CLI Commands for ASA

Upload: emmet-hearon

Post on 03-Apr-2018


  • 7/29/2019 Cli Commands for ASA

    1/26

    Basic PIX / ASA CLI Commands

    PIX / ASA configuration and monitoring connections. Methods 1 and 2 use CLI commands.

    1. Console connection: serial port, rollover cable to the device. Considered secure because it requires physical access to the device. No user password is required, but the privileged (enable) password may be required.

    2. Telnet or SSH remote connections: user password and privileged password required.

    3. PDM or ASDM: Java-based web GUI for monitoring and configuration.

    AAA or local authentication can require a username and password on any of these methods for improved security.

    CLI commands for console, telnet and SSH connections.

    PIX> enable
    Password:
    PIX# disable

    PIX> help
    Or
    PIX> ?
    PIX> en ?
    PIX# help
    PIX# show ?
    PIX# configure terminal
    PIX(config)# show ?
    PIX(config)# hostname <name>
    Name(config)# domain-name <domain>
    Name(config)# console timeout <minutes>   (set to 0 and the console session does not time out)
    Name(config)# clock set hh:mm:ss day MONTH year   (MONTH is entered by name)
    Name(config)# name <ip_address> <name>
    Name(config)# names
    PIX# setup

    Note: Not all commands are included in the PIX help; the ASA's help is more complete.

    Note: Command editing is similar to the switch and router CLI, but some of the advanced editing features depend on the firewall's OS version (for example, tab command completion does not work in pre-7 OS versions). Enter q to quit long displays.

    Note: Show commands can be used in privileged or configuration mode.


    Factory Default and Config. Saving

    Default Configurations

    The PIX 501 and ASA 5505 were designed as SOHO devices. They come with a factory default configuration stored in flash. This configuration sets up a basic usable configuration for the device (WAN DHCP client, LAN DHCP server and basic usable settings for the other areas). The other PIX and ASA models also have a default configuration, but its main purpose is to set up the basic commands that allow ASDM connections to the management interface. At any time the running-config can be reset back to the factory default with the following command:

    Name(config)# configure factory-default

    The running-config then needs to be saved to NVRAM (write memory); until it is saved, a reload brings back the old startup-config.

    Configuration File Saving, Viewing

    Commands vary depending on the OS version, pre or post version 7.

    Pre 7: use the write commands; some copy commands also work.

    Post 7: use the write or copy commands.

    Name# write memory (saves the running-config to the startup-config)
    Name# write terminal (views the running-config)
    Name# write erase (erases the startup-config)
    Name# write standby (copies the running-config to the standby failover firewall)
    Name# configure memory (merges the startup-config into the running-config)
    Name# show configure (views the startup-config)
    Name# copy running-config startup-config (saves the running-config to the startup-config)
    Name# copy startup-config running-config (merges the startup-config into the running-config)
    Name# show running-config (views the configuration in RAM)
    Name# show startup-config (views the configuration in NVRAM)

    Note: "merges" means the startup-config commands are applied on top of the current running-config; commands that exist only in the running-config are not removed. Only a reload replaces the running-config completely.


    Passwords and Login Banners

    Passwords

    For security, all passwords are stored in hashed ("encrypted" in Cisco terminology) form in the firewall configuration; show running-config never displays the clear text.

    User exec - not used for the console connection, used for telnet and SSH connections.

    Name(config)# passwd <password>

    Privileged exec - used for moving from user to privileged mode on all connection types.

    Name(config)# enable password <password>

    Login Banners

    Name(config)# banner {asdm | exec | login | motd} <text>

    motd - message displayed at the beginning of all connections
    asdm - message displayed after login on an ASDM connection
    exec - message displayed before the CLI prompt
    login - message displayed before the username and password prompts


    Telnet and SSH Remote Connections

    The device has to be preconfigured through the console to bring up the interfaces and allow management traffic to the device.

    Telnet Setup

    Telnet is not secure (the passwords and every command cross the network in clear text), and as such it is typically only allowed from hosts on the high security interfaces. The firewall will not accept telnet on its lowest security interface at all.

    Two things must be set up to allow telnet to the device: a user password and a list of the IP addresses allowed to open telnet connections.

    PIX(config)# passwd <password>
    PIX(config)# telnet <ip_address> <SNM> <logical_if_name>
    PIX(config)# telnet timeout <minutes>

    SSH Setup

    SSH creates an encrypted connection and can be used from any interface.

    SSH requires four things to be set up: a user password, host and domain names, an RSA key pair (public and private keys) and a list of allowed IP addresses.

    PIX(config)# hostname <name>
    Name(config)# domain-name <domain>
    Name(config)# passwd <password>
    Name(config)# ca generate rsa key <modulus>

    Modulus of 512, 768, 1024 or 2048 bits. A larger key adds security but uses more resources; 512 and 768 bit RSA keys are factorable with modest effort and should not be used, so generate at least 1024 bits on the PIX and 2048 bits on the ASA.

    Name(config)# ca save all
    Name(config)# sh ca mypubkey rsa
    Name(config)# ssh <ip_address> <SNM> <logical_if_name>
    Name(config)# ssh timeout <minutes>

    ASA is the same except for the key generation, key saving and display:

    ASA(config)# crypto key generate rsa modulus <bits>

    Follow and answer the prompts.

    ASA# write memory
    ASA# show crypto key mypubkey rsa

    Note: Unless a username and password are configured, SSH connections to the PIX and ASA use a default username of pix together with the user (passwd) password. (Up to OS 8.3.)

    ASA(config)# username <name> password <password>
    ASA(config)# aaa authentication ssh console LOCAL ! Required for 8.4(2) or higher; the default pix login is no longer accepted.
    ASA(config)# ssh version 2 ! SSH version 1 has known protocol weaknesses; allow only version 2.
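    The remote-access rules above (telnet only from high security interfaces, SSH source restrictions, the pre-8.4(2) default pix login) can be checked mechanically against a saved configuration. The following Python script is an added example and is not part of these notes; the running-config it parses is constructed for the example (hostname fw1, the three VLAN interfaces and their addresses are made up), and the command lines it looks for are the telnet, ssh, username and aaa authentication commands described above.

```python
import re

# Constructed sample running-config for the audit (not a real device).
SAMPLE_CONFIG = """\
hostname fw1
domain-name example.test
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0
telnet 0.0.0.0 0.0.0.0 inside
telnet 10.10.1.0 255.255.255.0 dmz
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
"""

# telnet|ssh <ip> <mask> <if_name>; 'telnet timeout 5' has too few tokens to match.
ACCESS_RE = re.compile(r"^(telnet|ssh) (\S+) (\S+) (\S+)$")


def parse_security_levels(config):
    """Map nameif -> security-level from the interface sub-mode lines."""
    levels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def audit_remote_access(config):
    """Return (severity, finding) tuples for weak remote-management settings."""
    findings = []
    lines = config.splitlines()
    levels = parse_security_levels(config)
    ssh_enabled = False
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, ip, mask, ifname = m.groups()
        ssh_enabled |= proto == "ssh"
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(("high", f"{proto} permitted from any host on {ifname}"))
        # telnet is clear text: flag it anywhere below the inside (100) level
        if proto == "telnet" and levels.get(ifname, 100) < 100:
            findings.append(("high", f"cleartext telnet allowed on {ifname} "
                                     f"(security-level {levels[ifname]})"))
    if ssh_enabled:
        if "aaa authentication ssh console LOCAL" not in lines:
            findings.append(("medium", "no AAA for SSH: default user 'pix' with the passwd "
                                       "password is accepted (pre-8.4(2))"))
        if not any(l.startswith("username ") for l in lines):
            findings.append(("medium", "no local usernames defined for SSH/ASDM logins"))
        if "ssh version 2" not in lines:
            findings.append(("medium", "ssh version 2 not enforced"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_remote_access(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

    The sample config produces two high findings (telnet open to every inside host, telnet allowed on the security-level 50 dmz) and two medium ones (no local user, no aaa authentication for SSH). Feed it the output of show running-config from a real device to audit it the same way.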


    ASDM (OS version 7 and later) and PDM (OS version 6)

    Web and Java based GUI for configuring and monitoring ASA or PIX devices. PDM was included in flash on the PIX 501, but was an option on the other models. Starting with OS 7, ASDM has been included in flash on all the ASAs.

    A basic configuration must be completed on the device to allow web access to the device through one or more of its network interfaces.

    OS and ASDM/PDM versions depend on each other; updating one will usually require you to update the other. Also, not all versions of the Java component are compatible with every version of PDM or ASDM. The PIX 501s were never updated to OS version 7 or later, and thus never moved to ASDM.

    Our PIX 501s with PDM are only compatible with Java 1.4.1 or older. ASDM is compatible with 1.4.2 and newer. We will only do ASDM labs on the ASAs so that we won't have to keep changing and downgrading the Java component.

    ASDM uses HTTPS (SSL/TLS) to protect the communications between the desktop and the appliance.

    The factory default configuration on an ASA 5505 or PIX 501 allows ASDM or PDM connections from hosts on the inside network.

    Basic ASA configuration required before ASDM can be used:

    ASA(config)# hostname <name>
    Name(config)# domain-name <domain>
    Name(config)# enable password <password>
    Name(config)# interface <physical_name>
    Name(config-if)# nameif <logical_if_name>
    Name(config-if)# ip address <ip_address> <SNM>
    Name(config-if)# security-level <0-100>
    Name(config-if)# speed {10 | 100 | auto}
    Name(config-if)# duplex {full | half | auto}
    Name(config-if)# no shutdown
    Name(config-if)# exit
    Name(config)# http server enable [port#]   ([port#] defaults to the standard value of 443; this option allows it to be changed)
    Name(config)# http <ip_address> <SNM> <logical_if_name>

    Hostname and domain-name are required; they are used to generate the RSA key for SSL.

    A username and password can also be configured to enhance the ASDM logon security (aaa authentication http console LOCAL).

    ASA 5505 interface settings

    Name(config)# interface vlan <vlan#>
    Name(config-if)# nameif <logical_if_name>
    Name(config-if)# ip address <ip_address> [SNM]
    Name(config-if)# security-level <0-100>

    Note: Leave the physical interface settings at their default values (auto negotiate speed and duplex, E0/0 in VLAN 2, all others in VLAN 1, all ports no shutdown).


    Interface Config. and PIX inter. HW Values

    Interface configurations

    Interface configuration differs between the PIX and ASA, and can differ between device models. On all the devices there are two distinct areas of interface configuration, physical and logical interfaces.

    Physical - used to set up the physical properties of the interface: speed, duplex, security level, IP address, shutdown / no shutdown and the logical interface name. Physical interfaces are Ethernet number (PIX e0 or e1) (ASA 5505 e0/0 to e0/7); devices with gigabit ports use g0/0 etc.

    Prior to OS version 7.0, the physical interface setup was done in global configuration mode. From OS version 7 on, the OS uses an interface subcommand mode.

    After the physical interface is set up and a logical name is assigned, all other interface commands reference the logical name.

    Note: Because of the internal switch with VLANs, the ASA 5505 is slightly different from the standard ASA configuration.

    PIX 501 Interface Configuration

    The PIX 501 does not work with VLANs.

    Pix(config)# interface <hardware-id> <hardware-speed> [shutdown]

    Hardware-id
    Ethernet 0 (typically the WAN port)
    Ethernet 1 (typically the LAN port)

    Hardware-speed
    1000auto (not available on the 501)
    10baset (10M half-duplex)
    10full (10M full-duplex)
    100basetx (100M half-duplex)
    100full (100M full-duplex)
    auto (auto negotiate speed and duplex)

    Optional shutdown. Enter no shutdown to turn the interface on. The 501 default is on; on all other PIX models the default is shutdown.


    PIX Interface Logical, Names and Security

    Pix(config)# nameif <hardware-id> <if-name> <security-level>

    Hardware-id - same as above

    If-name - desired logical interface name, up to 48 characters, no spaces

    501 factory default: E0 outside, E1 inside

    Security-level - 0 to 100, with 100 being the highest security level. By default traffic is allowed to flow from a higher level to a lower level; the reverse direction is allowed only when the traffic is a reply to a request from the higher level, or an ACL allows the flow.

    501 default outside 0 (the name outside is the only name allowed to be set to 0)

    501 default inside 100 (the name inside is the only name allowed to be set to 100)

    Any other name can be set to values between 1 and 99.

    Pix(config)# ip address <if-name> <ip_address> <SNM> (static)

    Pix(config)# ip address <if-name> dhcp [setroute] (DHCP client; setroute accepts the default route from the DHCP server)


    ASA Logical Config.

    ASA 5505 Interface Configuration

    The ASA 5505 includes an 8 port switch and thus has 8 physical ports. Like most Cisco switches, by default all 8 ports are assigned to VLAN 1. Depending on the ASA license, the maximum number of VLANs is 3 or 20. We have the Base license, which allows only 3 VLANs.

    The factory default configuration creates 2 VLANs (1 and 2). VLAN 1 is inside and VLAN 2 is outside, with the physical ports set to auto negotiate speed and duplex. E0/0 is assigned to VLAN 2 and all the others are in VLAN 1.

    Note: The ASAs do not have the PIX limitations on interface names and security levels. Any name can be assigned 100 or 0. The default is for an interface named inside to be set to 100 and all other interfaces to 0.

    Note: On both the ASAs and PIX, by default traffic is blocked between interfaces set to the same security level.

    ASA(config)# interface vlan <vlan#>
    ASA(config-if)# nameif <logical_if_name>
    ASA(config-if)# ip address <ip_address> [subnet_mask] (static address)
    ASA(config-if)# ip address dhcp [setroute] (DHCP client; setroute causes the ASA to accept a default route from the DHCP server)
    ASA(config-if)# security-level <0-100>
    ASA(config-if)# [no] shutdown

    Note: For the ASA 5505 the default is no shutdown; on all other ASAs the default is shutdown.


    ASA Interface Physical Settings and DMZ

    ASA(config)# interface <physical_name>
    ASA(config-if)# switchport access vlan <vlan#>
    ASA(config-if)# speed {10 | 100 | auto}
    ASA(config-if)# duplex {auto | full | half}
    ASA(config-if)# [no] shutdown

    On an ASA, to allow traffic to flow between interfaces with the same security level, enter the following command:

    ASA(config)# same-security-traffic permit inter-interface

    On a PIX, an ACL must be created to allow traffic between interfaces with the same security level.

    The DMZ configuration depends on the ASA 5505 license, Base or Security Plus. The Base license only allows 3 VLANs, and one of the three is restricted: it may not initiate traffic to one of the other two VLANs. The Security Plus license allows 20 VLANs and does not restrict the data flow. We are using the Base license, and the following example shows a restricted configuration.

    Note: the inside and outside interfaces have already been given the standard default settings.

    ASA(config)# interface vlan 3
    ASA(config-if)# ip address <ip_address> <SNM>
    ASA(config-if)# no forward interface vlan 1
    ASA(config-if)# nameif dmz
    ASA(config-if)# security-level <level> ! Typically some mid-range value: 50, 60 or 70.
    ASA(config-if)# no shut
    ASA(config-if)# interface ethernet 0/<port#>
    ASA(config-if)# switchport access vlan 3
    ASA(config-if)# no shut

    Note: Normally static NAT would then be configured for the server installed on the DMZ. With no forward interface vlan 1 on the DMZ VLAN, DMZ hosts cannot open connections to the inside, but inside hosts can still reach the DMZ and receive the replies.
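    The default flow rules from the last few pages (higher to lower allowed, lower to higher only by ACL, same level only with same-security-traffic permit inter-interface, and the Base licence no forward interface restriction) are small enough to state as one decision function. This Python block is an added example, not code from these notes; the interface names and security levels in IFACES and the no forward entry are a constructed ASA 5505 layout (inside 100, dmz 50, outside 0) matching the DMZ example above.

```python
# Constructed interface layout: inside/dmz/outside on an ASA 5505 with
# 'no forward interface vlan 1' configured on the dmz VLAN.
IFACES = {"inside": 100, "dmz": 50, "outside": 0}
NO_FORWARD = {("dmz", "inside")}   # (initiating_if, blocked_destination_if)


def default_flow(src, dst, ifaces=IFACES, same_security_permit=False,
                 no_forward=NO_FORWARD, acl_permits=False):
    """Return (allowed, reason) for a NEW connection initiated src -> dst.

    Only initiation is modelled: replies to an allowed connection always
    return through the state table, whatever the levels are.
    """
    if src == dst:
        return False, "intra-interface traffic needs same-security-traffic permit intra-interface"
    if (src, dst) in no_forward:
        return False, f"'no forward interface' on {src} blocks it from initiating to {dst}"
    s, d = ifaces[src], ifaces[dst]
    if s > d:
        return True, f"{src} ({s}) to {dst} ({d}): higher to lower security, allowed by default"
    if s == d:
        if same_security_permit:
            return True, f"{src} to {dst}: same level, permitted by same-security-traffic permit inter-interface"
        return False, f"{src} to {dst}: same level, denied until same-security-traffic permit inter-interface is set"
    if acl_permits:
        return True, f"{src} ({s}) to {dst} ({d}): lower to higher, permitted by an ACL applied to {src}"
    return False, f"{src} ({s}) to {dst} ({d}): lower to higher, denied by default"


def flow_matrix(ifaces=IFACES, **settings):
    """Which (src, dst) pairs may initiate connections under the given settings."""
    return {(a, b): default_flow(a, b, ifaces, **settings)[0]
            for a in ifaces for b in ifaces if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(flow_matrix().items()):
        print(f"{a:>8} -> {b:<8} {'allowed' if ok else 'denied'}")
```

    With the constructed layout only inside to dmz, inside to outside and dmz to outside may initiate by default; outside can reach nothing until an ACL is applied to it, and dmz to inside stays blocked by the licence restriction regardless of levels or ACLs.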

    Clear Commands

    Clear commands are used to perform two functions in the PIX or ASA:

    1. Clear counters, statistics or tables for the specified device function.

    2. Clear the specified configuration commands.

    Note: Individual clear commands have been added with different OS versions, with many of them added in versions 7.0 to 7.2. As such, they will not all be available on our PIX 501s using version 6.3.

    Examples:

    ASA# clear conn (clears the connection table)
    ASA# clear interface e0 (clears the interface statistics counters)
    ASA# clear access-list <acl_id> counters (clears the hit counters of that access-list)
    ASA# clear mac-address-table (clears the switch address table)
    ASA# clear xlate (clears the translation table and the connections that use it)

    Note: clear xlate should be done any time a change is made to NAT, ACLs etc., but it removes all current connections and translations, so on a production device do it in a maintenance window.

    Examples:

    ASA(config)# clear configure access-list (clears all access-list configuration commands)
    ASA(config)# clear configure access-list IN (clears only the access-list commands with ID IN)
    ASA(config)# clear configure banner (clears all the banner commands)
    ASA(config)# clear configure all (clears the entire configuration in RAM)
    ASA(config)# clear configure icmp (clears all the icmp commands, version 7 and newer)
    PIX(config)# clear icmp (clears all the icmp commands, version 6)


    DHCP Settings, Client and Server

    DHCP Client and Server

    Note: A DHCP client can be set up on the WAN interface, with DHCP servers set up on the LAN and DMZ interfaces. Static addresses can be used on any interface.

    Note: Examples are for two-interface devices with the logical interfaces named inside (LAN) and outside (WAN).

    Example 1, default SOHO configuration: outside set as a DHCP client, inside given a static address and set up as a DHCP server. The DNS settings etc. learned on the outside are passed to the LAN clients.

    WAN DHCP client, LAN static IP.

    PIX(config)# ip address outside dhcp setroute
    PIX(config)# ip address inside <ip_address> <SNM>

    ASA, under the vlan 1 (inside) interface configuration:
    ASA(config-if)# ip address <ip_address> <SNM>

    ASA, under the vlan 2 (outside) interface configuration:
    ASA(config-if)# ip address dhcp setroute

    LAN DHCP server settings, using the DNS etc. learned from the WAN DHCP client. PIX and ASA are the same.

    PIX(config)# dhcpd address <start_ip>-<end_ip> <interface_name>
    PIX(config)# dhcpd auto_config <client_interface_name>   (the interface running the DHCP client, e.g. outside)
    PIX(config)# dhcpd enable <interface_name>   (the interface serving the LAN, e.g. inside)


    DHCP Server Optional and Manual Settings

    Optional and manual DHCP server settings.

    PIX(config)# dhcpd address <start_ip>-<end_ip> <interface_name>
    PIX(config)# dhcpd domain <domain_name>
    PIX(config)# dhcpd dns <dns_ip1> [dns_ip2]
    PIX(config)# dhcpd wins <wins_ip1> [wins_ip2]
    PIX(config)# dhcpd lease <seconds>
    PIX(config)# dhcpd ping_timeout <milliseconds>
    PIX(config)# dhcpd enable <interface_name>

    Note: PIX 501 and ASA 5505 license to maximum DHCP pool size:

    10 users         max. pool size 32
    50 users         max. pool size 128
    Unlimited users  max. pool size 256

    Note: To change the network address or subnet of the LAN, first remove the DHCP pool of addresses by entering the dhcpd address command with a no in front of it. This removes the pool and disables the DHCP server. Then enter the new IP address on the interface of the DHCP server, re-enter the dhcpd address command with the new pool range, then re-enable the DHCP server.


    Network & Service Objects and Object Groups

    The ASA, like router IOS, supports network objects and object groups. Using them simplifies the configuration in many areas of the firewall. The two areas we will cover are ACLs and NAT/PAT for OS 8.3 or newer. Once an object or object group has been defined it can be used and reused in many different places, and when you change an object or object group the change is automatically applied to every rule that uses it. NAT only uses objects, not object groups.

    Two object types can be configured:

    Network object - contains an IP address / mask pair; can be a host, a subnet or a range of addresses.

    Service object - contains a protocol and optional source and/or destination ports.

    Objects can then be attached to or detached from one or more object groups. Object group types include: icmp-type, network, protocol, service and user.

    The object groups can then be used in ACL or NAT configuration statements instead of the individual network addresses, protocols or TCP/UDP ports. This reduces the number of ACL or NAT statements that you have to type.

    Note: The number of statements isn't reduced, just the number you have to enter. The OS takes the objects and object groups and generates the commands for each entry in the object group, so the total number of expanded entries (visible with show access-list) is still the same.

    Network Object Creation:

    ASA(config)# object network <object_name>
    ASA(config-network-object)# host <ip_address>
    ASA(config-network-object)# subnet <network> <SNM>
    ASA(config-network-object)# range <start_ip> <end_ip>


    Service Objects

    Service Object Creation:

    ASA(config)# object service <object_name>
    ASA(config-service-object)# service <protocol_name_or_number>
    ASA(config-service-object)# service tcp [source <operator> <port>] [destination <operator> <port>]
    ASA(config-service-object)# service udp [source <operator> <port>] [destination <operator> <port>]
    ASA(config-service-object)# service icmp [<type> [<code>]]
    ASA(config-service-object)# service icmp6 [<type> [<code>]]

    Note: operator is one of eq, neq, lt, gt or range.

    Objects can also be grouped together to create an object group. Create the group name, then create the members within the group. Previously created object groups can also be nested inside another object group.

    Network Object Group Creation:

    ASA(config)# object-group network <group_name>
    ASA(config-network-object-group)# description <text>
    ASA(config-network-object-group)# network-object {host <ip_address> | <network> <SNM> | object <object_name>}
    ASA(config-network-object-group)# group-object <group_name>

    Protocol Object Group Creation:

    ASA(config)# object-group protocol <group_name>
    ASA(config-protocol-object-group)# protocol-object <protocol> ! tcp, udp, ipsec etc.
    ASA(config-protocol-object-group)# group-object <group_name>


    ICMP Object Group Creation:

    ASA(config)# object-group icmp-type <group_name>
    ASA(config-icmp-object-group)# icmp-object <icmp_type>
    ASA(config-icmp-object-group)# group-object <group_name>

    Service Object Group Creation: multiple possible forms, depending on the selected options.

    ASA(config)# object-group service <group_name>
    ASA(config-service-object-group)# service-object {<protocol> | tcp | udp | tcp-udp} [destination <operator> <port>]

    Or

    ASA(config)# object-group service <group_name> [tcp | udp | tcp-udp]
    ASA(config-service-object-group)# port-object {eq <port> | range <start_port> <end_port>}
    ASA(config-service-object-group)# group-object <group_name>

    To erase objects or object groups, enter the no form of the command.

    To erase all objects enter:

    ASA(config)# clear configure object [network | service]

    To erase all object groups enter:

    ASA(config)# clear configure object-group

    To verify objects or object groups enter one of the following:

    ASA# show running-config object
    ASA# show running-config object-group
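    The point made earlier, that object groups cut the number of lines you type but not the number of entries the firewall ends up with, is easiest to see by doing the expansion yourself. The Python block below is an added example, not code from these notes or from Cisco; it parses a constructed configuration (the object names web1, web2, WEB_SERVERS, WEB_PORTS, the addresses and the OUTSIDE_IN access-list are made up) and produces the flat entries that the ASA would list under show access-list.

```python
import itertools

# Constructed sample: two network objects, a network group that references
# them plus a subnet, a tcp service group, and one ACE that uses both groups.
SAMPLE = """\
object network web1
 host 10.1.1.10
object network web2
 host 10.1.1.11
object-group network WEB_SERVERS
 description public web tier
 network-object object web1
 network-object object web2
 network-object 10.1.2.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
"""


def parse_objects(config):
    """Collect object and object-group member lines keyed by name."""
    objects, groups, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith("object network "):
            current = objects.setdefault(raw.split()[2], [])
        elif raw.startswith("object-group "):
            current = groups.setdefault(raw.split()[2], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())          # sub-mode line of the open block
        else:
            current = None                        # any other global command
    return objects, groups


def members(name, objects, groups):
    """Flatten a group (recursively through group-object) into ACE clauses."""
    out = []
    for entry in groups[name]:
        kind, rest = entry.split(" ", 1)
        if kind == "group-object":
            out.extend(members(rest, objects, groups))
        elif kind == "network-object" and rest.startswith("object "):
            out.extend(objects[rest.split()[1]])  # 'host x' / 'subnet n m' of the object
        elif kind in ("network-object", "port-object", "icmp-object", "protocol-object"):
            out.append(rest)                      # 'host x', 'net mask', 'eq 80', ...
        # 'description' and other non-member lines are ignored
    return out


def expand_ace(ace, objects, groups):
    """Return the flat entries the ASA generates for one typed ACE."""
    tokens, alternatives, i = ace.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            alternatives.append(members(tokens[i + 1], objects, groups))
            i += 2
        elif tokens[i] == "object":
            alternatives.append(objects[tokens[i + 1]])
            i += 2
        else:
            alternatives.append([tokens[i]])
            i += 1
    # cartesian product: one entry per combination of group members
    return [" ".join(parts) for parts in itertools.product(*alternatives)]


def expand_config(config):
    """Expand every access-list line; returns (typed_lines, expanded_entries)."""
    objects, groups = parse_objects(config)
    typed = [l for l in config.splitlines() if l.startswith("access-list ")]
    expanded = [e for ace in typed for e in expand_ace(ace, objects, groups)]
    return typed, expanded


if __name__ == "__main__":
    typed, expanded = expand_config(SAMPLE)
    print(f"{len(typed)} typed line(s) -> {len(expanded)} expanded entries")
    for entry in expanded:
        print(" ", entry)
```

    One typed ACE with a three-member network group and a two-member port group becomes six entries, which is also the count the firewall's show access-list output and hit counters are kept against.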


    Address Translation, Dynamic and Static NAT

    Address Translation (NAT, PAT, Dynamic, Static), OS version 7.0 to 8.2.5. OS 8.3 and higher use completely different commands.

    Note: Address translation was designed around the flow of traffic from a high security interface to a low security interface.

    Note: Pre OS version 7, address translation was required: if traffic did not match a configured NAT statement, the packets were dropped. With OS version 7, NAT became optional; if the traffic does not match a NAT statement it is allowed through with no translation.

    Note: There are commands that turn off the requirement for address translation, and there is a command (nat-control) that makes OS version 7 and newer behave like the previous versions.

    Note: For public addresses not requiring NAT, static NAT can be configured with the same address used for both the local and global address (identity NAT).

    Note: Static NAT is always evaluated before dynamic NAT.

    To require translation on OS version 7 or higher, enter the following:

    ASA(config)# nat-control

    Dynamic NAT is a two part process. The nat command defines the local (source) interface and the addresses that need to be translated. The global command defines the destination (exit) interface and the addresses that the local addresses are translated to. The NAT_ID ties the two commands together. A NAT_ID of 0 disables required address translation for that range of local addresses (identity NAT) and does not use a global statement.

    Dynamic address translation:

    ASA(config)# nat (logical_if_name) NAT_ID local_ip_address SNM

    Note: An address and SNM of 0.0.0.0 0.0.0.0 cause the device to translate all addresses.

    ASA(config)# global (logical_if_name) NAT_ID {start_ip-end_ip [netmask SNM] | interface}

    A global range of one address, or the interface option, results in PAT (many local addresses sharing one global address). The interface option causes the device to use the address of the selected logical interface, which is what a device with a WAN DHCP client needs.

    Static NAT:

    ASA(config)# static (local_interface_name,global_interface_name) global_ip_address local_ip_address [netmask SNM]

    Static PAT is a form of port redirection and is covered in my ACL notes.

    Note: ACLs may be used with NAT (policy NAT) so that both the source and destination addresses decide whether the translation applies.

    Note: For traffic entering your network, filtering (ACLs and conduits) is always completed before NAT, so the global addresses must be used in the ACL or conduit statements.
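    The pre-8.3 lookup order described above (static first, then the nat/global pairs tied by NAT_ID, identity for NAT_ID 0, and nat-control deciding what happens when nothing matches) is worth tracing by hand before touching a production box. The following Python class is an added example that simulates that order for outbound flows; it is not Cisco code and is simplified (no policy NAT, no PAT fallback when a pool is exhausted, no port tracking). The interface names, addresses and pools in the test usage are a constructed example.

```python
import ipaddress


class LegacyNat:
    """Simplified pre-8.3 (OS 7.0 to 8.2) nat / global / static lookup."""

    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.if_addrs = {}      # logical_if_name -> interface address
        self.statics = []       # (local_if, global_if, global_net, local_net)
        self.nats = {}          # local_if -> [(nat_id, local_net)] in config order
        self.globals = {}       # (global_if, nat_id) -> "interface" | (start, end)
        self.next_free = {}     # (global_if, nat_id) -> next unused pool address

    def interface(self, name, ip):
        self.if_addrs[name] = ipaddress.ip_address(ip)

    def static(self, local_if, global_if, global_ip, local_ip, netmask="255.255.255.255"):
        """static (local_if,global_if) global_ip local_ip [netmask SNM]"""
        self.statics.append((local_if, global_if,
                             ipaddress.ip_network(f"{global_ip}/{netmask}", strict=False),
                             ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)))

    def nat(self, local_if, nat_id, local_ip, netmask):
        """nat (local_if) nat_id local_ip SNM"""
        self.nats.setdefault(local_if, []).append(
            (nat_id, ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)))

    def global_pool(self, global_if, nat_id, start, end=None):
        """global (global_if) nat_id start-end | interface"""
        if start == "interface":
            self.globals[(global_if, nat_id)] = "interface"
        else:
            self.globals[(global_if, nat_id)] = (ipaddress.ip_address(start),
                                                 ipaddress.ip_address(end or start))

    def translate(self, src_ip, in_if, out_if):
        """Return (mapped_ip or None, reason) for a new flow src_ip in_if -> out_if."""
        src = ipaddress.ip_address(src_ip)
        # 1. static entries are always evaluated first
        for l_if, g_if, g_net, l_net in self.statics:
            if (l_if, g_if) == (in_if, out_if) and src in l_net:
                offset = int(src) - int(l_net.network_address)
                return str(g_net.network_address + offset), "static"
        # 2. dynamic nat statements on the ingress interface, in config order
        for nat_id, l_net in self.nats.get(in_if, []):
            if src not in l_net:
                continue
            if nat_id == 0:
                return str(src), "identity (nat 0)"
            pool = self.globals.get((out_if, nat_id))
            if pool is None:
                return None, f"dropped: nat {nat_id} matched but no global on {out_if}"
            if pool == "interface":
                return str(self.if_addrs[out_if]), "dynamic PAT (interface)"
            start, end = pool
            if start == end:
                return str(start), "dynamic PAT (single global address)"
            nxt = self.next_free.get((out_if, nat_id), start)
            if nxt > end:
                return None, "dropped: global pool exhausted"
            self.next_free[(out_if, nat_id)] = nxt + 1
            return str(nxt), "dynamic NAT (pool)"
        # 3. nothing matched: nat-control decides
        if self.nat_control:
            return None, "dropped: nat-control is on and no nat statement matches"
        return str(src), "no translation (nat-control off)"


if __name__ == "__main__":
    fw = LegacyNat(nat_control=True)            # constructed example config
    fw.interface("outside", "203.0.113.1")
    fw.static("inside", "outside", "203.0.113.10", "192.168.1.10")
    fw.nat("inside", 1, "192.168.1.0", "255.255.255.0")
    fw.global_pool("outside", 1, "interface")
    fw.nat("dmz", 0, "10.1.1.0", "255.255.255.0")
    for host, in_if in (("192.168.1.10", "inside"), ("192.168.1.20", "inside"),
                        ("10.1.1.5", "dmz"), ("172.16.0.9", "inside")):
        print(host, in_if, "->", fw.translate(host, in_if, "outside"))
```

    Running the sample shows the server at 192.168.1.10 taking its static address ahead of the dynamic PAT rule that also covers it, the DMZ leaving untranslated through nat 0, and the unmatched 172.16.0.9 host being dropped only because nat-control is on.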


    OS Version 8.3 and Higher NAT and PAT

    OS version 8.3 and newer use network objects to complete their NAT and PAT configurations, which is designed to simplify the process. The global and static commands are no longer supported. This form of NAT is referred to as Auto NAT or object NAT (a separate manual NAT form, configured with the global nat command, also exists but is not covered here).

    A network object is created, and then the NAT is configured within that object. Network objects can be a host, subnet or range of addresses.

    NAT configuration:

    ASA(config)# object network <object_name>
    ASA(config-network-object)# host <ip_address>
    or
    ASA(config-network-object)# subnet <network> <SNM>
    or
    ASA(config-network-object)# range <start_ip> <end_ip>

    ! Dynamic NAT | PAT
    ASA(config-network-object)# nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip [interface] | [mapped_obj] [pat-pool mapped_obj [round-robin]] [interface]} [dns]

    ! Static NAT
    ASA(config-network-object)# nat [(real_ifc,mapped_ifc)] static {mapped_inline_host_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port]

    Note: With 8.3 and newer, an ACL on the outside interface references the real (untranslated) address of the inside server; this is the opposite of the pre-8.3 rule above, where the global address had to be used.

    Note: See examples in the ASA example configs or the PIX and ASA example networks fall 2013 PowerPoints.


    Protocol Fixups and Application Inspection

    PIX Protocol Fixups and ASA Policy Inspection

    Stateful firewalls and network address translation have problems working with some applications. Some of the basic problems are:

    Applications that open multiple connections (a control connection that negotiates additional data connections)
    Applications and protocols that embed addressing and connection information in the application layer data
    Applications and protocols that have security issues
    Port number conversion made by the translating device

    Cisco has identified many of the common applications and protocols that have these issues and has built corrections for many of them. The default configurations of the PIX 501 and ASA 5505 include commands to correct for the most used applications and protocols.

    PIX - these are the fixup commands.
    ASA - these are the policy inspection commands (inspect ... under a policy-map, applied with service-policy).



    ICMP to and Through the Device

    ICMP Traffic

    ICMP traffic has different issues depending on whether it is directed at the device's interfaces or passing through the device. It also depends on the direction of the ICMP traffic, high security to low security or low to high.

    ICMP is not a connection-oriented protocol and does not by itself create a connection that can be entered into the state table and matched against the returning traffic. ICMP also embeds address information in the data payload of some packets (error messages carry the header of the packet that triggered them).

    By default, ICMP packets are allowed to flow from the high security interface to the low security interface, but are denied entry at the low security interface even when they are the replies to those requests.

    Through OS version 6, ICMP fixup was enabled to fix the embedded address problem automatically. In version 7 and higher the fix is disabled by default and is enabled through policy maps.

    ICMP traffic through the device can be allowed by using ACLs on version 6 or higher.

    For version 7 or higher an inspection policy may also be configured that turns on stateful tracking for ICMP, using the identifier and sequence numbers in the ICMP headers to match replies to requests.

    ICMP and ACLs are covered in my device filtering notes.

    ICMP Inspection Configuration

    ASA(config)# class-map icmp-class-map
    ASA(config-cmap)# match default-inspection-traffic
    ASA(config-cmap)# exit
    ASA(config)# policy-map icmp_policy_map
    ASA(config-pmap)# class icmp-class-map
    ASA(config-pmap-c)# inspect icmp
    ASA(config-pmap-c)# inspect icmp error
    ASA(config-pmap-c)# exit
    ASA(config)# service-policy icmp_policy_map interface inside

    Note: ICMP inspection can instead be added directly to the default inspection rules (inspect icmp under the inspection_default class of global_policy), which then applies on every interface.

    ICMP Traffic Directed at the Device Interfaces

    For SOHO devices ICMP responses are enabled by default to allow easy network troubleshooting. For all the other PIX or ASA models it is disabled by default to improve security.

    The following command can be used to allow or deny ICMP traffic to a device interface:

    ASA(config)# icmp {permit | deny} {host <ip_address> | <ip_address> <SNM> | any} [<icmp_message_type>] <logical_if_name>

    icmp_message_type can be the message name or number. If no message type is entered it defaults to all ICMP message types. The rules on an interface are matched in order, first match wins, and once any icmp rule exists on an interface, ICMP to that interface that matches no rule is denied, so list the types you still need (for example unreachable, type 3, for path MTU discovery) explicitly.

    Logging

    The appliances can log many different events such as denied TCP connections, console logins, IDS or IPS matches, ACL deny matches and many more. Depending on the configuration the device can log to the console, an internal buffer, an SNMP management station, email messages or an external syslog server. The default is to log to the console.

    The information logged depends on the severity level configured. The lower the severity level number, the more important the message. When a level is set, the device logs messages at that level and any messages with a lower level number.

    Severity levels:

    Level #  Level Name      Description
    0        Emergencies     Indicates the device is unusable.
    1        Alerts          You need to take immediate action to fix the problem.
    2        Critical        A critical condition exists on the device.
    3        Errors          The device experienced an error.
    4        Warnings        There is a configuration or processing error.
    5        Notifications   A normal but important event occurred, such as someone configuring the device.
    6        Informational   Something occurred on the device, such as a match on an ACL deny statement.
    7        Debugging       Displays the output of debug commands.

    Logging configuration commands:

    ASA(config)# logging enable
    ASA(config)# logging buffered <level>
    ASA(config)# logging asdm <level>
    ASA(config)# logging console <level>
    ASA(config)# logging monitor <level>
    ASA(config)# [no] logging message <message_id>   (turns an individual syslog message ID on or off)
    ASA(config)# logging host [(logical_if_name)] syslog_ip_add [tcp|udp [port#]]
    ASA(config)# logging facility <16-23>
    ASA(config)# logging trap <level>   (the level sent to the syslog hosts)
    ASA(config)# logging standby
    ASA(config)# logging device-id {hostname | ipaddress <logical_if_name> | string <text>}
    ASA(config)# logging timestamp

    Note: logging console at level 6 or 7 floods the console and slows the device; send informational and debugging messages to the buffer or to a syslog host instead, and use logging timestamp and logging device-id so the syslog server can tell the firewalls and events apart.
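    The severity rule in the table above (a configured level forwards that level and every lower number) and the message IDs that matter for security monitoring are easy to exercise against real syslog text. The Python block below is an added example, not code from these notes; the log lines it parses are constructed for the example in the ASA syslog format (the hostname fw1, addresses, ports and timestamps are made up; the message IDs 106023, 106100, 111008, 605004, 605005 and 609001 are real ASA message numbers, but the text is modelled on them rather than copied from a device).

```python
import re
from collections import Counter

# Severity table from the notes: lower number = more important.
LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %ASA-<severity>-<6 digit id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
# Login permitted/denied from <src>/<port> to <if>:<ip>/<svc> for user "<name>"
LOGIN_RE = re.compile(r'Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ '
                      r'to \S+ for user "(?P<user>[^"]+)"')

# Constructed sample syslog lines (see lead-in); not captured from a real device.
SAMPLE_LOGS = [
    'Jul 29 2019 10:01:02 fw1 : %ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.7(41123) -> dmz/10.1.1.10(22) hit-cnt 1 first hit [0x8c3f1a2b, 0x0]',
    'Jul 29 2019 10:01:05 fw1 : %ASA-6-605005: Login permitted from 192.168.1.20/51234 to inside:192.168.1.1/ssh for user "admin"',
    "Jul 29 2019 10:01:09 fw1 : %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    'Jul 29 2019 10:02:30 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/41130 dst inside:192.168.1.1/23 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Jul 29 2019 10:03:00 fw1 : %ASA-6-605004: Login denied from 203.0.113.9/5555 to outside:203.0.113.1/ssh for user "pix"',
    'Jul 29 2019 10:03:04 fw1 : %ASA-6-605004: Login denied from 203.0.113.9/5556 to outside:203.0.113.1/ssh for user "admin"',
    'Jul 29 2019 10:05:00 fw1 : %ASA-7-609001: Built local-host inside:192.168.1.20',
]


def parse_line(line):
    """Split one syslog line into severity, message id and text (None if not ASA format)."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m["sev"]), "level": LEVEL_NAMES[int(m["sev"])],
            "id": m["id"], "text": m["text"]}


def logged_at(lines, level):
    """Messages a 'logging trap <level>' host would receive: severity <= level."""
    return [p for p in map(parse_line, lines) if p and p["severity"] <= level]


def failed_logins(lines):
    """Count 605004 (login denied) per source and flag attempts on the default 'pix' user."""
    per_src, default_user = Counter(), 0
    for p in logged_at(lines, 7):
        if p["id"] != "605004":
            continue
        m = LOGIN_RE.search(p["text"])
        if m:
            per_src[m["src"]] += 1
            if m["user"] == "pix":
                default_user += 1
    return per_src, default_user


if __name__ == "__main__":
    for level in (4, 6, 7):
        print(f"logging trap {level} ({LEVEL_NAMES[level]}): {len(logged_at(SAMPLE_LOGS, level))} of {len(SAMPLE_LOGS)} lines")
    print("failed logins:", failed_logins(SAMPLE_LOGS))
```

    Note what a conservative trap level hides: at logging trap 4 only the 106023 deny reaches the syslog server, while the SSH login failures (605004), the ACL hit counters (106100) and the configuration change (111008) are all level 5 or 6 and are never sent. A monitoring host wants at least level 6 from the firewall, with the noise handled on the collector rather than by discarding it at the source.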


    Show Commands Page 1

    Show Commands

    ASA# show access-list (displays the expanded access-list entries with their hit counters)
    ASA# show arp (displays the ARP table)
    ASA# show clock (displays the system clock)
    ASA# show configuration (shows the contents of the startup configuration)
    ASA# show conn (shows the connection table)
    ASA# show conn detail (shows the connection table with flags describing each connection's state, SYN, ACK, etc.)
    ASA# show cpu usage (displays the CPU usage percentage)
    ASA# show dhcpd {binding | state | statistics} (displays the DHCP host MAC to IP address bindings, the interface states (client or server), and the pool and message statistics)
    ASA# show disk (displays the files on the disk; disk0 is flash)
    ASA# show disk filesys (displays the disk geometry and file format: sectors, clusters etc.)
    ASA# show disk all (displays the two items above)
    ASA# show firewall (displays the firewall mode, routed or transparent)
    ASA# show failover (displays the failover runtime information, not available on the 5505)
    ASA# show flash (displays the files in flash)
    ASA# dir (displays the files and directory information)
    ASA# show interface {detail | ip brief | stats | e0/0 (etc.) | vlan <n> | inside | outside} (displays information on the interface option selected)
    ASA# show ip (shows the IP addresses on the interfaces and the method of assignment)
    ASA# show ip address {e0/0 (etc.) | vlan <n> | inside | outside} (displays the IP information on the option selected)


    Show Commands Page 2

    ASA# show logging (shows the logging options settings enabled or disabled)

    ASA# show memory (shows RAM use and availability)

    ASA# show nameif (displays the VLAN logical interface names)

    ASA# show names (displays the static hostnames configured)

    ASA# show nat (displays the NAT policies configured on the device)ASA# show running-config (displays the configuration in RAM)

    ASA# show running-config interface (displays the configuration in RAM starting at the interface)

    ASA# show startup-config (displays the configuration in NVRAM)ASA# show ssh sessions (displays the active SSH sessions, with ID numbers)

    ASA# ssh disconnect session ID (disconnects the selected session)

    ASA# show switch vlan (displays the vlans configured and the port assignments)

    ASA# show switch mac-address-table (displays the port to mac-address table)

    ASA# show traffic (displays the traffic statistics for all interfaces)

    ASA# who (displays the active telnet sessions)

    ASA# kill session_ID (disconnects the selected session)

    ASA# show version (displays information on the ASA or PIX: IOS version, ASDM version, config_reg value, interface and memory information and license info)

    ASA# show xlate (displays the NAT translations)

    ASA# show xlate detail (displays the NAT translations with details on the method used, static, dynamic etc)


    Show Command Modifiers

    Show running or startup config modifiers

    ASA# show running-config all (displays all the default info, physical port settings etc)

    ASA# show running-config interface e0/0 (displays info on just that interface)

    ASA# show running-config | begin nat (displays the config starting at the first instance of nat)

    ASA# show running-config | include ip address (displays only the commands that include ip address)

    ASA# show running-config | exclude ip address (displays the commands that do not include ip address)


    Packet Tracer Command

    Packet Tracer

    Packet Tracer is a unique feature added to the ASA starting with version 7.2. It can be used to check the configuration of the device, including its security policies. Packet Tracer is supported by both the CLI and ASDM. It allows you to create a simulated packet and trace it through the device to see if the device behaves the way you want it to. If the packet is denied and dropped, it shows what caused the drop; otherwise it shows that the packet made it through the device. The commands allow you to specify the source interface for the packet, its protocol, its source and destination addresses and the source and destination port numbers.

    ASA(config)# packet-tracer input <source-interface> <protocol> <source-address> <source-port> <destination-address> <destination-port> [detailed] [xml]

    ASA(config)# packet-tracer input <source-interface> icmp <source-address> <icmp-type> <icmp-code> <destination-address> [detailed] [xml]


    Password Recovery PIX

    Password Recovery

    Password recovery is needed when someone has changed or lost the passwords for the device.

    For security, password recovery requires access to the device through the console port and is completed by causing the device to boot to the monitor / ROMMON mode. From that point the password recovery varies depending on the device (PIX or ASA) and the model.

    Entering monitor / ROMMON mode is done the same way on both the PIX and the ASA: reboot the device and press the Break or ESC key within 10 seconds.

    PIX

    Older PIX used floppy disks and did the recovery using a program on the floppy disk.

    Newer PIX do not use floppy drives, but still use a program to blank the passwords. The PIX downloads the program from a TFTP server and uses it to blank the passwords. The correct version of the password recovery program must be installed in the TFTP root folder of the TFTP server.

    (For our PIX the correct file is np63.bin)

    After that you can boot the IOS and configure new passwords for the device.

    monitor> interface <interface-number> (the PIX interface that can reach the TFTP server)

    monitor> address <pix-ip-address>

    monitor> gateway <gateway-ip-address> (if there is a router between the PIX and the TFTP server)

    monitor> server <tftp-server-ip-address>

    monitor> file <password-recovery-file> (np63.bin for our PIX)

    monitor> ping <tftp-server-ip-address>

    monitor> tftp


    Password Recovery ASA

    ASA

    The ASAs perform their password recovery the same way as newer routers. You boot to the ROMMON mode and change the config_reg to cause the ASA to ignore the startup-config at bootup, then boot the ASA. Go to privileged mode, change the passwords and reset the config_reg back to its normal value. The ASA's values for the config_reg are different from those of the routers.

    ASA normal boot confreg 0x1

    ASA recovery confreg 0x41

    rommon> confreg (follow the prompts, accepting the default values until you get to the disable system configuration question; enter Y and complete the process accepting the default values)

    Or

    rommon> confreg 0x41

    rommon> boot

    The ASA boots up to the IOS without loading the startup-config.

    1 Enter privileged mode.

    2 Copy the startup-config to the running-config.

    3 Reconfigure the new passwords.

    4 Change the config_reg back to normal. ASA(config)# config-register 0x1

    5 If needed re-enable the interfaces.

    6 Save the running-config to the startup-config.
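    The six steps above as one console session, added here as an example and not part of the original handout. It assumes the device hostname is ASA, that the inside interface is the one that needs re-enabling, and the angle-bracket values are placeholders you replace with your own.

```text
rommon> confreg 0x41
rommon> boot
! the ASA boots without loading startup-config, so the enable password is empty
ASA> enable
Password:
! restore the saved configuration into RAM so nothing but the passwords changes
ASA# copy startup-config running-config
ASA# configure terminal
! privileged (enable) password
ASA(config)# enable password <new-enable-password>
! Telnet / SSH login password
ASA(config)# passwd <new-login-password>
! local admin account used by AAA local authentication
ASA(config)# username <admin-user> password <new-user-password> privilege 15
! set the config_reg back to the normal boot value
ASA(config)# config-register 0x1
! the copied config may have left interfaces shut down; bring them back up
ASA(config)# interface <inside-interface>
ASA(config-if)# no shutdown
ASA(config-if)# exit
! save RAM to NVRAM so the new passwords survive the next reboot
ASA(config)# write memory
ASA(config)# reload
```

    Confirm with show version that the config_reg reads 0x1 before the reload; an ASA left at 0x41 will keep ignoring its startup-config on every boot.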