
Basic PIX / ASA CLI Commands

PIX / ASA configuration and monitoring connections. Methods 1 and 2 use CLI commands.

1 Console connection. Serial port, rollover cable to the device. Secure because you must have physical access to the device. No user password is required, but the privileged (enable) password may be required.
2 Telnet or SSH remote connections. User password and privileged password required.
3 PDM or ASDM, Java based web GUI for monitoring and configuration. AAA or local authentication can require a username and password for improved security.

CLI commands for console, telnet and SSH connections.

PIX> enable
Password: <default blank>        (set an enable password; the factory default is empty)
PIX# disable
PIX> help        or        PIX> ?
PIX> en ?
PIX# help   ----------<more>
PIX# show ?
PIX# configure terminal
PIX(config)# show ?
PIX(config)# hostname <Name>
Name(config)# domain-name <dname>
Name(config)# console timeout <#_of_minutes>        0 disables the timeout, which leaves an abandoned console session logged in
Name(config)# clock set hh:mm:ss day MONTH year     MONTH is entered by name
Name(config)# name <ip_address> <device_name>
Name(config)# names
PIX# setup

Note: Not all commands are included in the PIX help; the ASA help is more complete.
Note: Command editing is similar to the switch and router CLI, but some of the advanced editing features depend on the firewall OS version. (For example, tab command completion does not work in pre-7 OSs.) Enter q to quit long displays.
Note: Show commands can be used in privileged or configuration mode.

Factory Default and Config. Saving


Default Configurations
The PIX 501 and ASA 5505 were designed as SOHO devices. They come with a factory default configuration stored in flash. This configuration sets up a basic usable configuration for the device (WAN DHCP client, LAN DHCP server and basic usable settings for other areas). The other PIX and ASA models also have a default configuration, but the main part of it sets up the basic commands that allow ASDM connections to the management interface. At any time the running-config can be reset back to the factory default with the following command:

Name(config)# configure factory-default
Then the running-config must be saved to the startup-config (write memory), or the reset is lost at the next reload.
Note: This replaces the whole running-config, including the interface addresses and any telnet/SSH/http access lines, so enter it from the console rather than over a remote session.


Configuration File Saving, Viewing
Commands vary depending on the OS version, pre or post version 7. Pre 7, use the write commands (some copy commands work). Post 7, use either the write or the copy commands.

Name# write memory                          saves the running-config to the startup-config
Name# write terminal                        views the running-config
Name# write erase                           erases the startup-config
Name# write standby                         copies the running-config to the standby failover firewall
Name# configure memory                      merges the startup-config into the running-config
Name# show configure                        views the startup-config
Name# copy running-config startup-config    saves the running-config to the startup-config
Name# copy startup-config running-config    merges the startup-config into the running-config
Name# show running-config                   views the configuration in RAM
Name# show startup-config                   views the configuration in NVRAM (flash on the ASA)

Passwords and Login Banners


Passwords
For security, passwords are never stored in clear text in the configuration of Cisco firewalls; they are stored as hashes (shown with the keyword encrypted in the config) and cannot be displayed afterwards. Set both passwords; the factory defaults are blank.
User exec - not used for the console connection, used for telnet and SSH connections.
Name(config)# passwd <password>

Privileged exec - used for moving from user to privileged mode on all connection types.
Name(config)# enable password <password>

Login Banners
Name(config)# banner <banner-type> <banner text>
<banner-types> - asdm, exec, login, motd

motd  - message displayed at the beginning of all connections
asdm  - message displayed after login on an ASDM connection
exec  - message displayed before the CLI prompt
login - message displayed before the username and password prompts

Telnet and SSH


Remote Connections
The device must first be configured through the console to bring up the interfaces and allow traffic to the device.

Telnet Setup
Telnet is not secure (the user and enable passwords cross the network in clear text), and as such is typically only allowed from hosts on the high security interfaces; the appliance refuses telnet on its lowest security interface. Two things must be set up to allow telnet traffic to the device: a user password and a list of IP addresses allowed to open telnet connections.
PIX(config)# passwd <user_password>
PIX(config)# telnet <ip_address> <SNM> <interface_name>
PIX(config)# telnet timeout <#_of_minutes>

SSH Setup
SSH creates an encrypted connection and can be used from any interface. SSH requires four things to be set up: a user password, host and domain names, a public/private RSA key pair, and a list of allowed IP addresses.
PIX(config)# hostname <Name>
Name(config)# domain-name <dname>
Name(config)# passwd <user_password>
Name(config)# ca generate rsa key <modulus_size>        <modulus_size> 512, 768, 1024, 2048. A larger modulus adds security but uses more resources; 512 and 768 bit keys are too weak to use today.
Name(config)# ca save all
Name(config)# sh ca mypubkey rsa
Name(config)# ssh <ip_address> <SNM> <interface_name>
Name(config)# ssh timeout <#_of_minutes>

ASA is the same except for key generation, key saving and display.
ASA(config)# crypto key generate rsa [modulus <size>]        Follow and answer the prompts. Without the modulus option the default key size is used, so specify modulus 2048.
ASA# write memory                                            saves the keys to flash along with the configuration
ASA# show crypto key mypubkey rsa
Note: Unless a username and password are configured, SSH connections to the PIX and ASA use the default username pix and the user (passwd) password. (Up to OS 8.3.)
ASA(config)# username <name> password <password>
ASA(config)# aaa authentication ssh console LOCAL        ! Required for 8.4(2) or higher. Once local authentication is required the default pix username no longer works, so create the username first.
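The following is an added, complete example of an SSH-only management setup on an ASA running 8.4(2) or later; it is my example, not part of the original notes or Cisco's documentation. The hostname fw1, the domain lab.example, the username admin and the inside network 192.168.1.0/24 are assumed values.

```cisco
! Added example: SSH management access on ASA 8.4(2)+ with local users.
! Assumed values: hostname fw1, domain lab.example, inside network 192.168.1.0/24.
! Enter this from the console and keep that session open until SSH is confirmed working.
hostname fw1
domain-name lab.example
enable password <strong_enable_password>
!
! RSA key pair used by the SSH server (2048 bits; 512/768 are too weak).
crypto key generate rsa modulus 2048
!
! Local admin account. The privilege level is recorded on the account; "enable"
! still asks for the enable password unless aaa authorization exec is also configured.
username admin password <strong_user_password> privilege 15
!
! Authenticate SSH logins against the local user database.
! After this line the default "pix" username no longer works.
aaa authentication ssh console LOCAL
!
! Only the inside management subnet may open SSH; nothing is allowed on outside.
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
!
! Telnet is deliberately left unconfigured: with no "telnet ..." lines there is
! no interface on which a clear-text login is accepted.
!
! Save the config (this also stores the RSA keys in flash).
write memory
!
! Checks:
show crypto key mypubkey rsa
show ssh            ! timeout, version and the allowed host list
show ssh sessions   ! who is connected right now
```

Test the new SSH login from a second window before closing the console session; if the aaa line was entered before the username existed, the console is the only way back in.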

ASDM
ASDM (OS version 7 and later), PDM (OS version 6)
Web and Java based GUI for configuring and monitoring ASA or PIX devices. PDM was included in flash on the PIX 501, but was an option on the other models. Starting with OS 7, ASDM has been included in flash on all the ASAs. A basic configuration must be completed on the device to allow web access to it through one or more of its network interfaces.
OS and ASDM/PDM versions depend on each other; updating one will usually require you to update the other. Also, not all versions of the Java component are compatible with every version of PDM or ASDM. The PIX 501s were never updated to OS version 7 or later, and thus never received ASDM. Our PIX 501 with PDM is only compatible with Java 1.4.1 or older. ASDM is compatible with 1.4.2 and newer. We will only do ASDM labs on the ASAs so that we won't have to keep changing and downgrading the Java component.
ASDM uses HTTPS (SSL) to protect the communications between the desktop and the appliance. The factory default configuration on an ASA 5505 or PIX 501 allows ASDM or PDM connections from hosts on the inside network.

Basic ASA configuration required before ASDM can be used:
ASA(config)# hostname <Name>
Name(config)# domain-name <dname>
Name(config)# enable password <password>
Name(config)# interface <physical_inter_name>
Name(config-if)# nameif <logical_if_name>
Name(config-if)# ip address <ip_address> <SNM>
Name(config-if)# security-level <sec#>
Name(config-if)# speed <value>
Name(config-if)# duplex <value>
Name(config-if)# no shutdown
Name(config-if)# exit
Name(config)# http server enable [port#]                 [port#] defaults to the standard HTTPS value of 443; this option allows it to be changed.
Name(config)# http <ip_address> <SNM> <logical_if_name>   only these hosts may open ASDM, and only through that interface
Hostname and domain-name are required; they are used to generate the RSA key for SSL. A username and password can also be configured to enhance the ASDM logon security (username plus aaa authentication http console LOCAL).
ASA 5505 interface setting
Name(config)# interface vlan <vlan_id>
Name(config-if)# nameif <if-name>
Name(config-if)# ip address <address> [snm]
Name(config-if)# security-level <number>
Note: Leave the physical interface settings at their default values (auto negotiate speed and duplex, E0/0 in VLAN 2, all others in VLAN 1, all ports no shutdown).

Interface Config. and PIX inter. HW Values


Interface configurations
Interface configurations differ between PIX and ASAs, and can differ between device models. For all the devices there are two distinct areas of interface configuration, physical and logical interfaces.
Physical - used to set up the physical properties of the interface: speed, duplex, shutdown / no shutdown and, from OS 7 in interface subcommand mode, also the logical interface name, security level and IP address.
Physical interfaces: Ethernet number (PIX e0 or e1) (ASA 5505 e0/0 to e0/7). Devices with gigabit ports use g0/0 etc.
Prior to OS version 7.0 the physical interface setup was done in global configuration mode. With OS version 7 or later it moved into an interface subcommand mode. After the physical interface is set up and a logical name is assigned, all other interface commands are referenced by the logical name.
Note: Because of the internal switch with VLANs, the ASA 5505 is slightly different from the standard ASA configuration.

PIX 501 Interface Configuration
The PIX 501 does not work with VLANs.
Pix(config)# interface hardware-id hardware-speed [shutdown]
Hardware-id
  ethernet0 (typically the WAN port)
  ethernet1 (typically the LAN port)
Hardware-speed
  1000auto   (not available on the 501)
  10baset    (10M half-duplex)
  10full     (10M full-duplex)
  100basetx  (100M half-duplex)
  100full    (100M full-duplex)
  auto       (auto negotiate speed and duplex)
Optional shutdown. Enter no shutdown to turn the interface on. The 501 default is on; on all other PIX models the default is shutdown.

PIX Interface Logical, Names and Security


Pix(config)# nameif hardware-id if-name security-level
Hardware-id - same as above
If-name - desired logical interface name, up to 48 characters, no spaces. 501 factory default: E0 outside, E1 inside.
Security-level - 0 to 100, with 100 being the highest security level. By default traffic is allowed to flow from a higher level interface to a lower level interface; in the other direction it is allowed only when it is the reply to a request that came from the higher level interface, or when an ACL permits the flow.
  501 default outside 0   (the name outside is the only name allowed to be set to 0)
  501 default inside 100  (the name inside is the only name allowed to be set to 100)
  Any other name can be set to values between 1 and 99.
Pix(config)# ip address <if-name> <ip_address> <snm>        (static)
Pix(config)# ip address <if-name> dhcp [setroute]           (DHCP client; setroute accepts the default route offered by the DHCP server)

ASA Logical Config.


ASA 5505 Interface Configuration
The ASA 5505 includes an 8 port switch and thus has 8 physical ports. Like most Cisco switches, by default all 8 ports are assigned to VLAN 1. Depending on the ASA license, the maximum number of VLANs is 3 or 20. We have the Base license, which allows only 3 VLANs. The factory default configuration creates 2 VLANs (1 and 2). VLAN 1 is inside and VLAN 2 is outside, with the physical ports set to auto negotiate speed and duplex. E0/0 is assigned to VLAN 2 and all others are in VLAN 1.
Note: The ASAs do not tie security levels to particular interface names; any name can be assigned 100 or 0. The default is 100 for the interface named inside and 0 for all other interfaces.
Note: On both the ASAs and PIX, by default traffic is blocked between interfaces set to the same security level.
ASA(config)# interface vlan <VLAN_ID#>
ASA(config-if)# nameif <if-name>
ASA(config-if)# ip address <Address> [subnet_mask]       (static address)
ASA(config-if)# ip address dhcp [setroute]               (DHCP client; setroute causes the ASA to accept a default route from the DHCP server)
ASA(config-if)# security-level <number>
ASA(config-if)# [no] shutdown
Note: For the ASA 5505 the default is no shutdown; on all other ASAs the default is shutdown.

ASA Interface Physical Settings and DMZ


ASA(config)# interface <physical_name>
ASA(config-if)# switchport access vlan <VLAN_ID#>
ASA(config-if)# speed <value>         value 10, 100, auto
ASA(config-if)# duplex <value>        value auto, full, half
ASA(config-if)# [no] shutdown

On an ASA, to allow traffic to flow between interfaces with the same security level, enter the following command.
ASA(config)# same-security-traffic permit inter-interface
For a PIX, an ACL must be created to allow traffic between interfaces with the same security level.

The DMZ configuration depends on the ASA 5505 license, Base or Security Plus. The Base license only allows 3 VLANs, and the third VLAN is restricted: it may not initiate traffic to one of the other two VLANs (the no forward interface command). The Security Plus license allows 20 VLANs and does not restrict the data flow. We are using the Base license and the following example shows the restricted configuration. Note that the inside and outside interfaces have already been given the standard default settings.
ASA(config)# interface vlan 3
ASA(config-if)# ip address <ip-add> <snm>
ASA(config-if)# no forward interface vlan 1        ! DMZ hosts cannot open connections to the inside VLAN. On the Base license this line must be entered before nameif or the nameif is rejected.
ASA(config-if)# nameif dmz
ASA(config-if)# security-level <level>             ! Typically some mid-range value, 50, 60 or 70.
ASA(config-if)# no shut
ASA(config-if)# interface ethernet0/<#>
ASA(config-if)# switchport access vlan 3
ASA(config-if)# no shut
Note: Normally static NAT would then be configured for the server installed on the DMZ, and an ACL on the outside interface would permit only the published ports to it.

Clear Commands
Clear Commands
Clear commands perform two functions in the PIX or ASA.
1 Clear counters, statistics or tables for the specified device function.
2 Clear the specified configuration commands.
Note: Individual clear commands have been added with different OS versions, many of them in versions 7.0 to 7.2. As such, they will not all be available on our PIX 501s running version 6.3.

Examples:
ASA# clear conn                        (clears the connection table)
ASA# clear interface e0                (clears the interface statistics counters)
ASA# clear access-list                 (clears the access-list hit counters)
ASA# clear mac-address-table           (clears the switch address table)
ASA# clear xlate                       (clears the translation table and the connections that use it)
Note: clear xlate should be done any time a change is made to NAT, ACLs etc., but it drops all current connections and translations, so do it when that is acceptable.

Examples:
ASA(config)# clear configure access-list         (removes all access-list configuration commands)
ASA(config)# clear configure access-list IN      (removes only the access-list commands with ID IN)
ASA(config)# clear configure banner              (removes all the banner commands)
ASA(config)# clear configure all                 (removes the entire configuration in RAM, including management access; use it from the console)
ASA(config)# clear configure icmp                (removes all the icmp commands, version 7 and newer)
PIX(config)# clear icmp                          (removes all icmp commands, version 6)

DHCP Settings, Client and Server


DHCP Client and Server
Note: DHCP clients can be set up on the WAN interface, with DHCP servers set up on the LAN and DMZ interfaces. Static addresses can be used on any interface.
Note: Examples are for two interface devices with the logical interfaces named inside (LAN) and outside (WAN).

Example 1, default SOHO configuration. Outside set as a DHCP client and inside set as a DHCP server. The DNS settings etc. learned on the outside are passed to the LAN clients.
WAN DHCP client, LAN static IP.
PIX(config)# ip address outside dhcp setroute
PIX(config)# ip address inside <ip_address> <SNM>
ASA, under the vlan 1 (inside) interface configuration:
ASA(config-if)# ip address <ip_address> <SNM>
ASA, under the vlan 2 (outside) interface configuration:
ASA(config-if)# ip address dhcp setroute

LAN DHCP server settings, using the DNS etc. learned by the WAN DHCP client. PIX and ASA are the same.
PIX(config)# dhcpd address <pool_start_ip>-<pool_end_ip> <interface_name>
PIX(config)# dhcpd auto_config <interface_name>        (the interface running the DHCP client, normally outside)
PIX(config)# dhcpd enable <interface_name>             (the interface the server listens on, normally inside)

DHCP Server Optional and Manual Settings


Optional and manual DHCP server settings.
PIX(config)# dhcpd address <pool_start_ip>-<pool_end_ip> <interface_name>
PIX(config)# dhcpd domain <domain_name>
PIX(config)# dhcpd dns <1st dns> [<2nd dns>]
PIX(config)# dhcpd wins <1st wins> [<2nd wins>]
PIX(config)# dhcpd lease <length_in_secs>
PIX(config)# dhcpd ping_timeout <length_in_millisecs>
PIX(config)# dhcpd enable <interface_name>
Note: PIX 501 and ASA 5505 license to maximum DHCP pool size:
  10 user license          max. pool size 32
  50 user license          max. pool size 128
  Unlimited user license   max. pool size 256
Note: To change the network address or subnet of the LAN, first remove the DHCP pool by entering the dhcpd address command with no in front of it. This removes the pool and disables the DHCP server. Then enter the new IP address on the interface of the DHCP server, re-enter the dhcpd address command with the new pool range, then re-enable the DHCP server.
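The re-addressing procedure in the note above, carried out end to end on an ASA 5505, as an added example of mine (not from the original notes). The old and new inside subnets, the domain, the resolver addresses and the 10-user Base license (32 address pool limit) are assumed.

```cisco
! Added example: move the inside LAN from 192.168.1.0/24 to 10.10.0.0/24 on an ASA 5505
! with a 10-user Base license (DHCP pool limited to 32 addresses). All values assumed.
!
! 1. Remove the old pool; this also disables the DHCP server on that interface.
no dhcpd address 192.168.1.10-192.168.1.41 inside
!
! 2. Re-address the interface (do this from the console; the old address is gone after this line).
interface vlan 1
 ip address 10.10.0.1 255.255.255.0
 exit
!
! 3. New pool inside the new subnet: 10.10.0.10-10.10.0.41 is exactly 32 addresses,
!    the maximum the 10-user license accepts.
dhcpd address 10.10.0.10-10.10.0.41 inside
dhcpd domain lab.example
dhcpd dns 10.10.0.53 10.10.0.54        ! assumed internal resolvers
dhcpd lease 86400                      ! one day, in seconds
dhcpd ping_timeout 50                  ! milliseconds to wait for a reply before handing out an address
!
! 4. Re-enable the server on the interface.
dhcpd enable inside
!
! Checks:
show dhcpd binding                     ! MAC to IP leases handed out
show dhcpd statistics                  ! pool size, addresses in use, message counters
show running-config dhcpd
```

If the pool range were larger than the license allows, the dhcpd address line is rejected and the server stays disabled, so check show dhcpd statistics after step 4 rather than assuming it came back.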

Network & Service Objects and Object Groups


The ASA, like the router IOS, supports network objects and object grouping. Using them simplifies the configuration for many areas of the firewall. The two areas we will cover are ACLs and NAT/PAT for OS 8.3 or newer. Once an object or object group has been defined it can be used and reused in many different places, and when you change an object or object group the change is automatically applied to every rule that uses it. The object NAT covered later uses objects only, not object groups.
Two object types can be configured:
Network object - contains an IP address/mask pair; can be a host, subnet or range of addresses.
Service object - contains a protocol and optional source and/or destination port.
Objects can then be attached to or detached from one or more object groups. Object group types include: icmp-type, network, protocol, service or user.
The object groups can then be used in the ACL or NAT configuration statements instead of the individual network addresses, protocols or TCP/UDP ports. This reduces the number of ACL or NAT statements you have to configure.
Note: The number of statements isn't reduced, just the number you have to enter. The OS expands the objects and object groups into one entry for each member of the group (show access-list displays the expanded entries with their hit counts); the total number of resulting entries is the same.

Network Object Creation:
ASA(config)# object network <name>
ASA(config-network-object)# host <ip-address>
ASA(config-network-object)# subnet <net-address> <net-snm>
ASA(config-network-object)# range <ip-address-start> <ip-address-end>

Service Objects
Service Object Creation:
ASA(config)# object service <name>
ASA(config-service-object)# service <protocol>
ASA(config-service-object)# service tcp [source <operator> <port>] [destination <operator> <port>]
ASA(config-service-object)# service udp [source <operator> <port>] [destination <operator> <port>]
ASA(config-service-object)# service icmp <icmp-type>
ASA(config-service-object)# service icmp6 <icmp6-type>
Note: <operator> options: eq, neq, lt, gt and range
Objects can also be grouped together to create an object group. Create the group name, then add the members within the group. Previously created object groups can also be nested inside another object group.

Network Object Group Creation:
ASA(config)# object-group network <name>
ASA(config-network-object-group)# description <text>
ASA(config-network-object-group)# network-object {host <ip-address> | <net-address> <net-snm> | object <network-object-name>}        (a range is added by putting it in a network object and referencing the object)
ASA(config-network-object-group)# group-object <group-name>

Protocol Object Group Creation:
ASA(config)# object-group protocol <name>
ASA(config-protocol-object-group)# protocol-object <protocol>        ! tcp, udp, esp, gre etc., or a protocol number
ASA(config-protocol-object-group)# group-object <group-name>

Object Groups
ICMP Object Group Creation:
ASA(config)# object-group icmp-type <name>
ASA(config-icmp-object-group)# icmp-object <icmp-type>
ASA(config-icmp-object-group)# group-object <group-name>

Service Object Group Creation: multiple possible forms, depending on the selected options.
ASA(config)# object-group service <name>
ASA(config-service-object-group)# service-object <protocol> [destination <operator> <port>]
Or
ASA(config)# object-group service <name> [tcp | udp | tcp-udp]
ASA(config-service-object-group)# port-object <operator> <port>
ASA(config-service-object-group)# group-object <group-name>

To erase an object or object group, enter the no form of the command.
To erase all objects enter:
ASA(config)# clear configure object [network | service]
To erase all object groups enter:
ASA(config)# clear configure object-group
To verify objects or object groups enter one of the following:
ASA# show running-config object
ASA# show running-config object-group

Address Translation, Dynamic and Static NAT


Address Translation (NAT, PAT, Dynamic, Static), OS version 7.0 to 8.2.5. 8.3 and higher use completely different commands.
Note: Address translation was designed around the flow of traffic from a high security interface to a low security interface.
Note: Pre OS version 7, address translation was required; if traffic did not match a configured NAT statement it was dropped. With OS version 7, NAT became optional, and traffic that did not match a NAT statement was allowed through untranslated.
Note: There are commands that turn off the requirement for address translation, and there is a command that makes OS version 7 and newer work the same as the previous versions.
Note: For public addresses not requiring NAT, static NAT can be configured with the same address used for both the local and global addresses.
Note: Static NAT is always matched before dynamic NAT.
To require translation for OS version 7 or higher enter the following:
ASA(config)# nat-control

Dynamic NAT is a two part process. The nat command defines the local (source) interface and the addresses that need to be translated. The global command defines the destination (exit) interface and the addresses the local values are translated to. The NAT_ID ties the two commands together. A NAT_ID of 0 disables required address translation for that range of local addresses and does not use a global statement.
Dynamic address translation:
ASA(config)# nat (<logical_if_name>) <NAT_ID> <local_ip_address> <SNM>
Note: An address and SNM of 0.0.0.0 0.0.0.0 cause the device to translate all addresses.
ASA(config)# global (<logical_if_name>) <NAT_ID> <1st_global_ip>-<last_global_ip> [netmask <SNM>] | interface
The interface option causes the device to PAT behind the address of the selected logical interface, which is what devices using a WAN DHCP client need.

Static NAT:
ASA(config)# static (<local_interface_name>,<global_interface_name>) <global_ip_address> <local_ip_address> [netmask <SNM>]
Static PAT is a form of port redirection and is covered in my ACL notes.
Note: ACLs may be used with NAT (policy NAT) so that both the source and destination addresses decide whether the translation applies.
Note: For traffic entering your network, filtering (ACLs and conduits) is always completed before NAT in these versions, so the global (mapped) addresses must be used in the ACL or conduit statements. From 8.3 the order is reversed and ACLs are written with the real addresses.
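A complete pre-8.3 translation policy putting the nat/global pair, identity NAT, static NAT and the ACL-before-NAT rule together, as an added example of mine (not from the original notes). The interface names, the 192.168.1.0/24 inside, 172.16.1.0/24 DMZ, 10.9.9.0/24 untranslated subnet and the public address 203.0.113.5 are assumed.

```cisco
! Added example: PIX/ASA 7.0 - 8.2 NAT. All addresses and names are assumed.
! Interfaces: inside 192.168.1.0/24 (100), dmz 172.16.1.0/24 (50), outside (0, DHCP client).
! A DMZ web server 172.16.1.10 is published on 203.0.113.5; 10.9.9.0/24 (for example
! a VPN-connected site) must cross the firewall without translation.
!
! Require a matching translation for every flow (the pre-7 behaviour).
nat-control
!
! Dynamic PAT: NAT_ID 1 ties the nat line (real side) to the global line (mapped side).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface          ! PAT behind the outside address, works with a DHCP client
!
! Identity NAT: NAT_ID 0 means "do not translate" and has no matching global line.
nat (inside) 0 10.9.9.0 255.255.255.0
!
! Static NAT: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz,outside) 203.0.113.5 172.16.1.10 netmask 255.255.255.255
!
! Inbound ACL. In these versions the ACL is evaluated BEFORE un-NAT, so it must name
! the MAPPED (global) address 203.0.113.5, not the real 172.16.1.10. An ACL written
! with the real address here never matches and the server stays unreachable.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 80
access-group OUTSIDE_IN in interface outside
!
clear xlate                             ! make existing flows pick up the new NAT rules
!
! Checks:
show running-config nat
show running-config global
show running-config static
show xlate detail                       ! the static entry plus PAT entries for active inside flows
show access-list OUTSIDE_IN             ! hit counts confirm the permit line is matching
```

Because nat-control is set, an inside host outside 192.168.1.0/24 and outside the NAT_ID 0 range gets no translation and is dropped; show xlate and the 305xxx / 106xxx syslog messages are the first place to look when that happens.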

OS Version 8.3 and Higher NAT and PAT


OS version 8.3 and newer use network objects to complete their NAT and PAT configurations, which is designed to simplify the process. The global and static commands are no longer supported. This form of NAT is referred to as Auto NAT or object NAT. A network object is created, and then the NAT is configured within that object. Network objects can be a host, subnet or range of addresses.
NAT configuration:
ASA(config)# object network <name>
ASA(config-network-object)# host <ip-address>
   or
ASA(config-network-object)# subnet <net-address> <snm>
   or
ASA(config-network-object)# range <ip-address1> <ip-address2>
! Dynamic NAT or PAT
ASA(config-network-object)# nat [(<real-intf>,<mapped-intf>)] dynamic {<mapped-inline-host> [interface] | [<mapped-obj>] [pat-pool <mapped-obj> [round-robin]] [interface]} [dns]
! Static NAT
ASA(config-network-object)# nat [(<real-intf>,<mapped-intf>)] static <ip-address>
Note: See examples in the ASA example configs or the PIX and ASA example networks fall 2013 PowerPoints.
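The following added example of mine (not from the original notes) ties together the three pieces above: the network and service objects from the object section, the 8.3+ object NAT from this section, and the static NAT plus outside ACL that the DMZ section says normally follows the DMZ interface setup. It assumes the inside, dmz and outside interfaces already exist with the addresses shown, and all object names and addresses are assumed values. It ends with the packet-tracer check described later in these notes.

```cisco
! Added example: ASA 8.3+ object NAT for a DMZ server plus inside PAT. All values assumed.
! Interfaces already configured: inside 192.168.1.0/24 (100), dmz 172.16.1.0/24 (50),
! outside 203.0.113.2/29 (0). Web server 172.16.1.10 is published as 203.0.113.5.
!
! Network objects: one per real address or subnet that needs translating.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface       ! PAT inside hosts behind the outside address
!
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.5         ! one-to-one static NAT for the server
!
! Service object-group: the ports the server publishes.
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! Inbound policy. From 8.3 the ACL matches the REAL address (the object DMZ-WEB,
! 172.16.1.10), not the mapped 203.0.113.5, because un-NAT now happens before the ACL.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Checks:
show nat                      ! translate_hits / untranslate_hits per object rule
show xlate                    ! current translations
show access-list OUTSIDE_IN   ! the object-group expands to one entry per port, each with a hit count
clear xlate                   ! after changing NAT, so stale translations are dropped
!
! Trace a synthetic inbound HTTP packet from an outside host to the PUBLIC address.
! The phases should show un-NAT to 172.16.1.10, the OUTSIDE_IN permit, and Result: ALLOW.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.5 80 detailed
```

Writing the ACL with host 203.0.113.5 instead of the object is the most common mistake when moving from 8.2 to 8.3 configs: the ACL then has zero hits and the packet-tracer output stops at the ACCESS-LIST phase with DROP.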

Protocol Fixups and Application Inspection


PIX Protocol Fixups and ASA Policy Inspection
Stateful firewalls and network address translation have problems working with some applications. Some of these basic problems are:
  Applications that open multiple connections
  Applications and protocols that embed addressing and connection information in the application layer data
  Applications and protocols that have security issues
  Port number conversion made by the translating device
Cisco has identified many of the common applications and protocols that have these issues and has set up corrections for many of them. The default configurations of the PIX 501 and ASA 5505 include commands to correct for the most used applications and protocols.
PIX - these are the fixup commands.
ASA - these are the policy inspection commands (inspect lines under a class in a policy map, applied with service-policy).

ICMP to and Through the Device


ICMP Traffic
ICMP traffic has different issues depending on whether it is directed at the device's interfaces or passing through the device. It also depends on the direction of the ICMP traffic, high security to low security or low to high security. ICMP is not a stateful protocol and does not create a connection that can be entered into a state table to be used for the returning traffic. ICMP also embeds address information in the data payload of the packets. By default, ICMP packets are allowed to flow from the high security interface to the low security interface, but are denied entry at the low security interface even when they are the returning responses.
Through OS version 6, ICMP fixup was enabled to fix the embedded address problem automatically. In version 7 and higher the fix is disabled by default and can be enabled through policy maps.
ICMP traffic through the device can be allowed by using ACLs for version 6 or higher. For version 7 or higher an inspection policy may also be configured that turns on stateful tracking for ICMP, matching replies to their requests by the identifier and sequence numbers in the ICMP headers. ICMP and ACLs are covered in my device filtering notes.

ICMP Inspection Configuration
ASA(config)# class-map icmp-class-map
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy_map
ASA(config-pmap)# class icmp-class-map
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# inspect icmp error
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy_map interface inside
Note: ICMP inspection can instead be added directly to the default inspection rules (policy-map global_policy, class inspection_default).

ICMP Traffic Directed at the Device Interfaces
For SOHO devices ICMP responses are enabled by default to allow easy network troubleshooting. For all other PIX or ASA models it is disabled by default to improve security. The following command allows or denies ICMP traffic to a device interface.
ASA(config)# icmp {permit | deny} <src_ip_address> <src_SNM> [<ICMP_message_type>] <logical_interface_name>
ICMP_message_type can be the message name or number. If no message type is entered it defaults to all ICMP message types.
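An added example of mine (not from the original notes) showing the two ICMP controls side by side: inspection added to the factory default global policy rather than a new policy map, and interface rules that allow pings to the firewall from the inside only. It assumes the default global_policy / inspection_default policy map exists, an inside network of 192.168.1.0/24, and interfaces named inside and outside.

```cisco
! Added example: ICMP through the ASA and to its interfaces. Network values assumed.
!
! Through the device: add ICMP inspection to the existing default policy. Echo replies
! (and, with "error", ICMP errors about inspected connections) are then matched to their
! request and allowed back in from the low security side without an ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! To the device's own interfaces. Rules are checked top down per interface, and as soon
! as one icmp rule exists for an interface everything not listed for it is denied.
icmp permit 192.168.1.0 255.255.255.0 echo inside        ! inside admins may ping the firewall
icmp deny any inside                                      ! nothing else from inside (explicit, for readability)
icmp deny any outside                                     ! the outside address does not answer pings or anything else
!
! Checks:
show service-policy inspect icmp      ! packet counters prove the inspection is active
show running-config icmp              ! the interface rules in the order they are evaluated
```

With icmp deny any outside in place, traceroute-style ICMP errors addressed to the outside interface itself are also dropped; that is the trade-off this example makes for a quiet edge, and it does not affect transit traffic that is handled by the inspection.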

Logging
Logging The appliances can log many different events such as denied TCP connections, console logins, IDS or IPS matches , ACL deny matches and many more. Depending on the configuration the device can log to the console, an internal buffer, an SNMP management station, email messages or an external syslog server. The default is to log to the console. The information logged depends or the severity level configured. The lower the severity level number the more important the message is. When a value is set, the device will log the message set and any messages with a lower level value. Severity levels: Level # 0 1 2 3 4 5 6 7

Level Name Emergencies Alerts Critical Errors Warnings Notification Informational Debugging

Description Indicates the device is unusable. You need to take immediate action to fix the problem. A critical condition exists on the device. The device experienced an error. There is a configuration or processing error. A normal, but important event occurred, such as someone configuring the device. Something occurred on the device, such as a match on an ACL deny statement. Displays the output of debug commands.

Logging configuration commands:
ASA(config)# logging enable
ASA(config)# logging buffered <severity_level>
ASA(config)# logging asdm <severity_level>
ASA(config)# logging console <severity_level>
ASA(config)# logging monitor <severity_level>
ASA(config)# [no] logging message <message_id>
ASA(config)# logging host <logical_if_name> <syslog_ip_add> [tcp/<port#> | udp/<port#>]
ASA(config)# logging facility <facility#>
ASA(config)# logging trap <severity_level>
ASA(config)# logging standby
ASA(config)# logging device-id {hostname | ipaddress <logical_if_name> | string <text>}
ASA(config)# logging timestamp
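A complete logging setup sending to an external syslog collector over TCP, as an added example of mine (not from the original notes). The collector address 192.168.1.50 on the inside interface, the port 1470, and the choice of which message IDs to suppress are assumed; 302013/302014 are the TCP connection built/teardown messages and 106023 is the ACL deny message.

```cisco
! Added example: syslog to a collector over TCP with a local buffer. Collector values assumed.
logging enable
logging timestamp
logging device-id hostname             ! the collector can then tell several appliances apart
logging buffered warnings              ! local ring buffer keeps levels 0-4 for quick troubleshooting
logging trap informational             ! levels 0-6 go to the syslog server
logging asdm informational
logging facility 20
logging host inside 192.168.1.50 tcp/1470
! TCP syslog fails CLOSED: if the collector is unreachable the ASA stops admitting NEW
! connections through the firewall. permit-hostdown keeps forwarding traffic in that case.
logging permit-hostdown
!
! Per-connection build/teardown chatter is the bulk of level 6; drop it if the collector
! only needs security events (ACL denies 106023 are still sent).
no logging message 302013
no logging message 302014
!
! Keep informational output off the console; it slows the CLI on a busy box.
no logging console
!
! Checks:
show logging                           ! settings, per-destination counters and the buffered messages
show logging | include 106023          ! only the ACL deny events from the buffer
```

Choose permit-hostdown deliberately: without it a dead collector becomes an outage, with it a dead collector becomes a gap in the audit trail. Either way show logging reports the TCP destination status so the failure is visible.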

Show Commands Page 1


Show Commands
ASA# show access-list                  (displays the ACL entries, expanded from any object groups, with hit counters)
ASA# show arp                          (displays the ARP table)
ASA# show clock                        (displays the system clock)
ASA# show configuration                (shows the contents of the startup configuration)
ASA# show conn                         (shows the connection table)
ASA# show conn detail                  (shows the connection table with each connection's state flags, SYN, ACK, etc.)
ASA# show cpu usage                    (displays the % of CPU usage)
ASA# show dhcpd binding | state | statistics   (displays the DHCP host MAC to IP address bindings, the interface states (client or server), and the DHCP pool and message statistics)
ASA# show disk                         (displays the files on the disk; disk0 is flash)
ASA# show disk filesys                 (displays the disk geometry and file format, sectors, clusters etc.)
ASA# show disk all                     (displays the two items above)
ASA# show firewall                     (displays the firewall mode, routed or transparent)
ASA# show failover                     (displays the failover runtime info, not available on the 5505)
ASA# show flash                        (displays the files in flash)
ASA# dir                               (displays the files and directory information)
ASA# show interface [detail | ip brief | stats | e0/0 (etc.) | vlan <#> | inside | outside]   (displays information on the interface option selected)
ASA# show ip                           (shows the IP addresses on the interfaces and the method of assignment)
ASA# show ip address [e0/0 (etc.) | vlan <#> | inside | outside]   (displays the IP information for the option selected)

Show Commands Page 2


ASA# show logging                      (shows the logging settings, enabled or disabled, and the buffered messages)
ASA# show memory                       (shows RAM use and availability)
ASA# show nameif                       (displays the logical interface names and their security levels)
ASA# show names                        (displays the static hostnames configured)
ASA# show nat                          (displays the NAT policies configured on the device)
ASA# show running-config               (displays the configuration in RAM)
ASA# show running-config interface     (displays the interface portion of the configuration in RAM)
ASA# show startup-config               (displays the configuration in NVRAM)
ASA# show ssh sessions                 (displays the active SSH sessions, with ID numbers)
ASA# ssh disconnect <session_ID>       (disconnects the selected SSH session)
ASA# show switch vlan                  (displays the VLANs configured and the port assignments)
ASA# show switch mac-address-table     (displays the port to MAC address table)
ASA# show traffic                      (displays the traffic statistics for all interfaces)
ASA# who                               (displays the active telnet sessions)
ASA# kill <session_ID>                 (disconnects the selected telnet session)
ASA# show version                      (displays information on the ASA or PIX: OS version, ASDM version, config register value, interface and memory information and license info)
ASA# show xlate                        (displays the NAT translations)
ASA# show xlate detail                 (displays the NAT translations with details on the method used, static, dynamic etc.)

Show Command Modifiers

Show running or startup config modifiers

ASA# show running-config all                      displays the whole configuration including the default settings (physical port settings etc.)
ASA# show running-config interface e0/0           displays the configuration of just that interface
ASA# show running-config | begin nat              displays the configuration starting at the first line containing nat
ASA# show running-config | include ip address     displays only the lines that contain "ip address"
ASA# show running-config | exclude ip address     displays only the lines that do not contain "ip address"

Packet Tracer Command


Packet Tracer
Packet Tracer is a feature added to the ASA starting with version 7.2. It can be used to check the configuration of the device, including its security policies, and is supported by both the CLI and ASDM. It lets you describe a synthetic packet and trace it through the device (ACL, NAT, routing, inspection and so on) to see whether the device handles it the way you intended. If the packet is dropped, the trace shows which phase dropped it and why; otherwise it shows that the packet would have made it through the device. The command lets you specify the ingress interface for the packet, its protocol, its source and destination addresses and the source and destination port numbers (or the ICMP type, code and identifier).
ASA# packet-tracer input <src_interface_name> {tcp | udp} <src_address> <src_port> <dest_address> <dest_port> [detailed] [xml]
ASA# packet-tracer input <src_interface_name> icmp <src_address> <ICMP_type> <ICMP_code> [<ICMP_identifier>] <dest_address> [detailed] [xml]
Note: For inbound traffic to a server behind static NAT, give the destination as the address the outside world sees (the mapped address); the trace then shows the un-NAT step followed by the ACL check.

Password Recovery PIX


Password Recovery
Password recovery is needed when someone has changed or lost the passwords for the device. For security, password recovery requires access to the device through the console port (physical access) and is completed by causing the device to boot into monitor / ROMMON mode. From that point the password recovery varies depending on the device, PIX or ASA, and the model. Entering monitor / ROMMON mode is done the same way on both the PIX and the ASA: reboot the device and hit the Break or ESC key within 10 seconds.

PIX
Older PIX used floppy disks and did the recovery using a program on the floppy disk. Newer PIX do not have floppy drives, but still use a program to blank the passwords. The PIX downloads the program from a TFTP server and uses it to blank the passwords. The version of the password recovery program matching the PIX OS version must be placed in the TFTP root folder of the TFTP server. (For our PIX the correct file is np63.bin.) After that you can boot the PIX OS and configure new passwords for the device.
monitor> interface <int_number>
monitor> address <PIX_interface_ip_address>
monitor> gateway <router_ip_address>        (only if there is a router between the PIX and the TFTP server)
monitor> server <TFTP_server_ip_address>
monitor> file <BIN_file_name>
monitor> ping <TFTP_server_ip_address>
monitor> tftp

Password Recovery ASA


ASA
The ASAs perform their password recovery the same way as newer routers. You boot to ROMMON mode and change the configuration register so that the ASA ignores the startup-config at boot, then boot the ASA, go to privileged mode, change the passwords and set the configuration register back to its normal value. The ASA values for the configuration register are different from those of the routers.
ASA normal boot   confreg 0x1
ASA recovery      confreg 0x41

rommon> confreg
Follow the prompts, accepting the default values, until you get to the "disable system configuration?" question. Enter y, then complete the process accepting the default values.
Or
rommon> confreg 0x41
rommon> boot
The ASA boots the OS without loading the startup-config.
1 Enter privileged mode (the enable password is blank at this point).
2 Copy the startup-config to the running-config so the rest of the configuration is kept:   ASA# copy startup-config running-config
3 Configure the new passwords.
4 Change the configuration register back to normal:   ASA(config)# config-register 0x1
5 If needed, re-enable the interfaces.
6 Save the running-config to the startup-config:   ASA# write memory
Note: Anyone with console access can do this, so the console port needs the same physical protection as the device itself. The no service password-recovery command disables this procedure (recovery then erases the configuration instead).
