Need ASA cli commands.

My partner who was the ASA guy left, so I have been abruptly elected to fill the role.
I'm looking for some advice on some great CLI commands.
The 2 I'd really love to know are how to tell phase 1 is up and how do I check to see if there is interesting traffic coming across.
Thanks guys, I appreciate any and all help.

Start with those two:
show isakmp
show crypto ipsec sa [peer ....]
You can always check the command reference if missing anything.
Marcin
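As an added illustration (not part of Marcin's reply and not Cisco code), here is a small Python checker for the two questions asked: it reads a constructed sample of "show isakmp sa" to decide whether phase 1 is up for a peer, and compares two constructed snapshots of "show crypto ipsec sa" to see whether interesting traffic is actually passing. The peer address and counter values are made up for the example.

```python
import re

# Constructed sample of ASA "show isakmp sa" output (not taken from the poster's
# firewall); the phase 1 state of each peer is the "State" field of its entry.
SHOW_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Two constructed snapshots of "show crypto ipsec sa peer 203.0.113.2" taken a few
# seconds apart; only the packet counter lines are needed for the traffic check.
IPSEC_SA_T0 = """\
    peer address: 203.0.113.2
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
"""
IPSEC_SA_T1 = """\
    peer address: 203.0.113.2
      #pkts encaps: 175, #pkts encrypt: 175, #pkts digest: 175
      #pkts decaps: 140, #pkts decrypt: 140, #pkts verify: 140
"""

def phase1_states(show_isakmp_sa):
    """Map each IKE peer address to its phase 1 state (MM_ACTIVE, MM_WAIT_MSG3, ...)."""
    states, peer = {}, None
    for line in show_isakmp_sa.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
    return states

def phase1_up(show_isakmp_sa, peer):
    """Phase 1 is established once the peer's SA reaches an *_ACTIVE state; a
    MM_WAIT_MSGn state means the negotiation is stuck and has not completed."""
    return phase1_states(show_isakmp_sa).get(peer, "").endswith("_ACTIVE")

def ipsec_counters(show_ipsec_sa):
    """Outbound (encaps) and inbound (decaps) packet counters from the IPsec SA output."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", show_ipsec_sa)
    dec = re.search(r"#pkts decaps:\s*(\d+)", show_ipsec_sa)
    return {"encaps": int(enc.group(1)) if enc else 0,
            "decaps": int(dec.group(1)) if dec else 0}

def traffic_status(before, after):
    """Rising encaps = interesting traffic is being sent into the tunnel; rising decaps =
    the peer is sending traffic back. One-directional growth usually points at routing,
    NAT exemption or a crypto ACL mismatch on one side."""
    b, a = ipsec_counters(before), ipsec_counters(after)
    out, inn = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if out > 0 and inn > 0:
        return "bidirectional"
    if out > 0:
        return "outbound only"
    if inn > 0:
        return "inbound only"
    return "idle"
```

Run the two show commands twice a few seconds apart and feed the captured text to these functions; an "outbound only" result with phase 1 active is the classic sign that the far side is not returning traffic.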

Similar Messages

  • Need CLI commands for WPA2 Personal Mode

    I've seen this example, but I need the CLI the gui generates. Can anyone help out please?
    https://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
    This is what I need to accomplish w/o the gui interface on an 1142N running 12.4
    Configure in Personal Mode
    The term personal mode refers to products that are tested to be interoperable in the PSK-only mode of operation for authentication. This mode requires manual configuration of a PSK on the AP and clients. PSK authenticates users via a password, or identification code, on both the client station and the AP. No authentication server is necessary. A client can gain access to the network only if the client password matches the AP password. The password also provides the keying material that TKIP or AES uses to generate an encryption key for the encryption of the data packets. Personal mode is targeted to SOHO environments and is not considered secure for enterprise environments. This section provides the configuration that you need to implement WPA 2 in the personal mode of operation.

    Hi,
    Below are the CLI commands for WPA2 personal mode
    configure terminal
    interface dot11Radio 0
    encryption mode ciphers aes-ccm
      or
      encryption vlan mode ciphers aes-ccm < --- If you have multiple vlans
    exit
    dot11 ssid
        authentication open
        authentication key-management wpa version 2
        wpa-psk ascii
    Regards,
    Madhuri

  • What is the equivalent implementation of isr ios cli "ip tcp synwait-time 10" on asa cli

    I would like to see an implementation of an ISR IOS cli:
         ip tcp synwait-time 10
    on an ASA cli. thank you much in advance.

    Hi Oscar,
    this is supported but you need a class-map type management:
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296
    TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
    class-map type management CONTROL
    match access-list CONTROL_ACL
    policy-map global_policy
    class CONTROL
      set connection conn-max 1
    service-policy global_policy global
    In my tests, it worked for SSH but not for HTTPS:
    ciscoasa(config)# sh conn all
    2 in use, 2 most used
    TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB
    After other sessions:
    %ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
    %ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside
    ciscoasa(config)# sh conn all
    4 in use, 5 most used
    TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
    TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
    TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB
    Somehow, 0 hitcount on HTTPS ACL...
    ciscoasa(config)# sh access-list
    access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
    access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c
    ciscoasa(config)# sh asp drop
    Frame drop:
      Flow is denied by configured rule (acl-drop)                                 2
      First TCP packet not SYN (tcp-not-syn)                                      49
      Connection limit reached (conn-limit)                                        2
      FP L2 rule drop (l2_acl)                                                    48
    Flow drop:
      SSL bad record detected (ssl-bad-record-detect)                              3
    ciscoasa(config)# sh service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: CONTROL
          Set connection policy: conn-max 1
            current conns 1, drop 2
    you can also control each feature's timeouts separately via:
    telnet/ssh timeout 1
    http server idle-timeout/session-timeout 1
    Note: I tried this in GNS (asa 8.4.2) and using telnet from a router (not using a real browser for HTTPS) so the results might not reflect a production environment...
    Patrick

  • How to change to.pac file using CLI command ?

    I've asked this before but have not had much luck getting an easy fix.
    I need to change a large number of machines over to using a pac file instead of the current settings for secure and web proxies.
    It's not possible using 10.4 CLI command networksetup but I'm wondering if anyone may have another way of doing this ? Possibly a script or something ???
    Mitch

    Hi Min,
    You should move this question to Unified Communications Application community to get the expert answer on IP phone configuration. This community is for Cisco WebEx Meetings Server and Cisco Unified MeetingPlace products.
    Thank you.
    -Dejan

  • How get to CLI commands on WAP4410N

    Hi, I need to enable the WPS function on a WAP4410N. Help says that this is possible with the CLI command #set wps enable. But how can I connect to the WAP4410N with the CLI? Thanks for any suggestions.

    Hi Jan, you may telnet the WAP4410N. However, the CLI is not a supported configuration method.
    -Tom
    Please mark answered for helpful posts

  • Execute Hidden/Undocumented CLI Commands

    Hello,
    I am running into an issue running some undocumented/hidden CLI commands via the EEM Applet.
    I guess this is due to the fact that the Applet checks whether the CLI Command exists and the command is "hidden" .
    Is there a way to disable the CLI Command Check or possibly enable hidden commands specifically?
    Best regards,
    Tim
    EDIT:
    Specifically it is concerning show list in the following Applet:
    event manager applet memory_outputs
    event timer cron cron-entry "* */4 * * *"
    action 010 cli command "enable"
    action 020 cli command "terminal exec prompt timestamp"
    action 030 cli command "show processes memory sorted | redirect tftp://10.10.10.20/show_process_cpu_sorted$_event_pub_sec"
    action 040 wait 10
    action 050 cli command "show memory alloc totals | redirect tftp://10.10.10.20/show_memory_alloc_totals$_event_pub_sec"
    action 060 wait 10
    action 070 cli command "show list | redirect tftp://10.10.10.20/show_list$_event_pub_sec"
    action 080 wait 10
    action 090 cli command "end"
    But it seems show list is not executed due to the default maxrun of 20 seconds. I have not had the chance to confirm this...

    Yeah, you definitely need to add "maxrun 50" (or higher) for this applet.  Note: you can execute any CLI command via EEM that you can manually.  EEM uses the same VTY infrastructure for executing CLI commands.

  • Cli commands

    I am looking for a cli command to run a ut custom report with a custom layout. Currently I am using the cli to generate a report with a custom layout, but now I want to include a custom report. Here is my current command:
    /opt/CSCOpx/campus/bin/ut -u USER -p PASS -cli -query all -layout YELLOW. Where should I add my custom report name "red"? Next to -query, instead of "all" add "red"; is that working or something different? Thanks, Paul

    Instead of "-query all" you would use your custom query name.  For example, "-query RED".

  • What are the raw devices, CLI commands to take backup for raw devices

    CLI commands to execute these using brtools for raw devices
    1. Back up tablespace(s) online and offline using the BRBACKUP function util_file.
    2. Back up tablespace(s) online using the BRBACKUP function util_file_online.
    3.Back up offline redo log files using BRARCHIVE
    please give reply
    Thanks & Regards

    Hi,
    Raw devices are when you store your data directly on the device.
    It is like using the devices directly instead of data files on a file system. It can give you some performance benefits.

  • Does EEM support action cli command "set clock hh:mm:ss Mmm dd yyyy" ?

    conf t
    no event manager applet TEST
    event manager applet TEST
    event snmp oid 1.3.6.1.2.1.1.3.0 get-type exact entry-op gt entry-val "0" poll-interval 6
    action 001  cli command "clock set 00:00:00 Jan 1 1994"
    end
    show clock

    You're missing an "enable" cli command, but the clock set should work once you add it.

  • LMS 3.2 - URL or CLI-Command to manually start a CM datacollection

    Hello all,
    does anybody of you know whether it is possible to start a CM-DataCollection via either invoking a URL-Command or a CLI-Command?
    Thanks for any feedback
    Lothar

    No, this is not possible. Data Collection must be scheduled, or started via the GUI.

  • Need a unix command

    Hi all,
    I just can't figure this out... I need a unix command that will backup any file matching a specific file extension AND the directory structure those files are in into a separate directory or volume. In other words, let's say that I have the files and directory structure below. I want to backup all of the txt files as separate files (not a tar archive) without writing the img files, without overwriting one txt file with another, and preserving the directory structure.
    foo/bar/a.txt
    foo/bar/b.txt
    foo/bar/a.img
    foo/bar/b.img
    foo/me/a.txt
    foo/me/b.txt
    foo/me/a.img
    foo/me/b.img
    foo/me/you/a.txt
    foo/me/you/b.txt
    foo/me/you/a.img
    foo/me/you/b.img
    I've read the man pages for ditto and rsync... they're geared toward backing up every file in a directory, and so they're not very clear about how to backup one single file type/extension.
    Every time I try different variants of the rsync command, I either get errors "rsync error: some files could not be transferred (code 23) at /SourceCache/rsync/rsync-24.1/rsync/main.c(717)", or file not found, or it overwrites the 'a.txt' with a different 'a.txt' without preserving the directory structure.
    Can someone give me the exact syntax for backing up the .txt files in the example above to an external disk (e.g. /Volume/backup)???
    Thanks!

    OK... my example was oversimplified. There are tons of different types of files in my directories (*.img, *.gif, *.etc), and I only want to cp one type (e.g., .txt).
    So, I started with the --include flag using the following command:
    rsync -nav --include *.txt foo/ /Volumes/baz/
    the result listed every file in foo (e.g., *.txt, *.img)
    I thought that perhaps the \*.txt should be *.txt
    rsync -nav --include *.txt foo/ /Volumes/baz/
    the result listed every file in foo (e.g., *.txt, *.img)
    rsync -nav --include "*.txt" foo/ /Volumes/baz/
    again, the result listed every file in foo (e.g., *.txt, *.img)
    Clearly, the --include flag wasn't working as I expected it to work. So, I decided to try the --exclude flag:
    rsync -nav --exclude "*.img" foo/ /Volumes/baz/
    Now, the results listed every file in foo except the *.img files.
    I needed to exclude other files as well, so I tried:
    rsync -nav --exclude "*.img *.etc" foo/ /Volumes/baz/
    Now, the results listed every file in foo INCLUDING the *.img files. So, adding additional file types within quotes broke the original command.
    rsync -nav --exclude *.img *.etc foo/ /Volumes/baz/
    Now, I get the error "rsync: link_stat "/Volumes/HD/foo/*.etc" failed: No such file or directory (2)"; and all .etc files are still included
    Now I tried:
    rsync -nav --exclude *.img --exclude *.etc foo/ /Volumes/baz/
    Now, this excluded both *.img and *.etc files. I have about 20 file types other than *.txt ... there has to be some other way!!!
    PowerMac Dual 2.7GHz G5 Mac OS X (10.4.9) 4.5GB RAM
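Added example, not from the thread: the attempts above fail because rsync tests include/exclude rules in order, the first match wins, and anything matching no rule is still transferred, so "--include '*.txt'" on its own selects nothing extra and "--exclude '*.img *.etc'" is one pattern containing a space. The Python below is a simplified emulation of that rule matching (not rsync's code) plus a copy that keeps the directory structure; it builds a constructed copy of the foo/ tree in a temp directory. The working rsync form it models is: rsync -av --include '*/' --include '*.txt' --exclude '*' foo/ /Volumes/baz/

```python
import fnmatch
import os
import shutil
import tempfile

# Simplified model of rsync filter rules (written for this example, not rsync's code):
# rules are tried in order for every path, the first match decides, and a path that
# matches no rule is transferred. Keep directories, keep .txt, then exclude the rest.
NAIVE_RULES = [("include", "*.txt")]                 # matches nothing extra: default is "send"
SPACED_RULES = [("exclude", "*.img *.etc")]          # a single pattern with a space in it
CORRECT_RULES = [("include", "*/"), ("include", "*.txt"), ("exclude", "*")]

def selected(rel_path, is_dir, rules):
    """First matching rule wins. A pattern ending in '/' matches directories only;
    patterns are matched against the basename, like an unanchored rsync pattern."""
    name = os.path.basename(rel_path)
    for action, pattern in rules:
        if pattern.endswith("/"):
            hit = is_dir and fnmatch.fnmatch(name, pattern[:-1])
        else:
            hit = fnmatch.fnmatch(name, pattern)
        if hit:
            return action == "include"
    return True  # rsync default: nothing matched, so the path is transferred

def select_tree(src, rules):
    """Relative paths of the files the rules would transfer; an excluded directory is
    pruned so nothing beneath it is looked at, as rsync does."""
    chosen = []
    for root, dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        dirs[:] = [d for d in dirs if selected(os.path.join(rel_root, d), True, rules)]
        for f in files:
            rel = os.path.normpath(os.path.join(rel_root, f))
            if selected(rel, False, rules):
                chosen.append(rel)
    return sorted(chosen)

def copy_selected(src, dst, rules):
    """Copy the selected files under dst, recreating their directory structure so
    foo/bar/a.txt and foo/me/a.txt never overwrite each other. Returns what landed."""
    for rel in select_tree(src, rules):
        target = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    return select_tree(dst, [])  # no rules: list every file now present under dst

def build_sample_tree():
    """Constructed copy of the poster's layout in a temp dir: a.txt, b.txt, a.img and
    b.img in each of foo/bar, foo/me and foo/me/you. Returns (tmp_base, src_dir)."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "foo")
    for d in ("bar", "me", os.path.join("me", "you")):
        os.makedirs(os.path.join(src, d))
        for f in ("a.txt", "b.txt", "a.img", "b.img"):
            with open(os.path.join(src, d, f), "w") as fh:
                fh.write(d + "/" + f + "\n")
    return base, src
```

Because the include/exclude set is evaluated per path, the same three rules cover any number of other extensions without listing each one.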

  • Interactive CLI commands

    I'm quite new to EEM, so please bear with me.
    How can I handle interactive CLI commands. I want a script that detects when a configuration change has been made, and then copies the running configuration to a TFTP server.  This is what I have tried:
    event manager applet Configured
    event syslog pattern ".*%SYS-5-CONFIG_I.*"
    action 10 cli command "enable"
    action 20 cli command "copy run tftp"
    action 30 gets response
    action 40 puts "MyTFTPServer"
    action 50 gets response
    action 60 puts "MyRtr.run"
    action 70 end
    All that happens is:
    No.  Job Id Proc Status  Time of Event            Event Type        Name
    1    1      Actv abort    Mon May14 13:53:35 2012  syslog            applet: Configured
    2    2      Actv abort    Mon May14 13:53:46 2012  syslog            applet: Configured
    3    3      Actv abort    Mon May14 14:01:32 2012  syslog            applet: Configured
    4    4      Actv abort    Mon May14 14:02:11 2012  syslog            applet: Configured
    5    5      Actv abort    Mon May14 14:05:01 2012  syslog            applet: Configured
    6    6      Actv abort    Mon May14 14:06:18 2012  syslog            applet: Configured
    7    7      Actv abort    Mon May14 14:08:49 2012  syslog            applet: Configured
    (You see how many times I have tried to get it working ;-)  The problem seems to be the interactivity of the "copy run tftp" command.
    Can someone give me some guidance please?
    Kevin Dorrell
    Luxembourg

    OK, I got it
    event manager applet Configured
    event syslog pattern ".*%SYS-5-CONFIG_I."
    action 10 cli command "enable"
    action 20 cli command "copy run tftp" pattern "Address or name of remote host.*"
    action 30 cli command "MyTFTPServer" pattern "Destination filename.*"
    action 40 cli command "MyRtr.run"
    Kevin Dorrell
    Luxembourg

  • Is there a CLI command to check DLU's?

    available and used?
    This is version 7.1.5
    Thanks!
    Tracee

    Hi Tracee,
    There are no commands via cli related to the
    license/DLU's on 7.x. There are some new cli commands
    on 9.x related to licensing/ELM
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cli_ref/9_0_1/CUCM_BK_C3A58B83_00_cucm-cli-reference-guide-90_chapter_0100.html
    Cheers!
    Rob
    "Why do the best things always disappear " 
    - The Band

  • EEM CLI command not running

    Hi guys,
    I have an issue with an EEM applet that I have configured. Part of the applet is to run a kron occurrence. I know the applet is executing by viewing event manager history, but when I then run show kron schedule, the kron job is not set to run.
    If I manually input the same CLI commands, the schedule starts without issue.
    The config for the applet is below:
    event manager applet RESTORED
    event track 100 state up
    action 1.0 cli command "enable"
    action 1.1 cli command "conf t"
    action 1.2 cli command "kron occurrence MONITOR in 0:10"
    action 1.3 cli command "policy-list MONITOR"
    action 1.4 syslog msg "ATTENTION:THE CCT HAS RESTORED"
    exit
    Any help with this would be greatly appreciated.
    Thanks
    Scott

    I have debugged event manager action cli, and discovered that the reason the CLI commands are not taking is that aaa (tacacs) is applied to this router, so when the system attempts to enter commands, command authorisation is failing.
    *Jul 15 15:14:26.245: %TRACKING-5-STATE: 100 interface Lo100 ip routing Up->Down
    *Jul 15 15:14:26.261: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : CTL : cli_open called.
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : CC
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : This is a test router for SNMP traps
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR>
    *Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR>enable
    *Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#
    *Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#conf t
    *Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : Command authorization failed.
    *Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#
    *Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#no kron occurrence MONITOR in 0:03
    *Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :                      ^
    *Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
    *Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :
    *Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#
    Does anyone out there know if it's possible for EEM to authenticate against aaa?
    I did try adding a "login" command after
    action 1.0 cli command "enable", but this failed authorisation also.
    Thanks
    Scott

  • Brand new 2960X and 2960XR not responding to cli commands

    I have 2 brand new 2960X switches and neither are responding to cli commands via the RJ45 to DB9 cisco cable. Text is displayed but when I hit enter on the keyboard nothing happens and the switches just sit at whatever the last boot output is. 2960-XR just sits at 'vlan1, changed state to up.....' and I am never prompted for the express setup and no response to any keyboard input.
    I know the cable/keyboard works because I can connect it to a 2911 right beside the 2960's and have no problems using the same cable.
    Anyone seen this before?
    Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 28-Jun-13 13:20 by prod_rel_team
    Nov 22 10:49:54.277: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
    Nov 22 10:49:55.602: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down
    Nov 22 10:49:56.493: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to up
    Nov 22 10:49:56.493: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/48, changed state to up
    Nov 22 10:49:58.370: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to up
    Nov 22 10:49:58.412: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/48, changed state to up
    Nov 22 10:49:58.450: %PLATFORM_ENV-1-FAN_NOT_PRESENT: Fan is not present
    Nov 22 10:50:26.384: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

    Hello,
    Received today also 2 2960-x switches.
    Had the same issue...playing around with secureCRT settings (rts/cts, xon/xoff etc) ...no results.
    Tried Putty and it worked right away ...indeed strange, have never seen this before.
    Installed latest software 150.2ex4, still the same.
    regards michel
