Cisco ASA useful commands

In: Cisco Firewall

There are thousands of commands available on the Cisco ASA. I found some of the commands very useful when troubleshooting.

1. Removing a tunnel-group

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key lksdjflksd565glmfb

ASA (config)# clear configure tunnel-group 1.1.1.1

2. Viewing a list of Remote access VPN users

ASA# show vpn-sessiondb anyconnect | incl U
Username     : user1              Index        : 6787
Username     : user2              Index        : 8765

3. Displays information about a particular user

ASA# show vpn-sessiondb anyconnect filter name user1

Session Type: AnyConnect

Username     : user1                  Index        : 6787
Assigned IP  : 10.10.1.10             Public IP    : 1.1.1.1
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA256  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3894551326             Bytes Rx     : 1305056771
Group Policy : GRP-POLICY.            Tunnel Group : RA-VPN
Login Time   : 16:50:12 BST Tue May 7 2020
Duration     : 0d 8h:26m:44s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 00000000019e9025eb16f50
Security Grp : 10:Sales        

4. View the IPsec SAs built between peers.

The show crypto ipsec sa command shows the IPsec SAs that are built between the peers. The encrypted tunnel is built between IP addresses 2.2.2.2 and 1.1.1.1for the traffic that flows between the networks 10.10.1.0 and 10.20.1.0. You can also see the two ESP SAs built for the inbound and outbound traffic.

ASA/act/sec# show crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
    Crypto map tag: map, seq num: 10, local addr: 2.2.2.2

      access-list VPN-ACL extended permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1


      #pkts encaps: 16905, #pkts encrypt: 16905, #pkts digest: 16905
      #pkts decaps: 16906, #pkts decrypt: 16906, #pkts verify: 16906
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16905, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CEFTYUBA
      current inbound spi : CTYCBHYJ

5. ping tcp

This command allows the ASA device to send any TCP packet (TCP SYN) from any source IP to any destination IP on any port. This is very handy for troubleshooting. In this example, I'm testing connectivity from 10.10.1.10 to example.net (93.184.216.34) on port 80

 ping tcp $source_interface $dest_ip $dest_port source $src_ip $ $src_port
ASA# ping tcp inside 93.184.216.34 80 source 10.10.1.10 25000  
Type escape sequence to abort.
Sending 5 TCP SYN requests to 93.184.216.34 port 80
from 10.10.1.10 starting port 25000, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 69/70/73 ms

6. Find the name of an object for 10.1.1.1

ASA# show running-config object network in-line | i 10.10.1.1

object network web-server1 host 10.10.1.1

Note - in-line is used to view the output in one line

ASA# show run object network ?

  in-line  display the output in one line
  |        Output modifiers
  <cr>

7. View the contents of an object

ASA# show run object id web-server1

object network web-server1
 host 10.10.1.1

8. View the contents of an object group

ASA# show run object-group id public-servers

object-group network public-servers
 network-object host 10.10.1.1
 network-object host 10.10.1.2

9. packet-tracer utility

You can use packet-tracer command to identify whether traffic is able to traverse through the firewall.

ASA# packet-tracer input $source_interface $traffic_type $src_ip $src_port $dest_ip $ dest_port

ASA# packet-tracer input inside tcp 10.10.10.10 25000 8.8.8.8 80

10. View active IP-SGT Bindings

You can use show cts sgt-map command to find the sgt-tag assigned to a specific IP via ISE.

ASA# show cts sgt-map               

Active IP-SGT Bindings Information

IP Address          SGT   Source
================================================================
10.10.1.10           11   SXP
10.10.15.11          13   SXP
10.10.50.12          22   SXP
10.10.12.16          17   SXP

11. View detail information about Remote access VPN user such as OS and AnyConnect client version

Note - You can remove the filter to view the entire output.

ASA# show vpn-sessiondb detail anyconnect filter name user1 | incl Client

Client OS    : mac-intel              
Client OS Ver: 10.13.6                
Client Type  : AnyConnect
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS    : Mac OS X               
Client Type  : SSL VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056
Client OS    : Mac OS X               
Client Type  : DTLS VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.7.04056

Thanks for reading

As always, your feedback and comments are more than welcome.

Table of Contents
Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.
Comments
More from Packetswitch
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Packetswitch.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.