Cisco

Cisco command line bits:

Some of the notes have been taken from:

http://www.routeralley.com/ra/docs/pixos_command_line.pdf
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/63_cmd.pdf

as well as various other sites…

areas covered:

A few general bits
To connect via serial port from a windows machine
Getting into the correct mode
To change the password
To set the firewall name
Help
Show
Write changes to memory
View the running config
View the startup config
To restart the firewall
Grep
Change ip address
How to wipe a firewall
How to add a new access rule
How to add a new line
How to add a rule at position x (after another rule)
How to add a comment to a rule
How to clear a complete access list - dangerous!!
How to clear 1 line from an access list
How to "undo" a change
Commands for firewalls in pairs
Vpn commands
Extract VPN PSK from a running config
Show if a VPN is established
Show the number of connections
Show arp details

A few general bits

As on Linux, tab completion works and the up arrow recalls previously entered commands (the history is not kept across a reboot).
The GUI (ASDM) is generally easier to use but in some cases the command line is needed.
To access the GUI browse to https://<firewall ip> and you will be able to download the ASDM-IDM Launcher.
To access the command line you can ssh to the firewall or connect via a serial (console) cable from a local machine.
A lot of commands have abbreviations, e.g. config terminal is the same as conf t.
Commands which can be run are shown on their own line below.

To connect via serial port from a windows machine

If connected via a USB-to-serial adapter, open Device Manager, expand Ports and check which COMx port the adapter is using.
Then open PuTTY, choose Serial as the connection type and connect to COMx (the console default is 9600 baud, 8 data bits, no parity, 1 stop bit).
You will get a black screen; press Enter and you should see a prompt.

Getting into the correct mode

The default (user mode) prompt is >
To enter privileged mode type en (short for enable) and then the enable password; the prompt should change to #
Very little configuration can be changed directly from privileged mode. Instead you must enter global configuration mode with config terminal (or conf t); the prompt should then change to (config)#

If a particular command is rejected, make sure you are in the correct mode.

To change the password


enable password PASSWORD # sets the privileged (enable) password; it is stored in the config as a hash, and like any change it needs wr me to survive a reload

To set the firewall name

hostname MYFIREWALL

Help

type ? or help to view more details

Show

to show details of… use the sh (short for show) commands:
sh ve # show the version
sh version # identical to the above: sh ve is just the abbreviation of show version, which shows version and licensing info
sh hist # shows the command history
sh ip # shows the IP addresses configured on interfaces
sh interface # view physical and data-link information about interfaces
sh memory # view memory
sh cpu usage # view cpu usage
sh access-list # show all access lists, with line numbers and hit counts
sh access-list outside_access_in # show only the access list outside_access_in
sh access-group # show which access list is applied to which interface and in which direction

Write changes to memory

wr me # short for write memory; copies the running config to the startup config. Important: if the firewall is rebooted and the change has not been saved the config reverts to what it was before the change. Check the change with show run before saving, since wr me also makes mistakes permanent.

View the running config

write terminal or show running-config

View the startup config

show startup-config (show configure on PIX 6.x) # the saved config; it differs from the running config if changes have been made but not written

To restart the firewall:

reload # reboots the firewall; it asks whether to save the running config if there are unsaved changes, and the firewall is unavailable until it is back up

Grep

command | grep search_term, e.g. show run | grep 1.2.3.4
or sh run | i 1.2.3.4 (i is short for include)
the search term is a regular expression, so a dot matches any character; 1.2.3.4 will also match 1.2.3.40 and 11.2.3.4

Change ip address

To assign an IP address to an interface (PIX 6.x syntax: interface name, then address and mask):
ip address OUTSIDE 192.168.1.10 255.255.255.0
On ASA 7.x and later the same is done under the interface, e.g. interface Ethernet0/0, then nameif outside, then ip address 192.168.1.10 255.255.255.0
make sure you have run conf t to enter config mode first, and after entering the command run wr me to save the change.

How to wipe a firewall

• Plug the firewall into a PC via the console cable.
• Start PuTTY, select Serial under connection type and connect.
• Plug in the power of the firewall. You will see it start up in the PuTTY window.
• Once the firewall has started up type en.
• Now enter the password that is set.
• Now type wr er (write erase). This erases the stored (startup) configuration of the firewall.
• Enter reload to reboot the firewall. Answer no if it asks to save the config, otherwise the running config is written straight back.
• Once the firewall starts up you should see a prompt to pre-configure the firewall. Select no.
• Type en and enter a blank password.
• Next type conf t to enter configuration mode.
• Now to reset the firewall type configure factory-default. This returns it to factory settings.
• After the reset is complete type wr me. This writes the new configuration to the firewall's memory.
• Check the version of the firewall by typing sh ve; if required label the firewall with its version (10IP etc).
• Once this is complete the IP address will need to be removed from the inside interface. To do this:
• ASA5505
o interface vlan1
o no ip address
o nameif inside
o security-level 100
o wr me

• ASA5510
o interface Ethernet 0/1
o no ip address
o nameif inside
o security-level 100
o wr me

The firewall now has a blank enable password, so set one (enable password PASSWORD, then wr me) before it goes anywhere near a network.

How to add a new access rule

Log in to the firewall
Run en to get into privileged mode
Run conf t to get into configure mode
Run show access-list to see what already exists

How to add a new line

access-list outside_access_in permit tcp host 1.2.3.4 host 5.6.7.8 eq https
# where the access list you want to add to is outside_access_in and you want to allow access from 1.2.3.4 to 5.6.7.8 where the service is https (the ASA stores this as access-list outside_access_in extended permit ...)
save the changes with wr me
by default this adds the rule to the bottom of the access list; the list is evaluated top down and the first match wins, so a new permit below an existing deny that also matches will never be hit
the list only filters traffic once it is applied to an interface, e.g. access-group outside_access_in in interface outside

How to add a rule at position x (after another rule):

• Run show access-list to see what already exists and make a note of the line you want to include it after (each entry reads …line XX…)
• e.g. if you want to include it after this line:
access-list outside_access_in line 40 permit tcp host 1.2.3.4 host 5.6.7.8 object-group SSH
• use that line number plus 1, i.e.
access-list outside_access_in line 41 permit tcp host 1.2.3.4 host 5.6.7.8 eq https
• the new rule becomes line 41 and whatever was line 41 (and everything below it) moves down one line, so re-run show access-list before making a second insert by line number
wr me

How to Add a comment to a rule

• run show access-list to see what already exists and note the line number of the rule. Remarks are entries in their own right, so give the remark the line number of the rule it should sit above, e.g. to comment this line
access-list outside_access_in line 40 permit tcp host 1.2.3.4 host 5.6.7.8 object-group SSH
• run access-list outside_access_in line 40 remark test12
• the remark is now line 40 and the rule it describes has moved to line 41

How to clear a complete access list - dangerous!!

clear access-list outside_access_in
# PIX 6.x syntax; run without a name it clears every access list. On ASA the equivalent is clear configure access-list outside_access_in (clear access-list outside_access_in counters only resets the hit counts). If the list is still applied with access-group, check with show access-group what the interface has been left with.

How to clear 1 line from an access list

run show access-list, find the line you want to remove, copy and paste the entry and prefix it with the word no, e.g.
no access-list outside_access_in line 53 remark testrule
the line keyword is optional for removal (the ASA matches on the entry text), and the entries below it move up one line
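
The three access-list edits above (insert after a line, add a remark, remove a line) all depend on getting the line number right and on knowing how the other entries move afterwards. The script below is an added example, not part of the original notes and not Cisco's code: it parses a constructed sample of show access-list output (the ACL name, addresses, hit counts and hashes are made up), prints the access-list NAME line N command for an insert or a remark, and prints the matching no command to back it out. The ASA itself is never contacted; the script only prepares what you would paste in.

```python
"""Plan an ASA/PIX access-list edit from the text of `show access-list`.

Added example for these notes, not Cisco's code.  It parses a constructed
sample of `show access-list` output, builds the `access-list NAME line N`
command that puts an entry or remark at a chosen position, and the `no`
command that backs it out.  The ACL name, addresses, hit counts and hashes
in the sample are made up.
"""
import re

# Constructed sample of `show access-list` output.  The indented line is the
# per-host expansion the ASA prints under an object-group entry; it reuses
# the parent's line number.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list outside_access_in; 4 elements; name hash: 0x7e7b2c4e
access-list outside_access_in line 1 remark Management access
access-list outside_access_in line 2 extended permit tcp host 1.2.3.4 host 5.6.7.8 object-group SSH 0x1a2b3c4d
  access-list outside_access_in line 2 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq ssh (hitcnt=17) 0x1a2b3c4d
access-list outside_access_in line 3 extended permit tcp host 1.2.3.4 host 5.6.7.8 eq smtp (hitcnt=0) 0x2b3c4d5e
access-list outside_access_in line 4 extended deny ip any any log (hitcnt=321) 0x3c4d5e6f
"""

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<num>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-fA-F]+)?$"
)


def parse_show_access_list(text, name):
    """Return the entries of one ACL, in order, as (line_number, entry_text).

    Remarks count as lines, which is why a remark's line number is the
    position it takes.  Indented expansion lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            continue
        m = ACE_RE.match(raw)
        if m and m.group("name") == name:
            entries.append((int(m.group("num")), m.group("body")))
    return entries


def plan_insert(entries, name, position, body):
    """Build the insert command for `body` at `position` and its rollback.

    Returns (command, rollback, new_entries).  The entry currently at
    `position` and everything below it moves down one line.  The rollback
    leaves out the `line` keyword: the ASA matches on the entry text, so it
    still removes the right entry after later edits have renumbered the list.
    """
    if not 1 <= position <= len(entries) + 1:
        raise ValueError(f"line {position} is outside 1..{len(entries) + 1}")
    command = f"access-list {name} line {position} {body}"
    rollback = f"no access-list {name} {body}"
    bodies = [b for _, b in entries]
    bodies.insert(position - 1, body)
    return command, rollback, list(enumerate(bodies, start=1))


def demo(name="outside_access_in"):
    acl = parse_show_access_list(SHOW_ACCESS_LIST, name)
    # An https rule directly after the SSH rule (line 2) takes line 3; the
    # old line 3 (smtp) and the final deny move down.
    cmd, undo, acl = plan_insert(
        acl, name, 3, "extended permit tcp host 1.2.3.4 host 5.6.7.8 eq https")
    print(cmd, "\n  rollback:", undo)
    # A remark for the https rule goes at the rule's own line number: the
    # remark becomes line 3 and the rule it describes becomes line 4.
    cmd, undo, acl = plan_insert(acl, name, 3, "remark test12")
    print(cmd, "\n  rollback:", undo)
    for num, body in acl:
        print(f"access-list {name} line {num} {body}")
    return acl


if __name__ == "__main__":
    demo()
```

Keep the printed rollback commands with the change record: they are the quickest "undo" if the new rule turns out to break something, and they keep working even after the list has been renumbered by further edits.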

How to “undo” a change

use show history to find what has been entered and prefix the relevant command with no
as long as wr mem has not been run you could also reload the firewall (answer no when asked to save) and it comes back with the startup config, but this causes downtime…

Commands for firewalls in pairs

show failover # shows the status of the failover pair and which unit is active
no failover active # run on the active unit (normally the primary) to fail over to the standby
failover active # run on the standby unit (normally the secondary) to take over from the active one

Extract, VPN PSK from a running config:

more system:running-config | include key
# show running-config masks pre-shared keys as *****; more system:running-config prints them in clear, so anyone with enable access can recover every VPN PSK from the box
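
As an added example (not part of the original notes and not Cisco's code), the script below reads a saved copy of more system:running-config and maps each tunnel-group to its pre-shared key, which is what you want when auditing or migrating a box with many peers. Fed the output of show running-config instead, it reports the keys as masked. The config text is constructed: the peer addresses and keys are made up, and the 16-character threshold in weak_psks is an assumption, not a Cisco recommendation.

```python
"""Pull IPsec pre-shared keys out of a saved ASA config.

Added example for these notes, not Cisco's code.  It reads the text of
`more system:running-config` (or of `show running-config`, in which case it
reports the keys as masked) and maps each tunnel-group to its key.  The
config below is constructed; the peer addresses and keys are made up.
"""
import re

# Constructed: what `more system:running-config` shows for two l2l peers,
# one with the pre-8.4 keyword and one with the 8.4+ keyword.  The third
# peer shows what `show running-config` prints instead.
CONFIG = """\
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key S3cretKey1
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key OldStyleKey2
tunnel-group 192.0.2.77 type ipsec-l2l
tunnel-group 192.0.2.77 ipsec-attributes
 ikev1 pre-shared-key *****
"""

TG_RE = re.compile(r"^tunnel-group (?P<name>\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+(?:ikev1 )?pre-shared-key (?P<key>\S+)\s*$")
MASK = "*****"


def extract_psks(config_text):
    """Return {tunnel_group: key}.  A masked key is returned as None.

    A `pre-shared-key` line only counts when it follows a
    `tunnel-group ... ipsec-attributes` line, the sub-mode it belongs to;
    a top-level line (no indent) ends that sub-mode.
    """
    keys = {}
    current = None
    for line in config_text.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if not line.startswith(" "):   # back at the top level
            current = None
            continue
        m = PSK_RE.match(line)
        if m and current is not None:
            key = m.group("key")
            keys[current] = None if key == MASK else key
    return keys


def weak_psks(keys, min_len=16):
    """Tunnel-groups whose key is visible and shorter than min_len (assumed threshold)."""
    return sorted(n for n, k in keys.items() if k is not None and len(k) < min_len)


if __name__ == "__main__":
    found = extract_psks(CONFIG)
    for name, key in found.items():
        print(f"{name}: {'masked (use more system:running-config)' if key is None else key}")
    print("short keys:", weak_psks(found))
```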

Show if a VPN is established:

show vpn-sessiondb detail l2l # site-to-site tunnels that are up, with traffic counters
show crypto isakmp sa detail # phase 1 (IKE) security associations; on ASA 8.4 and later this is show crypto ikev1 sa (and show crypto ikev2 sa)

Show the number of connections

show conn # shows the details of each connection
show conn count # shows the number of connections

copy the show conn output to a file on a linux machine and then run awk '{split($3,array,":"); print array[1]}' conn_copy.txt | sort | uniq -c | sort -n | tail to see which addresses hold the most connections ($3 is the first addr:port on each line; the split drops the port)
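
The same count as the awk pipeline above, as an added example that is not part of the original notes and not Cisco's code, done in Python so that either end of each connection can be counted and the header line is not mistaken for an address. The show conn text below is constructed in the ASA 8.x layout (protocol, interface, addr:port, interface, addr:port); the addresses are made up.

```python
"""Find the busiest endpoints in saved `show conn` output.

Added example for these notes, not Cisco's code: the same count the awk
pipeline produces, done in Python so either end of the connection can be
counted.  The sample below is constructed; it uses the ASA 8.x `show conn`
layout (protocol, interface, addr:port, interface, addr:port).
"""
from collections import Counter
import re

SHOW_CONN = """\
5 in use, 48 most used
TCP outside 203.0.113.5:443 inside 10.1.1.10:51234, idle 0:00:05, bytes 1234, flags UIO
TCP outside 203.0.113.5:443 inside 10.1.1.11:51235, idle 0:00:07, bytes 4321, flags UIO
TCP outside 203.0.113.5:80 inside 10.1.1.12:51236, idle 0:01:12, bytes 80, flags UIO
UDP outside 198.51.100.9:53 inside 10.1.1.10:40001, idle 0:00:01, bytes 120, flags -
TCP outside 198.51.100.7:22 inside 10.1.1.20:52000, idle 0:10:00, bytes 9000, flags UIOB
"""

# Protocol, then interface and IPv4 addr:port for each end.  The header
# line (and anything else, e.g. an IPv6 connection) does not match and is
# skipped; the awk pipeline would count the header's third word instead.
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<if1>\S+) (?P<ip1>\d+(?:\.\d+){3}):(?P<port1>\d+)"
    r" (?P<if2>\S+) (?P<ip2>\d+(?:\.\d+){3}):(?P<port2>\d+)"
)


def parse_conns(text):
    """Yield one dict (proto, if1, ip1, port1, if2, ip2, port2) per connection line."""
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            yield m.groupdict()


def top_endpoints(text, end="ip1", n=5):
    """Most frequent addresses on one end of the connections, as (ip, count).

    end="ip1" is the first address printed (the outside peer in the layout
    above, the field the awk pipeline counts); end="ip2" is the second.
    """
    counts = Counter(c[end] for c in parse_conns(text))
    return counts.most_common(n)


def conns_to_port(text, port):
    """Connections whose first (outside) end is on the given port."""
    return [c for c in parse_conns(text) if c["port1"] == str(port)]


if __name__ == "__main__":
    print("outside peers:", top_endpoints(SHOW_CONN))
    print("inside hosts: ", top_endpoints(SHOW_CONN, end="ip2"))
    print("to port 443:  ", len(conns_to_port(SHOW_CONN, 443)))
```

Counting the inside end (end="ip2") is the one to look at when the connection count is climbing: a single inside host holding hundreds of connections to many outside peers is usually a scanner or malware, while one outside peer holding many connections to one inside host looks more like a flood.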

Show arp details

show arp # IP to MAC address mappings the firewall has learned, per interface