Thanks to Anisha with Cisco Systems for this idea. We were in Brian McGahan’s CCIE Security 5 Day Bootcamp, and she realized it would be nice to have a Quick Ref of his troubleshooting/verification commands. There are a bazillion shows and debugs, it seems, but you only need a subset to be successful in the lab. Here is the first part of the “cheat sheet”. The rest will follow in the respective categories in the blog. Please let me know via comment if you see errors or have additions. I added to Brian’s classroom commands with some of my own. I also took a few from the Cisco Press ASA All-In-One Guide. It is an excellent text for your Kindle!
PIX/ASA 7.2
AAA
debug radius
debug tacacs
show aaa-server protocol PROTOCOL_NAME
test aaa-server authentication SERVER_TAG host HOST_IP username USERNAME password PASSWORD
Access Control Lists
show access-list
show run | include ACCESS_LIST_NAME
show run object-group
show run time-range
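The `show access-list` output those commands produce prints one line per ACE with a `(hitcnt=N)` counter, which is the fastest way to find rules that never match and rules that are broader than their name suggests. The script below is an added example, not code from the original post or from INE: it parses a constructed sample formatted like ASA 7.x `show access-list` output (ACL names, addresses and counters are invented) and reports zero-hit ACEs and `permit ip any any` entries. The audit rules are my own assumptions about what is worth flagging.

```python
"""Audit ASA 'show access-list' output: unused ACEs and over-broad permits.

Added example. The sample output is constructed to look like ASA 7.x
'show access-list' output; ACL names, addresses and counters are invented.
"""
import re
from dataclasses import dataclass

SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 4 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1542) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=0) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit ip any any (hitcnt=27) 0x3c4d5e6f
access-list OUTSIDE_IN line 4 extended deny ip any any log (hitcnt=0) 0x4d5e6f70
access-list INSIDE_OUT; 1 elements
access-list INSIDE_OUT line 1 extended permit ip 10.1.1.0 255.255.255.0 any (hitcnt=99812) 0x5e6f7081
"""

# One ACE per line: "access-list NAME line N extended permit|deny PROTO <match> (hitcnt=N) 0x<hash>"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    match: str   # everything between the protocol and the hit counter
    hits: int


def parse_access_list(text):
    """Return the ACEs in 'show access-list' output; summary and header lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"],
                            m["proto"], m["match"], int(m["hits"])))
    return aces


def is_any_any(ace):
    return ace.proto == "ip" and ace.match.startswith("any any")


def unused_aces(aces):
    """ACEs with a zero hit count. A trailing 'deny ip any any' with 0 hits is
    normal (nothing fell through to it), so it is not reported."""
    return [a for a in aces if a.hits == 0 and not (a.action == "deny" and is_any_any(a))]


def broad_permits(aces):
    """'permit ip any any' entries: if they carry hits, the ACL is not restricting much."""
    return [a for a in aces if a.action == "permit" and is_any_any(a)]


def report(text):
    aces = parse_access_list(text)
    lines = [f"{len(aces)} ACEs parsed"]
    for a in unused_aces(aces):
        lines.append(f"UNUSED  {a.acl} line {a.line}: {a.action} {a.proto} {a.match}")
    for a in broad_permits(aces):
        lines.append(f"BROAD   {a.acl} line {a.line}: {a.action} {a.proto} {a.match} (hitcnt={a.hits})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHOW_ACCESS_LIST)))
```

A zero hit count only means "no match since the counters were last reset", so note the device uptime (show version) or when `clear access-list ACCESS_LIST_NAME counters` was last run before treating an ACE as dead.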
Application Inspection
show conn state STATE_TYPE detail
show service-policy
Configuring Interfaces
show firewall
show int
show int ip brief
show ip
show mode
show nameif
show run interface INTERFACE_NAME
show version
Connections and Translations
clear xlate
show conn
show conn detail
show local-host all
clear local-host all (clears all connections)
show log
show run | begin policy-map
show run global
show run nat
show xlate
test regex INPUT_TEXT REGULAR_EXPRESSION
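`show conn` lists every connection with a flag string (for example UIO); a TCP entry with no U flag has not completed its three-way handshake, and a pile of those from one inside host is what an outbound scan or SYN flood looks like in the connection table. The script below is an added example, not code from the original post or from INE: it parses a constructed sample formatted like ASA 7.x `show conn` output (addresses, ports and byte counts are invented), decodes the flags using the subset of the `show conn` legend listed in the code, and counts half-open connections per inside host. The reporting threshold is an assumption.

```python
"""Find embryonic (half-open) TCP connections in ASA 'show conn' output.

Added example. The sample output is constructed to look like ASA 7.x 'show conn'
output; addresses, ports and byte counts are invented. FLAG_LEGEND is the subset
of the 'show conn' flag legend used here (TCP meanings).
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_SHOW_CONN = """\
7 in use, 21 most used
TCP out 192.0.2.10:80 in 10.1.1.5:49152 idle 0:00:03 bytes 11391 flags UIO
TCP out 192.0.2.10:443 in 10.1.1.5:49153 idle 0:00:01 bytes 0 flags saA
TCP out 198.51.100.7:22 in 10.1.1.9:50001 idle 0:00:09 bytes 0 flags saA
TCP out 198.51.100.7:23 in 10.1.1.9:50002 idle 0:00:09 bytes 0 flags saA
TCP out 198.51.100.7:25 in 10.1.1.9:50003 idle 0:00:08 bytes 0 flags saA
UDP out 192.0.2.53:53 in 10.1.1.5:53011 idle 0:00:00 bytes 120 flags D
TCP out 203.0.113.4:445 in 10.1.1.9:50004 idle 0:00:05 bytes 0 flags saA
"""

FLAG_LEGEND = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "D": "DNS",
}

# "TCP out A.B.C.D:p in E.F.G.H:q idle h:mm:ss bytes N flags XYZ". Later code prints
# interface names instead of out/in and adds commas, so both forms are tolerated.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<lo_if>\S+) (?P<lo_addr>[\d.]+):(?P<lo_port>\d+),? "
    r"(?P<hi_if>\S+) (?P<hi_addr>[\d.]+):(?P<hi_port>\d+),? idle (?P<idle>[\d:]+),?"
    r"(?: bytes (?P<nbytes>\d+),?)? flags (?P<flags>\S+)"
)


@dataclass
class Conn:
    proto: str
    lo_addr: str   # lower-security ("out") side
    lo_port: int
    hi_addr: str   # higher-security ("in") side
    hi_port: int
    idle: str
    nbytes: int
    flags: str

    @property
    def is_embryonic(self):
        """TCP connection whose handshake has not completed (no U flag)."""
        return self.proto == "TCP" and "U" not in self.flags


def parse_show_conn(text):
    conns = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if m:
            conns.append(Conn(m["proto"], m["lo_addr"], int(m["lo_port"]), m["hi_addr"],
                              int(m["hi_port"]), m["idle"], int(m["nbytes"] or 0), m["flags"]))
    return conns


def decode_flags(flags):
    return [FLAG_LEGEND.get(f, f"unknown flag {f}") for f in flags]


def embryonic(conns):
    return [c for c in conns if c.is_embryonic]


def suspect_hosts(conns, threshold=3):
    """Inside hosts with at least `threshold` half-open connections (threshold is an assumption)."""
    counts = Counter(c.hi_addr for c in embryonic(conns))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    for c in embryonic(conns):
        print(f"{c.hi_addr}:{c.hi_port} -> {c.lo_addr}:{c.lo_port} {c.flags} "
              f"({', '.join(decode_flags(c.flags))})")
    print("suspects:", suspect_hosts(conns))
```

On the box itself, `show conn state STATE_TYPE detail` filters live; this is for the saved `show conn` output you paste into a ticket, and for comparing two captures taken a minute apart to see whether the half-open count is growing.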
Failover
debug fo rxip
debug fo txip
show failover
show ip
IP Routing
debug ospf event
debug rip
show ospf database
show ospf interface
show ospf neighbor
show ospf PROCESS_ID
show ospf virtual-links
show route
Multicast
show igmp interface
show mroute
show pim interface
show pim neighbor
PKI
debug crypto ca messages
debug crypto ca transactions
show crypto ca certificates
show crypto ca crls
show crypto key mypubkey rsa
Quality of Service
show priority-queue statistics
show run class-map
show run policy-map
show service-policy global
show service-policy interface INTERFACE_NAME
show service-policy priority
show service-policy shape
Security Contexts
show admin-context
show context
show mode
System Management
show clock
show crypto key mypubkey rsa
show logging
show ntp status
show running-config
show snmp-server statistics
show ssh sessions
show startup-config
Transparent Firewall
debug arp-inspection
debug l2-indication
debug mac-address-table
show access-list
show arp-inspection
show conn
show firewall
show mac-address-table
VPNs
debug crypto ipsec
debug crypto isakmp
show crypto ipsec sa
show crypto isakmp sa detail
show route
WebVPN
debug menu webvpn
debug ssl cipher
show vpn-sessiondb summary
show vpn-sessiondb webvpn
9 Responses to “CCIE Security 2.X Verification Commands “Cheat Sheet””
Hi.
Why doesn’t the IP Routing section have commands for EIGRP?
Thanks.
Thanks for the list.
I believe “show run access-list ACCESS-LIST-NAME” is the same as “show run | include ACCESS_LIST_NAME”. Use whichever one you prefer
Ty for this cheatsheet
I’d love to read more stuff about CCIE sec :>
Francois
Hi,
8 days to go for the exam and only now are you posting the good stuff; thanks a lot for the list to keep in mind. I’d appreciate it if you could run across the other commands before the end of the 8 days ….
Regards
Maxwell Noel
To MoreJazzz:
There are no EIGRP commands because it is not supported in the 2.X version of the security on the PIX/ASA. Please see the command reference guide to verify this:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/qr_72.html
Hi,
You are Awesome!
Great work, and it was good meeting you at the camp. I’d add the “test aaa…” commands for the IOS and PIX/ASA under AAA though, they came in very handy.
Derek
Hi Derek!
Thanks so much! I added the two exam-relevant test commands of the possible three.
Thanks again!
Hi,
I think it’s time to update this Cheat Sheet.
I am sure Keith Barker must have got some tips to share with us.
Here is my golden tip or cheat to set up VPNs on ASA 8.x code. ASA config terminal mode has a vpnsetup command which shows you all the setup needed to configure VPNs. Let’s see an example here:
ciscoasa#
ciscoasa# config t
ciscoasa(config)# vpnsetup
ERROR: % Incomplete command
ciscoasa(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Commands
ciscoasa(config)# vpnsetup
ciscoasa(config)# vpnsetup ipsec-remote-access ?
configure mode commands/options:
steps Display VPN Setup Commands
ciscoasa(config)# vpnsetup ipsec-remote-access
ciscoasa(config)# vpnsetup ipsec-remote-access steps
Steps to configure a remote access IKE/IPSec connection with examples:
1. Configure Interfaces
interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown
interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown
2. Configure ISAKMP policy
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
3. Setup an address pool
ip local pool client-pool 192.168.1.1-192.168.1.254
4. Configure authentication method
aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y
5. Define tunnel group
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss
6. Setup ipsec parameters
crypto ipsec transform-set myset esp-aes esp-sha-hmac
7. Setup dynamic crypto map
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
8. Create crypto map entry and associate dynamic map with it
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
9. Attach crypto map to interface
crypto map mymap interface outside
10. Enable isakmp on interface
crypto isakmp enable outside
ciscoasa(config)#
You can try other options and share your experience with us!
Thanks