ASA built-in help

Did you know that the kind coders at Cisco has put a lot of help for us into the CLI of ASA firewall? Here are two examples:

  • vpnsetup todo-list
  • With the vpnsetup-command you can see a list of configuration tasks needed for setting up different types of VPN:

    fw2(config)# vpnsetup ?

    configure mode commands/options:
    ipsec-remote-access Display IPSec Remote Access Configuration Commands
    l2tp-remote-access Display L2TP/IPSec Configuration Commands
    site-to-site Display IPSec Site-to-Site Configuration Commands
    ssl-remote-access Display SSL Remote Access Configuration Commands

    Let´s say that we need to make a new Lan2Lan-tunnel:

    fw2(config)# vpnsetup site-to-site steps

    Steps to configure a site-to-site IKE/IPSec connection with examples:

    1. Configure Interfaces

    interface GigabitEthernet0/0
    ip address
    nameif outside
    no shutdown

    interface GigabitEthernet0/1
    ip address
    nameif inside
    no shutdown

    2. Configure ISAKMP policy

    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha

    3. Configure transform-set

    crypto ipsec transform-set myset esp-aes esp-sha-hmac

    4. Configure ACL

    access-list L2LAccessList extended permit ip

    5. Configure Tunnel group

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
    pre-shared-key P@rtn3rNetw0rk

    6. Configure crypto map and attach to interface

    crypto map mymap 10 match address L2LAccessList
    crypto map mymap 10 set peer
    crypto map mymap 10 set transform-set myset
    crypto map mymap 10 set reverse-route
    crypto map mymap interface outside

    7. Enable isakmp on interface

    crypto isakmp enable outside


  • Command syntax help
  • Of course you can use question-mark and tab-completion. But did You know that there is also a built-in man-page for every command? Try “help

    fw2(config)# help global


    [no] global () {[-] [netmask ]} | interface
    show running-config [all] global [()] []
    clear configure global


    global Specify, delete or view global address pools,
    or designate a PAT(Port Address Translated) address


    <(ext_if_name)> The external network interface name

    The id of the nat group(from the nat command) that
    will draw from these global addresses

    The IP address, network or range of addresses that will
    dynamically be translated on an as needed basis to hosts
    in the nat group .
    If this is connected to the Internet, the
    should be registered with the Network Information
    These addresses should also be reverse resolvable(
    on the outside DNS servers.
    An address specified singly will be used as a PAT address.
    When all of the non-PAT addresses of a global pool are in use
    and there is a PAT address, subsequent hosts from the nat
    group will share the single PAT address for up to
    the number of licensed connections.
    [netmask ] The netmask of the global_ip.

    interface IP address of overloaded for PAT.

    see also: nat, alias, static


Posted in Cisco Security


[mc4wp_form id="2457"]
Website Security Test