Most of the configuration on an ASA can be viewed in plain text just by using the “show run” command. One exception is the pre-shared keys for VPNs, which “show run” masks with asterisks (‘*’). These keys can however be viewed using the command “more system:running-config”, which displays the running configuration including the pre-shared keys in plain text. If you want to filter the output to just the lines containing the keys, use “more system:running-config | include keys”. Because this output contains the keys in the clear, any saved copy of it needs to be protected the same way as the keys themselves.
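The practical use of that command is auditing: once the keys are visible, you can check which tunnel groups still carry short keys. The script below is an added example (not from the original post); it assumes the ASA syntax “tunnel-group <name> ipsec-attributes” followed by an indented “ikev1 pre-shared-key <key>” (or the older “pre-shared-key <key>”) line, and that keys contain no spaces. The configuration text in it is constructed sample data, including one key left masked as “show run” would print it, so the audit can tell you when the wrong command was used.

```python
"""Audit an ASA 'more system:running-config' dump for VPN pre-shared keys.

Added example, not code from the original post. Assumes the tunnel-group
ipsec-attributes / (ikev1) pre-shared-key syntax and keys without spaces.
"""
import re

# Constructed sample. Two groups are as 'more system:running-config' shows
# them (key in the clear); the third is as 'show run' prints it (masked).
SAMPLE_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key cisco123
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key Vx9!qL2#mT7pR4wZ8kH3nB6s
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key *****
"""

TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+(?:ikev1 )?pre-shared-key (\S+)\s*$")


def extract_psks(config_text):
    """Return {tunnel-group name: pre-shared key} for every key in the dump."""
    keys = {}
    current = None  # tunnel-group whose ipsec-attributes sub-mode we are in
    for line in config_text.splitlines():
        m = TUNNEL_GROUP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = PSK_RE.match(line)
        if m:
            keys[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # an unindented line ends the sub-mode
    return keys


def audit_psks(keys, min_length=16):
    """Classify each key: 'masked' (still hidden, i.e. taken from 'show run'),
    'short' (below min_length characters) or 'ok'."""
    report = {}
    for group, key in keys.items():
        if set(key) == {"*"}:
            report[group] = "masked"
        elif len(key) < min_length:
            report[group] = "short"
        else:
            report[group] = "ok"
    return report


def run_audit(config_text=SAMPLE_CONFIG):
    """Convenience wrapper: parse then classify."""
    return audit_psks(extract_psks(config_text))


if __name__ == "__main__":
    for group, verdict in run_audit().items():
        print(f"{group}: {verdict}")
```

Feed it the output of “more system:running-config” captured from the ASA; a “masked” verdict means the text came from “show run” instead. The 16-character threshold is an assumption, not an ASA rule; adjust it to your own policy.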
Here’s a great link to troubleshooting ASDM issues:
I came across a situation where I had an ASA 5505 connected to a 3750 switch via two physical interfaces. These interfaces were both on the same chassis of a two-chassis 3750 stack. This ASA had been running well for some time and no issues had arisen until one of the two 3750s (the one connected to the ASA, of course) experienced an issue, causing an Internet outage. I did some research and didn’t find anything on the ASA end of things that would allow for redundant links to the secondary switch. Then, as I was reading through a Cisco Catalyst IOS configuration guide, I saw something about “Flex Links” and struck gold! Simply put, Flex Links allow backup interfaces to be administratively defined on a switch (or stack of switches). The configuration on the switch side is very straightforward, as shown in the example below. The ASA configuration is very simple as well: I simply assigned the appropriate VLANs to the ASA switched interfaces and attached the cables to the proper backup interfaces on my second stacked switch. The ports that are in a standby state will have orange status lights but will show “up/up” on both ends.
interface GigabitEthernet1/0/23
 description ASA 5505 INSIDE - BACKUP
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ASA 5505 OUTSIDE - BACKUP
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/23
 description ASA 5505 INSIDE
 switchport access vlan 10
 switchport mode access
 switchport backup interface Gi1/0/23
 switchport backup interface Gi1/0/23 preemption mode forced
 spanning-tree portfast
!
interface GigabitEthernet2/0/24
 description ASA 5505 OUTSIDE
 switchport access vlan 30
 switchport mode access
 switchport backup interface Gi1/0/24
 switchport backup interface Gi1/0/24 preemption mode forced
 spanning-tree portfast
This configuration statically configures port Gig1/0/23 as a backup for Gig2/0/23 and Gig1/0/24 as a backup for Gig2/0/24. The “preemption mode forced” command simply means that if a failed primary interface becomes available again, a failback to it will occur rather than the pair just remaining in the last working state.
There are two very useful show commands. The first, “show interfaces switchport backup”, provides a simple output showing active and backup interfaces:

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
The second useful command is “show interfaces switchport backup detail” which, strangely enough, just provides more detailed information:

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/23), 100000 Kbit (Gi1/0/23)
        Mac Address Move Update Vlan : auto
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/24), 100000 Kbit (Gi1/0/24)
        Mac Address Move Update Vlan : auto
More information from Cisco can be found here
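The outage in the story above is exactly the event that “Active Up/Backup Standby” flipping to something else would reveal, so it is worth checking the pair states rather than relying on the orange port lights. The following script is an added example (not from the original post or from Cisco): it parses the plain “show interfaces switchport backup” table shown above and reports any pair that is no longer in the healthy state. The output text in it is constructed, with the second pair showing a failed primary; the “Active Down/Backup Up” wording is assumed to be what IOS prints after a failover.

```python
"""Check 'show interfaces switchport backup' output for failed-over pairs.

Added example, not code from the original post. Assumes the table layout
'<active> <backup> Active <state>/Backup <state>' shown in the post.
"""
import re

# Constructed sample: first pair healthy, second pair failed over.
SAMPLE_OUTPUT = """\
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Down/Backup Up
"""

PAIR_RE = re.compile(r"^(\S+)\s+(\S+)\s+Active (\S+)/Backup (\S+)\s*$")


def parse_backup_pairs(output):
    """Return one dict per Flex Links pair found in the command output."""
    pairs = []
    for line in output.splitlines():
        m = PAIR_RE.match(line)
        if m:  # header and separator lines do not match the pattern
            pairs.append({
                "active": m.group(1),
                "backup": m.group(2),
                "active_state": m.group(3),
                "backup_state": m.group(4),
            })
    return pairs


def check_pairs(pairs):
    """Return a list of findings; an empty list means every pair is in the
    steady state from the post (primary Up, backup Standby)."""
    findings = []
    for p in pairs:
        if p["active_state"] == "Up" and p["backup_state"] == "Standby":
            continue
        if p["backup_state"] == "Up":
            findings.append(
                f"{p['active']}: primary {p['active_state']}, "
                f"traffic is on backup {p['backup']}"
            )
        else:
            findings.append(
                f"{p['active']}/{p['backup']}: no forwarding link "
                f"(Active {p['active_state']}/Backup {p['backup_state']})"
            )
    return findings


def run_check(output=SAMPLE_OUTPUT):
    """Convenience wrapper: parse then evaluate."""
    return check_pairs(parse_backup_pairs(output))


if __name__ == "__main__":
    for finding in run_check() or ["all Flex Links pairs healthy"]:
        print(finding)
```

Run it against the command output collected by whatever polls the switch; a non-empty result is the alert that a failover happened (or that both links are down), which with “preemption mode forced” should clear on its own once the primary port returns.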
The Cisco ASA platform ships with default licensing that permits two simultaneous WebVPN sessions. If users don’t log out when they finish using WebVPN, the ASA still considers these sessions open and they will consume licenses until the timeout period expires. There are two useful commands to troubleshoot issues surrounding WebVPN sessions. The first command shows current WebVPN sessions:
“show vpn-sessiondb webvpn”
The second command will terminate all WebVPN sessions:
“vpn-sessiondb logoff webvpn”
When running H.323/H.225 inspection on an ASA in transparent mode (using the command “inspect h323 h225”), routes are required for the inspection to work correctly. These routes are ONLY needed for the inspection process and are NOT used to route the actual traffic, as a transparent-mode firewall does not participate in routing.
More information can be found here
There is an excellent packet capture capability built in to the ASA/PIX software. In order to capture traffic perform the following:
1) Create an ACL to identify the traffic you want to capture:
access-list ACL_CAPTURE permit tcp any any eq smtp
2) Create the capture statement:
capture MYCAP access-list ACL_CAPTURE interface inside
If you want to see the entire packet you need to add “packet-length 1522”:
capture MYCAP access-list ACL_CAPTURE packet-length 1522 interface inside
You can then do a “show capture MYCAP” to see the traffic.
If you want to download the capture to a sniffer (Wireshark), you have to do that while the capture is running; you do it from a browser with the URL https://
NOTE: This assumes that the interface on your ASA is named “inside”