
Configuration Management

The security appliance keeps two copies of the configuration in the system:

  • The active, or running, configuration

  • The saved, or startup, configuration

These configurations are discussed in the next two subsections. Removing configurations from the security appliance is also discussed.

Running Configuration

The running configuration is the configuration that the security appliance has loaded in its memory and is actually using. When the security appliance boots up, it copies the saved configuration into memory and then operates as configured there. Use the show running-config command to display the configuration the security appliance is currently using; this is the most important command for verifying that the security appliance is configured properly. The running configuration is not stored in nonvolatile RAM (NVRAM) until the security appliance is instructed to store it there.

Example 4-29 shows the current configuration on an appliance. As you can see, the configuration file can be fairly large and complex, depending on the number of features configured on the security appliance. The configuration file begins with the current version of the system image, followed by the rest of the configuration parameters.

Example 4-29. Output of show running-config
Chicago# show running-config
: Saved
:
ASA Version 7.0(1)
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Chicago
domain-name securemeinc.com
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm501.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:533c1e606d18c43ea3c6d1cfb7f00d52
: end

Cisco ASA allows you to display a specific part of the configuration by using show running-config followed by the name of the command you are interested in checking, as shown in Example 4-30. The show running-config ? command lists all the keywords you can use, while the show running-config interface gigabitEthernet0/0 command shows the running configuration of only the GigabitEthernet0/0 interface.

Example 4-30. Partial Output of show running-config
Chicago# show running-config ?
  aaa                    Show aaa configuration information
  aaa-server             Show aaa-server configuration information
  access-group           Show access group(s)
  access-list            Show configured access control elements
  alias                  Show configured overlapping addresses with dual NAT
  all                    Current operating configuration including defaults
  arp                    Show configured arp entries, arp timeout
  asdm                   Show ASDM configuration
! Output omitted for brevity
Chicago# show running-config interface gigabitEthernet0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224

Note

The show running-config command does not display the default configuration of the security appliance. Use show running-config all to display the entire running configuration.


The Cisco ASA operating system lets you narrow the output of a show command by appending | grep to the end of the command. Alternatively, | include displays only the lines of the show command's output that contain the exact phrase. In Example 4-31, the administrator is interested only in the IP addresses set up on the security appliance and their respective subnet masks in the running configuration.

Example 4-31. Selective Output of show running-config
Chicago# show running-config | include ip address
 ip address 209.165.200.225 255.255.255.224
 ip address 192.168.10.1 255.255.255.0
 no ip address
 no ip address
 no ip address

The security appliance can also display the selective output of a show command when the | begin option is used. In this case, the security appliance displays the output beginning from a specific keyword. As shown in Example 4-32, the administrator is interested in looking at the running configuration beginning from the physical interfaces. This is done by using the show running-config | begin interface command.

Example 4-32. Output of show running-config Beginning from the Interface Configuration
Chicago# show running-config | begin interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
! Output omitted for brevity

Startup Configuration

The security appliance uses the saved configuration during the bootup process as the running configuration. This saved configuration is known as the startup configuration. The startup configuration can be viewed by using the show startup-config command, as shown in Example 4-33.

Tip

You can also use show configuration to display the startup configuration.


Example 4-33. Output of show startup-config
Chicago# show startup-config
: Saved
: Written by enable_15 at 23:35:53.100 UTC Sat Aug 5 2005

ASA Version 7.0(1)
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
! Output omitted for brevity

The output of show running-config and show startup-config may or may not be identical depending on whether the two configurations were synced. Use the copy running-config startup-config command to copy the active configuration into NVRAM, as shown in Example 4-34.

Tip

You can also use the write memory command to copy the running configuration to the startup configuration.


Example 4-34. Output of copy running-config startup-config
Chicago# copy running-config startup-config
Source filename [running-config]?
Cryptochecksum: 28b8d710 e2eaeda0 bc98a262 2bf3247a
3205 bytes copied in 3.230 secs (1068 bytes/sec)
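
As an added example (not from the book), the following Python script applies the same ideas to captured show output: an include and a begin filter like Examples 4-31 and 4-32, and a check for drift between the running and startup copies after stripping the ':' comment lines and the Cryptochecksum trailer, which legitimately differ even when the two are synced. The sample configurations are constructed from the outputs shown above.

```python
import difflib

# Constructed sample in the style of Example 4-29 (trimmed). The startup
# copy is derived from it: a 'Written by' header, a different checksum,
# and no 'isakmp enable outside' line, because that change was never saved.
RUNNING = """\
: Saved
:
ASA Version 7.0(1)
hostname Chicago
interface GigabitEthernet0/0
 nameif outside
 ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
!
isakmp enable outside
Cryptochecksum:533c1e606d18c43ea3c6d1cfb7f00d52
: end
"""
STARTUP = (RUNNING
    .replace(": Saved\n:\n", ": Saved\n: Written by enable_15 at 23:35:53.100 UTC Sat Aug 5 2005\n")
    .replace("isakmp enable outside\n", "")
    .replace("533c1e606d18c43ea3c6d1cfb7f00d52", "28b8d710 e2eaeda0 bc98a262 2bf3247a"))

def include(text, phrase):
    """Same idea as 'show running-config | include <phrase>' (Example 4-31)."""
    return [l for l in text.splitlines() if phrase in l]

def begin(text, keyword):
    """Same idea as '| begin <keyword>' (Example 4-32): from the first match on."""
    lines = text.splitlines()
    hits = [i for i, l in enumerate(lines) if keyword in l]
    return lines[hits[0]:] if hits else []

def normalize(text):
    """Drop lines that differ even when the copies are synced: the ':' comment
    lines (': Saved', ': Written by', ': end') and the Cryptochecksum trailer."""
    return [l.rstrip() for l in text.splitlines()
            if not l.startswith((":", "Cryptochecksum"))]

def unsaved_changes(running, startup):
    """'+' lines exist only in memory, '-' lines only in NVRAM; [] means synced."""
    diff = difflib.unified_diff(normalize(startup), normalize(running), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
```

A non-empty result from unsaved_changes is the scripted equivalent of noticing that show running-config and show startup-config disagree; feeding it real captures requires only replacing the two constructed strings.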

Removing the Device Configuration

A configured command can be removed from the configuration by using the no form of the command. This will undo the command that was previously entered into the configuration. In Example 4-35, the security appliance is set up for ISAKMP processing on the outside interface. It is being disabled with the no isakmp enable outside command.

Example 4-35. Disabling ISAKMP Processing on the Outside Interface
Chicago(config)# isakmp enable outside
Chicago(config)# no isakmp enable outside

The security appliance can also remove the current configuration for a specific feature if the clear configure command is used. If the security appliance is set up with an ISAKMP policy 10 for Phase 1 negotiations, the clear configure isakmp command will remove all the isakmp commands from the running configuration. This is demonstrated in Example 4-36.

Note

The use of no in a command removes a single line, while clear configure removes the parts of the configuration for a feature.


Example 4-36. Clearing All ISAKMP Commands from the Running Configuration
Chicago(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Chicago(config)# clear configure isakmp
Chicago(config)# show running-config | include isakmp

The preceding example not only cleared the ISAKMP policy but also removed the isakmp enable outside command from the running configuration. Use the clear configure isakmp policy command to only remove the ISAKMP policy from the active configuration, as shown in Example 4-37.

Example 4-37. Clearing ISAKMP Policy Commands from the Running Configuration
Chicago(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Chicago(config)# clear configure isakmp policy
Chicago(config)# show running-config | include isakmp
isakmp enable outside

Unlike Cisco IOS routers, the Cisco ASA can clear the running configuration without going through a reboot. This is helpful when the security appliance needs to be returned to its default configuration. Use the clear configure all command to clear the running configuration, as shown in Example 4-38; note that the prompt changes to the default hostname, ciscoasa, once the command has run.

Example 4-38. Clearing the Running Configuration
Chicago(config)# clear configure all
ciscoasa(config)#

Caution

The use of this command will reset your connection if you are connected to the security appliance using a remote-management protocol. This is discussed in the next section.


The security appliance can also erase the startup configuration from NVRAM if the write erase command is issued from privileged mode, as shown in Example 4-39.

Example 4-39. Clearing the Startup Configuration
Chicago# write erase
Chicago#
