Symptom:
Cisco’s ASA isn’t exactly the same as their other products; the CLI is just enough like IOS to fool you.
For example, to blank the configuration you execute “clear configure all”, and similar commands wipe out entire ACLs, etc.
Problem:
The command line interface of the Cisco ASA security appliance is quite different from the regular IOS CLI. Still, a lot of things are the same. Other things are quite different and possibly more difficult on the ASA.
Solution:
Show running-config
Displaying the current running-config of the box is of course nothing special, but when you add a question mark there are tons of options.
Rack1ASA1# sh run ?
aaa Show AAA configuration information
aaa-server Show aaa-server configuration information
access-group Show access group(s)
access-list Show configured access control elements
alias Show configured overlapping addresses with dual NAT
all Show current operating configuration including defaults
arp Show configured ARP entries, ARP timeout
asdm Show ASDM configuration
auth-prompt Show configured authentication challenge, reject and acceptance prompts
auto-update Show Auto Update configuration
banner Show configured login/session banners
boot Show boot configuration information
class Show class configuration
class-map Show class-map configuration
client-update Show global client-update configuration information
clock Show clock configuration
command-alias Show configured command aliases
compression Show compression global configuration
console Show console idle timeout
crypto Show crypto configuration
ctl-file Show configured CTL file instances
<--- More --->
It’s possible to view EVERY configuration ‘snippet’ with a show run. For example, displaying access-list configuration:
Rack1ASA1(config)# sh run access-list
access-list OUTSIDE_IN extended permit tcp any host 136.1.122.12 eq telnet
access-list OUTSIDE_IN extended permit tcp 150.1.2.0 255.255.255.0 host 136.1.122.12 eq www
access-list INSIDE_IN extended permit icmp any any echo
Rack1ASA1(config)#
Or class-maps:
Rack1ASA1(config-cmap)# sh run class-map
!
class-map TEST
match port tcp eq www
class-map inspection_default
match default-inspection-traffic
!
Rack1ASA1(config-cmap)#
Or NAT configuration:
Rack1ASA1(config)# sh run global
global (outside) 1 136.1.122.100-136.1.122.200
Rack1ASA1(config)# sh run nat
nat (inside) 1 0.0.0.0 0.0.0.0
Rack1ASA1(config)#
No ‘do’
Another thing to notice is that the ‘do’ command is NOT used on the ASA CLI. It doesn’t matter whether you are in enable mode or in configuration mode: the do command does not exist, and ALL commands can be executed from configuration mode.
Rack1ASA1(config)# do sh ip
^
ERROR: % Invalid input detected at '^' marker.
Rack1ASA1(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside 136.1.122.12 255.255.255.0 manual
Ethernet0/1 inside 136.1.121.12 255.255.255.0 manual
Ethernet0/2 dmz 10.0.0.12 255.255.255.0 manual
Context sensitive help
The context-sensitive help is also quite informative on the ASA. It first separates the configure-mode and exec-mode commands (since both are executable from config mode):
Rack1ASA1(config-if)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
Rack1ASA1(config-if)# crypto
Auto completion
Sometimes values are automatically available in the context help. For example, interface nameifs can be auto-completed:
Rack1ASA1(config)# access-group OUTSIDE in int ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface Ethernet0/2
inside Name of interface Ethernet0/1
outside Name of interface Ethernet0/0
Rack1ASA1(config)# access-group OUTSIDE in int
Once enough characters are entered and Tab is pressed, the ASA auto-completes the interface name. The question mark also immediately gives a great overview of which nameif is assigned to which physical interface.
Remove configuration
Sometimes a simple ‘no’ is not enough for the ASA to remove configuration. It’s impossible to remove an entire access-list with a simple no. In IOS this would work by just entering ‘no ip access-list extended <NAME>’. Since the ASA CLI inserts and removes individual lines of an ACL without the sequence numbering IOS uses, it requires you to enter the entire ACE (Access List Entry) before it actually removes it from the configuration.
For removing entire parts of the configuration, Cisco introduced the ‘clear configure’ command on the ASA CLI. This command follows the same logic as ‘show run’: it removes entire configuration snippets, for example all global NAT config or a specific ACL.
Rack1ASA1(config)# clear configure global
Rack1ASA1(config)# clear configure access-list TELNET
Rack1ASA1(config)# sh run global
Rack1ASA1(config)# sh run access-list TELNET
ERROR: access-list <TELNET> does not exist
Rack1ASA1(config)#
This is a very handy command when doing labs, as it is often more effective to redo the entire NAT setup or to remove an entire ACL in order to rename it, for example.
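Because the ASA only accepts a removal when the whole ACE is typed back, a small parser for ‘show run access-list’ output is a practical companion to the commands above. The script below is an added example and not code from the original post: it parses the access-list output shown earlier into structured entries, flags ‘permit ip any any’ style lines (the usual audit finding), and generates the exact ‘no …’ lines needed to delete selected entries. The sample output is constructed from the ACLs in the post plus one extra permit-any line; the function and class names are the example’s own.

```python
"""Parse ASA 'show run access-list' output into ACEs, audit them, and emit
the exact 'no ...' lines the ASA needs to delete an entry.

Added example, not from the original post. The sample text is constructed
from the ACLs the post shows, plus one extra permit-any line to audit.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'sh run access-list' output (addresses from the post).
SAMPLE_SHOW_RUN = """\
access-list OUTSIDE_IN extended permit tcp any host 136.1.122.12 eq telnet
access-list OUTSIDE_IN extended permit tcp 150.1.2.0 255.255.255.0 host 136.1.122.12 eq www
access-list INSIDE_IN extended permit icmp any any echo
access-list INSIDE_IN extended permit ip any any log
"""


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    src_port: Optional[str]
    dst: str
    service: Optional[str]   # destination port, ICMP type, 'log', ... as written
    raw: str                 # the line exactly as 'show run' printed it


# Only the 'extended' form printed by 'show run access-list' is handled;
# remarks, standard/webtype ACLs and 'show access-list' hit counters are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)
ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq", "lt", "gt", "neq", "range"}


def _take_addr(tokens: List[str]):
    """Consume one address spec: 'any', or any two-token form such as
    'host A', 'A MASK', 'object NAME', 'object-group NAME', 'interface NAMEIF'."""
    if tokens[0] in ANY:
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def _take_port(tokens: List[str]):
    """Consume an optional port operator ('eq www', 'range 1024 65535')."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return None, tokens


def parse_aces(show_run: str) -> List[Ace]:
    """Turn each 'access-list ... extended ...' line into an Ace."""
    aces = []
    for line in show_run.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").split()
        src, rest = _take_addr(rest)
        src_port, rest = _take_port(rest)   # source port may precede the destination
        dst, rest = _take_addr(rest)
        aces.append(Ace(m.group("acl"), m.group("action"), m.group("proto"),
                        src, src_port, dst, " ".join(rest) or None, line))
    return aces


def is_permit_any_any(ace: Ace) -> bool:
    """Flag 'permit ip any any' style entries, the usual audit finding."""
    return (ace.action == "permit" and ace.protocol == "ip"
            and ace.src in ANY and ace.dst in ANY)


def removal_commands(aces: List[Ace], acl: Optional[str] = None,
                     predicate=None) -> List[str]:
    """'no' followed by the full ACE text: the ASA accepts no shorter form.
    To drop a whole ACL at once use 'clear configure access-list NAME' instead."""
    cmds = []
    for ace in aces:
        if acl is not None and ace.acl != acl:
            continue
        if predicate is not None and not predicate(ace):
            continue
        cmds.append("no " + ace.raw)
    return cmds


if __name__ == "__main__":
    entries = parse_aces(SAMPLE_SHOW_RUN)
    for ace in entries:
        print(f"{ace.acl:12} {ace.action:6} {ace.protocol:5} {ace.src} -> {ace.dst} {ace.service or ''}")
    print("\n".join(removal_commands(entries, predicate=is_permit_any_any)))
```

Paste the real ‘sh run access-list’ output into SAMPLE_SHOW_RUN (or read it from a file) and the generated lines can be pasted straight back into configuration mode; the raw line is kept verbatim precisely because the ASA compares the whole ACE text.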
VPN setup
Since the CCIE lab leaves very little time to really dive into the documentation, it is good to know that the ASA CLI has a little VPN configuration cheat sheet built in! This is a really cool feature!
With the command ‘vpnsetup’ in configuration mode you can display the steps for several kinds of VPN set-up.
Rack1ASA1(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Commands
Rack1ASA1(config)# vpnsetup
To check the required site-to-site steps, enter the following commands and the ASA lists every step to take for a successful site-to-site VPN implementation:
Rack1ASA1(config)# vpnsetup site-to-site ?
configure mode commands/options:
steps Display VPN Setup Commands
Rack1ASA1(config)# vpnsetup site-to-site steps ?
configure mode commands/options:
<cr>
Rack1ASA1(config)# vpnsetup site-to-site steps
Steps to configure a site-to-site IKE/IPSec connection with examples:
1. Configure Interfaces
 interface GigabitEthernet0/0
  ip address 10.10.4.200 255.255.255.0
  nameif outside
  no shutdown
 interface GigabitEthernet0/1
  ip address 192.168.0.20 255.255.255.0
  nameif inside
  no shutdown
2. Configure ISAKMP policy
 crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
3. Configure transform-set
 crypto ipsec transform-set myset esp-aes esp-sha-hmac
4. Configure ACL
 access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
5. Configure Tunnel group
 tunnel-group 10.20.20.1 type ipsec-l2l
 tunnel-group 10.20.20.1 ipsec-attributes
  pre-shared-key P@rtn3rNetw0rk
6. Configure crypto map and attach to interface
 crypto map mymap 10 match address L2LAccessList
 crypto map mymap 10 set peer 10.10.4.108
 crypto map mymap 10 set transform-set myset
 crypto map mymap 10 set reverse-route
 crypto map mymap interface outside
7. Enable isakmp on interface
 crypto isakmp enable outside
Rack1ASA1(config)#
The only tiny thing forgotten in this example is the ‘security-level’ under the interfaces, though the
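The seven steps are only useful if the objects they create actually refer to each other, which is easy to get wrong when typing them from memory in a lab. The script below is an added example (not Cisco’s code and not from the original post) that parses the commands ‘vpnsetup site-to-site steps’ prints and cross-checks them: every interface needs a security-level, the crypto map’s ACL and transform-set must exist, the ‘set peer’ address needs an ipsec-l2l tunnel-group with a pre-shared key, and the interface the map is attached to must have isakmp enabled. Run over the post’s own vpnsetup output it reports the two missing security-levels and that the crypto map peer 10.10.4.108 has no tunnel-group, since the template names the tunnel-group 10.20.20.1 (without a matching group the ASA falls back to DefaultL2LGroup). The sample config is the post’s output with its indentation restored; the function names are the example’s own.

```python
"""Cross-check an ASA site-to-site IKEv1/IPsec configuration: parses the
commands 'vpnsetup site-to-site steps' prints and verifies their references."""

# The post's vpnsetup output with its indentation restored (constructed sample).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.4.200 255.255.255.0
 nameif outside
 no shutdown
interface GigabitEthernet0/1
 ip address 192.168.0.20 255.255.255.0
 nameif inside
 no shutdown
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
crypto ipsec transform-set myset esp-aes esp-sha-hmac
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key P@rtn3rNetw0rk
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp enable outside
"""


def parse_config(text):
    """Collect the objects a site-to-site setup refers to, by kind."""
    cfg = {"interfaces": [], "isakmp_policies": set(), "transform_sets": set(),
           "acls": set(), "tunnel_groups": {}, "crypto_maps": {},
           "map_interfaces": {}, "isakmp_enabled": set()}
    ctx = None  # interface or tunnel-group that indented sub-commands belong to
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "interface":
            ctx = {"name": t[1], "nameif": None, "security-level": None}
            cfg["interfaces"].append(ctx)
        elif t[0] in ("nameif", "security-level") and ctx and "nameif" in ctx:
            ctx[t[0]] = t[1]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            cfg["isakmp_policies"].add(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[0] == "tunnel-group":  # 'type ...' and 'ipsec-attributes' lines
            ctx = cfg["tunnel_groups"].setdefault(t[1], {"type": None, "psk": False})
            if t[2] == "type":
                ctx["type"] = t[3]
        elif t[0] == "pre-shared-key" and ctx and "psk" in ctx:
            ctx["psk"] = True
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_interfaces"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["crypto_maps"].setdefault((t[2], t[3]), {})
            if t[4] == "match":  # match address ACL
                entry["acl"] = t[6]
            elif t[4] == "set":  # set peer / transform-set / reverse-route ...
                entry[t[5]] = " ".join(t[6:])
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_enabled"].add(t[3])
    return cfg


def check_site_to_site(text):
    """Return findings as strings; an empty list means every reference resolves."""
    cfg, out = parse_config(text), []
    nameifs = {i["nameif"] for i in cfg["interfaces"] if i["nameif"]}
    for i in cfg["interfaces"]:
        if i["security-level"] is None:
            out.append(f"{i['name']}: no security-level")
    if not cfg["isakmp_policies"]:
        out.append("no crypto isakmp policy")
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        tag = f"crypto map {name} {seq}"
        if e.get("acl") not in cfg["acls"]:
            out.append(f"{tag}: match address refers to unknown ACL {e.get('acl')}")
        if e.get("transform-set") not in cfg["transform_sets"]:
            out.append(f"{tag}: unknown transform-set {e.get('transform-set')}")
        peer = e.get("peer")
        tg = cfg["tunnel_groups"].get(peer)
        if peer is None:
            out.append(f"{tag}: no set peer")
        elif tg is None or tg["type"] != "ipsec-l2l":
            out.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l' for the peer "
                       "(the ASA would fall back to DefaultL2LGroup)")
        elif not tg["psk"]:
            out.append(f"tunnel-group {peer}: no pre-shared-key")
    for name in sorted({n for n, _ in cfg["crypto_maps"]}):
        nameif = cfg["map_interfaces"].get(name)
        if nameif not in nameifs:
            out.append(f"crypto map {name}: not attached to a known interface ({nameif})")
        elif nameif not in cfg["isakmp_enabled"]:
            out.append(f"crypto map {name}: isakmp not enabled on {nameif}")
    return out


if __name__ == "__main__":
    for finding in check_site_to_site(SAMPLE_CONFIG):
        print(finding)
```

Adding ‘security-level 0’ and ‘security-level 100’ under the two interfaces and naming the tunnel-group after the ‘set peer’ address clears every finding. The parser deliberately reads only the commands the cheat sheet prints, so it will ignore anything else in a full ‘show run’ rather than misreport it.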
Comments:
http://blog.ipexpert.com/2010/01/11/cli-tricks-on-the-asa/