the problem.
2        Critical       A critical condition exists on the device.
3        Errors         The device experienced an error.
4        Warnings       There is a configuration or processing error.
5        Notification   A normal but important event occurred, such as someone configuring the device.
6        Informational  Something occurred on the device, such as a match on an ACL deny statement.
7        Debugging      Displays the output of debug commands.
Logging configuration commands:
ASA(config)# logging enable
ASA(config)# logging buffered
ASA(config)# logging asdm
ASA(config)# logging console
ASA(config)# logging monitor
ASA(config)# [no] logging message
ASA(config)# logging host [(logical_if_name)] syslog_ip_add [tcp|udp [port#]]
ASA(config)# logging facility
ASA(config)# logging trap
ASA(config)# logging standby
ASA(config)# logging device-id {hostname | ipaddress logical_if_name | string text}
ASA(config)# logging timestamp
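As an added example (not from the original notes), the logging commands above assembled into a configuration that keeps a local buffer for troubleshooting and ships the same events to a syslog collector, which is what makes the ACL deny and login events from the slide usable after the fact. The collector address 10.1.1.50 on inside and the buffer size are assumed sample values.

```cisco
! Added example (not from the original notes): buffered plus remote syslog logging.
logging enable
! Timestamps and the device name make the collector's records attributable
logging timestamp
logging device-id hostname
! Local buffer at informational (6): includes ACL and connection events, excludes debug (7)
logging buffered informational
logging buffer-size 65536
! Console stays quiet except for errors and worse
logging console errors
! Remote syslog: facility 20 (local4), level 6, UDP 514 to the collector on inside
logging facility 20
logging trap informational
logging host inside 10.1.1.50
! Let the standby unit log too when a failover pair is in use
logging standby
! Verify settings and watch the buffer fill
show logging
show logging | include Deny
```

Because the buffer is lost on reload, the syslog host is the copy that matters for incident review; "show logging" with the Deny filter is a quick local check that ACL denies are actually being recorded at the level chosen.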
Show Commands Page 1
ASA# show access-list (displays hit counters for access policies)
ASA# show arp (displays the arp table)
ASA# show clock (displays the system clock)
ASA# show configuration (shows the contents of the startup configuration)
ASA# show conn (shows the connection table)
ASA# show conn detail (shows the connection table with info. on its status, SYN, ACK, etc)
ASA# show cpu usage (displays the % of cpu usage)
ASA# show dhcpd bindings | state | statistics (displays the dhcp host mac to ip address bindings, interface states, client or server, dhcp pool and message statistics)
ASA# show disk (displays the files on the disk, disk 0 is flash)
ASA# show disk filesys (displays the disk geometry and file format, sectors, clusters etc)
ASA# show disk all (displays the two items above)
ASA# show firewall (displays the firewall mode, router or transparent)
ASA# show failover (displays the failover runtime info, not available on the 5505)
ASA# show flash (displays the files in flash)
ASA# dir (displays the files and directory information)
ASA# show interface detail | ip | stats | e0/0 (etc) | vlan | inside | outside (displays information on the interface option selected)
ASA# show ip (shows the ip addresses on the interfaces, and the method of assignment)
ASA# show ip address e0/0 (etc) | vlan | inside | outside (displays the ip information on the option selected)
Show Commands Page 2
ASA# show logging (shows the logging options settings enabled or disabled)
ASA# show memory (shows RAM use and availability)
ASA# show nameif (displays the VLAN logical interface names)
ASA# show names (displays the static hostnames configured)
ASA# show nat (displays the NAT policies configured on the device)
ASA# show running-config (displays the configuration in RAM)
ASA# show running-config interface (displays the configuration in RAM starting at the interface)
ASA# show startup-config (displays the configuration in NVRAM)
ASA# show ssh sessions (displays the active SSH sessions, with ID numbers)
ASA# ssh disconnect session_ID (disconnects the selected session)
ASA# show switch vlan (displays the vlans configured and the port assignments)
ASA# show switch mac-address-table (displays the port to mac-address table)
ASA# show traffic (displays the traffic statistics for all interfaces)
ASA# who (displays the active telnet sessions)
ASA# kill session_ID (disconnects the selected session)
ASA# show version (displays information on the ASA or PIX: IOS version, ASDM version, config_reg value, interface and memory information and license info.)
ASA# show xlate (displays the NAT translations)
ASA# show xlate detail (displays the NAT translations with details on the method used, static, dynamic etc)
Show Command Modifiers
Show running or startup config modifiers
ASA# show running-config all (displays all the default info., physical port settings etc)
ASA# show running-config interface e0/0 (displays info on just that interface)
ASA# show running-config | begin nat (displays info starting at the first instance of nat)
ASA# show running-config | include ip address (include displays the commands that include ip address)
ASA# show running-config | exclude ip address (exclude displays the commands that do not include ip address)
Packet Tracer Command
Packet Tracer is a unique feature added to the ASA starting with version 7.2. It can be used to check the configuration of the device, including its security policies. Packet Tracer is supported by both the CLI and ASDM. It allows you to create a pretend packet and trace it through the device to see if the device performs the way you want it to. If the packet is denied and dropped, it will show what caused it to be dropped, or it will show that the packet made it through the device. The commands allow you to specify the source interface for the packet, its protocol, its source and destination addresses and the source and destination port numbers.
ASA(config)# packet-tracer input [] [] [detailed] [xml]
ASA(config)# packet-tracer input icmp [detailed] [xml]
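As an added example (not from the original notes), two packet-tracer checks that exercise the NAT and ICMP policies from the earlier slides: an outbound HTTPS session from an inside host, and an inbound echo request to the published DMZ address. The interface names inside/outside and all addresses (198.51.100.10 as a remote host, 203.0.113.10 as the DMZ server's public address) are assumed sample values.

```cisco
! Added example (not from the original notes): simulated packets through the policy.
! 1. Inside host 192.168.1.20 opening HTTPS to a remote server; the detailed output
!    lists each phase (ACL, NAT, inspection) and the translation chosen
packet-tracer input inside tcp 192.168.1.20 40000 198.51.100.10 443 detailed
! 2. Inbound echo request (type 8, code 0) from the remote host to the DMZ server's
!    public address; shows whether the static NAT and an outside ACL admit it
packet-tracer input outside icmp 198.51.100.10 8 0 203.0.113.10
! 3. Same as 1 but emitted as XML for a script or ticket attachment
packet-tracer input inside tcp 192.168.1.20 40000 198.51.100.10 443 xml
```

Each run ends with a Result section: "Action: allow" or "Action: drop" and, for a drop, a Drop-reason naming the phase that rejected the packet, which is the quickest way to tell an ACL problem from a NAT or routing problem before touching the configuration.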
Password Recovery PIX
Password recovery is needed when someone has changed or lost the passwords for the device.
For security, password recovery requires access to the device through the console port and is completed by causing the device to boot to the monitor / ROMMON mode. From that point the password recovery varies depending on the device, PIX or ASA, and the model.
For both the PIX and ASA, entering monitor / ROMMON mode is done the same way. Reboot the device and hit the break or ESC key within 10 seconds.
PIX
Older PIX used floppy disks and did the recovery using a program on the floppy disk.
Newer PIX do not use floppy drives, but still use a program to blank the passwords. The PIX gets the program from a TFTP server and uses it to blank the passwords. The correct version of the password recovery program must be installed in the TFTP root folder of the TFTP server.
(For our PIX the correct file is np63.bin)
After that you can boot the IOS and configure new passwords for the device.
monitor> interface
monitor> address
monitor> gateway (if there is a router between the PIX and the TFTP server)
monitor> server
monitor> file
monitor> ping
monitor> tftp
Password Recovery ASA
ASA
The ASAs perform their password recovery the same way as newer routers. You boot to the ROMMON mode and change the config_reg
to cause the ASA to ignore the startup-config at bootup, then boot the ASA. Go to the privileged mode, change the passwords and
reset the config_reg back to its normal value. The ASAs values for the config_reg are different from those of the routers.
ASA normal boot: confreg 0x1
ASA recovery: confreg 0x41
rommon> confreg
Follow the prompts, accepting the default values until you get to the "disable system configuration" question. Enter Y, then complete the process accepting the default values.
Or
rommon> confreg 0x41
rommon> boot
The ASA boots up to the IOS without loading the startup-config.
1 Enter privileged mode.
2 Copy the startup-config to the running-config.
3 Reconfigure the new passwords.
4 Change the config_reg back to normal. ASA(config)# config-register 0x1
5 If needed re-enable the interfaces.
6 Save the running-config to the startup-config.
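The following is an added example, not from the original notes, writing the six ASA steps above out as one console session so the order is unambiguous, in particular that the register is set back to 0x1 before the save. The prompts, the hostname fw1 and the sample passwords are assumed values; the register values are the ones the slide gives.

```cisco
! Added example (not from the original notes): ASA password recovery from the console.
! ROMMON: tell the ASA to ignore startup-config on the next boot, then boot
rommon> confreg 0x41
rommon> boot
! The ASA comes up with a blank configuration, so enable has no password yet
ciscoasa> enable
! Step 2: bring the saved configuration back into RAM
ciscoasa# copy startup-config running-config
fw1# configure terminal
! Step 3: set new credentials for enable and the local admin account
fw1(config)# enable password New-Enable-Pw1
fw1(config)# username admin password New-Admin-Pw1 privilege 15
! Step 4: restore the normal register so the next reload loads startup-config again
fw1(config)# config-register 0x1
! Step 5: interfaces that came up shut down can be re-enabled here
fw1(config)# interface vlan 1
fw1(config-if)# no shutdown
fw1(config-if)# exit
! Step 6: save, then confirm the register before anyone reloads the box
fw1(config)# write memory
fw1(config)# show version | include Configuration register
```

Since the whole procedure needs nothing but console access, it is also the reason the slide earlier calls the console connection "secure because you have to physically access the device": the console port is the trust boundary, and a recovery should show up afterwards as an unexpected reload and register change in the logs.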