Cisco ASA tips and tricks


 Cisco’s ASA isn’t exactly the same as their other products, the CLI is just enough like IOS to fool you.

For example, to blank the configuration, execute “clear configure all”, similar commands work to wipe out entire ACLs, etc.


 The command line interface of the Cisco ASA security appliance is quite different than the regular IOS CLI. Still it has a lot of things that are the same. Other things are quite different and possibly more difficult on the ASA.


Show running-config

At first it’s not that special of course to display the current running-config of the box, but when you issue a question mark there are tons of options.

Rack1ASA1# sh run ?


aaa Show AAA configuration information

aaa-server Show aaa-server configuration information

access-group Show access group(s)

access-list Show configured access control elements

alias Show configured overlapping addresses with dual


all Show current operating configuration including


arp Show configured ARP entries, ARP timeout

asdm Show ASDM configuration

auth-prompt Show configured authentication challenge,

reject and acceptance prompts

auto-update Show Auto Update configuration

banner Show configured login/session banners

boot Show boot configuration information

class Show class configuration

class-map Show class-map configuration

client-update Show global client-update configuration


clock Show clock configuration

command-alias Show configured command aliases

compression Show compression global configuration

console Show console idle timeout

crypto Show crypto configuration

ctl-file Show configured CTL file instances

<— More —>

It’s possible to view EVERY configuration ‘snippet’ with a show run. For example, displaying access-list configuration:

Rack1ASA1(config)# sh run access-list

access-list OUTSIDE_IN extended permit tcp any host eq telnet

access-list OUTSIDE_IN extended permit tcp host eq www

access-list INSIDE_IN extended permit icmp any any echo


Or class-maps:

Rack1ASA1(config-cmap)# sh run class-map


class-map TEST

match port tcp eq www

class-map inspection_default

match default-inspection-traffic



Or NAT configuration:

Rack1ASA1(config)# sh run global

global (outside) 1

Rack1ASA1(config)# sh run nat

nat (inside) 1


No ‘do’

Another thing to notice is that the ‘do’ command is NOT used on the ASA CLI. It doesn’t matter if you are in enabled mode or in configuration mode, the do command does not exist and ALL commands can be executed from configuration mode.

Rack1ASA1(config)# do sh ip


ERROR: % Invalid input detected at ‘^’ marker.

Rack1ASA1(config)# sh ip

System IP Addresses:

Interface Name IP address Subnet mask Method

Ethernet0/0 outside manual

Ethernet0/1 inside manual

Ethernet0/2 dmz manual

Context sensitive help

The context sensitive help is also quite informational on the ASA. It first differentiates the config and exec mode commands (since they are executable from config mode)

Rack1ASA1(config-if)# crypto ?

configure mode commands/options:

ca Certification authority

dynamic-map Configure a dynamic crypto map

ipsec Configure transform-set, IPSec SA lifetime, and fragmentation

isakmp Configure ISAKMP

key Long term key operations

map Configure a crypto map

exec mode commands/options:

ca Execute Certification Authority Commands

Rack1ASA1(config-if)# crypto

Auto completion

Sometimes values are automatically available in the context help. For example interface ‘nameif’’s are possible for autocompletion:

Rack1ASA1(config)# access-group OUTSIDE in int ?

configure mode commands/options:

Current available interface(s):

dmz Name of interface Ethernet0/2

inside Name of interface Ethernet0/1

outside Name of interface Ethernet0/0

Rack1ASA1(config)# access-group OUTSIDE in int

When tab is pressed and enough characters are entered, the ASA will auto-complete the interface name. Also the question mark immediately gives a great overview of which physical interface is assigned which nameif.

Remove configuration

Sometimes a simple ‘no’ is not enough for the ASA to remove configuration. It’s impossible to remove an entire access-list with a simple no. In IOS this would work by just entering ‘no ip access-list extended <NAME>’. Since the ASA CLI also supports inserting and removing lines from an ACL without using numbering like in IOS, it requires you to enter the entire ACE (Access List Entry) before it actually removes it from the configuration.

For removing entire parts of configuration, Cisco introduced the ‘clear configure’ command on the ASA CLI. This command has the same logic as the ‘show run’ as it can remove entire configuration snippets with it, so for example all NAT config and a specific ACL.

Rack1ASA1(config)# clear configure global

Rack1ASA1(config)# clear configure access-list TELNET

Rack1ASA1(config)# sh run global

Rack1ASA1(config)# sh run access-list TELNET

ERROR: access-list <TELNET> does not exist


This is a very handy command when doing labs, as it might be affective to redo the entire NAT setup again or remove an entire ACL to rename it for example.

VPN setup

Since the CCIE lab offers very few time left to really dive in the documentation the ASA CLI has a little cheat sheet for VPN configuration built-in! This is a really cool feature!

With the command ‘vpnsetup’ in configuration mode you have several options to see different kinds of VPN set-ups.

Rack1ASA1(config)# vpnsetup ?

configure mode commands/options:

ipsec-remote-access Display IPSec Remote Access Configuration Commands

l2tp-remote-access Display L2TP/IPSec Configuration Commands

site-to-site Display IPSec Site-to-Site Configuration Commands

ssl-remote-access Display SSL Remote Access Configuration Commands

Rack1ASA1(config)# vpnsetup

To check the site-to-site required steps enter the following commands and the ASA demonstrates all the required steps to take for a successful site-to-site VPN implementation

Rack1ASA1(config)# vpnsetup site-to-site ?

configure mode commands/options:

steps Display VPN Setup Commands

Rack1ASA1(config)# vpnsetup site-to-site steps ?

configure mode commands/options:


Rack1ASA1(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0

ip address

nameif outside

no shutdown

interface GigabitEthernet0/1

ip address

nameif inside

no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip

5. Configure Tunnel group

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList

crypto map mymap 10 set peer

crypto map mymap 10 set transform-set myset

crypto map mymap 10 set reverse-route

crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside


The only tiny thing that’s forgotten in this example are ‘security-level’s under the interface, though the


Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.