

Useful Cisco IOS and PIX/ASA Commands

There are many useful IOS and ASA/PIX commands that are poorly documented or easily forgotten. See the IPE article here; there was also one on PacketU and one on Cisco Tips & Tricks. Below are my favorites. I also include a few that I use most often with Cisco IPS and Dynamips (the Cisco simulator).

To display only access-list entries that have non-zero hit counts

PIX#sh access-list | grep -v hitcnt=0
PIX#sh access-list TACACS | grep -v hitcnt=0
access-list TACACS; 4 elements
access-list TACACS line 4 extended permit icmp any host (hitcnt=1)
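
The same hit-count review can be done offline on saved `show access-list` output. The following is an added example, not part of the original article: the function names are hypothetical, and the sample output is constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample of saved `show access-list` output (documentation IPs).
SAMPLE = """\
access-list TACACS; 4 elements
access-list TACACS line 1 extended permit tcp any host 192.0.2.10 eq tacacs (hitcnt=0)
access-list TACACS line 2 extended permit udp any host 192.0.2.10 eq 1812 (hitcnt=0)
access-list TACACS line 3 extended deny ip any any (hitcnt=37)
access-list TACACS line 4 extended permit icmp any host 192.0.2.10 (hitcnt=1)
access-list OUTSIDE; 1 elements
access-list OUTSIDE line 1 extended permit tcp any host 192.0.2.20 eq www (hitcnt=0)
"""

# Matches entry lines only; "; N elements" headers carry no hitcnt and are skipped.
ENTRY = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)

def parse_acl_hits(text):
    """Return {acl_name: [(line_no, rule_text, hitcnt), ...]}."""
    acls = defaultdict(list)
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            acls[m["acl"]].append((int(m["line"]), m["rule"], int(m["hits"])))
    return dict(acls)

def split_by_use(entries):
    """Split one ACL's entries into (matched, never_matched) lists."""
    hit = [e for e in entries if e[2] > 0]
    unused = [e for e in entries if e[2] == 0]
    return hit, unused

def report(text):
    """Per-ACL summary: busiest rules first, then rules that never matched."""
    out = []
    for acl, entries in parse_acl_hits(text).items():
        hit, unused = split_by_use(entries)
        out.append(f"{acl}: {len(hit)} matched, {len(unused)} never matched")
        for no, rule, hits in sorted(hit, key=lambda e: -e[2]):
            out.append(f"  line {no:<3} hitcnt={hits:<6} {rule}")
        for no, rule, _ in unused:
            out.append(f"  line {no:<3} UNUSED        {rule}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```

A zero count only means the entry has not matched since the counters were last cleared or the device was reloaded, so check uptime before treating an entry as unused.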

The Cisco IOS ‘default’ command returns a configuration item to its default value. The "no" form is not always the default.

ROUTER(config)#default ?
  aaa                         Authentication, Authorization and Accounting.
  access-list                 Add an access list entry

Cisco introduced a similar ‘clear configure <section>’ command on the ASA firewall.

There is a quick and easy way to coax a VPN configuration template from the Cisco ASA. Simply use the ‘vpnsetup’ command in global configuration mode:

ASA(config)# vpnsetup ?
configure mode commands/options:
  ipsec-remote-access  Display IPSec Remote Access Configuration Commands
  l2tp-remote-access   Display L2TP/IPSec Configuration Commands
  site-to-site         Display IPSec Site-to-Site Configuration Commands
  ssl-remote-access    Display SSL Remote Access Configuration Commands

To display basic signature IDs: I use the Cisco ASA every time I forget a signature ID for Cisco IPS or IOS IPS (e.g. the Echo signature IDs). So far it’s the fastest way to do it for me. First enable the ASA IPS signatures using the ‘ip audit name’ and ‘ip audit interface’ commands.

ASA#sh ip audit count | i Echo
2000 I ICMP Echo Reply            0
2004 I ICMP Echo Request          0
2000 I ICMP Echo Reply            0
2004 I ICMP Echo Request          0

To quickly display ‘tacacs’ and ‘radius’ ports (or any ports you don’t remember)

ROUTER#show ip port-map | in tacacs|radius
Default mapping:  tacacs               udp port 49                         system defined
Default mapping:  radius               udp port 1812,1813                  system defined
Default mapping:  tacacs-ds            tcp port 65                         system defined

Erase IOS configuration (very important in Cisco training labs):

ROUTER#erase nvram:startup-config
ROUTER#config replace nvram:startup-config list force

Or erase IPS configuration:

IPS#erase current-config

Dynamips (‘dyna’) commands:

In case VLANs cannot be saved (on NM-16ESW Ethernet switch module):

SWITCH(config)#vtp file nvram:vlan.dat


SWITCH#format flash

To eliminate annoying warnings when using the dyna switch module:

SWITCH(config)#no cdp log mismatch duplex

It’s a good idea to keep track of commands like these, because they can save us hours of troubleshooting or speed up configuration tasks.
