ASA configuration

sizeonsizeon Member Posts: 321
Is there any benefits in configuring VPNs on the CLI rather than ASDM? I configured site to site VPN on the CLI on a lap environment is it was way more difficult and tedious.

Comments

  • Vask3nVask3n Member Posts: 517
    Almost anything you do in ASDM is translated to the CLI equivalent when you send the commands to the device through ASDM so it's nice to know the CLI equivalents in some weird case where you can only SSH into the device and not access it through a browser.

    That being said there were some ASA configurations that I specifically chose to do on CLI rather than the GUI. Specifically, when I created the Connection Profiles that check LDAP group membership when users log in to provide the right access. (I forgot if this was actually the Group Policies and not the Connection Profile, I don't have access to that ASA anymore)
    Working on MS-ISA at Western Governor's University
  • RouteMyPacketRouteMyPacket Member Posts: 1,104
    100% CLI is better due to the fact you have full control of the config going in. i.e. Creation of groups via ASDM will insert a default statement of "DM_INLINE_PROTOCOL_1" or "DM_INLINE_NETWORK_1". SO one thing you could at least do if you are worried of the CLI is to place a checkmark in the "Preview commands before sending to device" field found under preferences.

    Then you could copy from that into a notepad and then make changes as needed. I cannot stand ASDM, it's utter garbage but I admit for logging I use ASDM to watch logs for deny/permits as I troubleshoot.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • PurpleITPurpleIT Member Posts: 327
    sizeon wrote: »
    Is there any benefits in configuring VPNs on the CLI rather than ASDM? I configured site to site VPN on the CLI on a lap environment is it was way more difficult and tedious.

    IMO, the main thing is you will know more about what is happening when you use the CLI vs the GUI, but I fully admit to using the GUI 90% of the time.

    There are still a few commands that simply won't run in ASDM - and last I checked, you could not change the IP of your IPSec VPN peer unless you used the CLI, so don't be afraid of it. As RouteMyPacket said, use the preview commands option to get a feel for what the GUI clicks really do.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    And not all changes are visible using the preview command (unless I am doing it wrong), such as AnyConnect DAP changes, Host Scan setup...
    Working on: staying alive and staying employed
  • LinuxNerdLinuxNerd Member Posts: 83 ■■□□□□□□□□
    CLI all the time, all the way.
Sign In or Register to comment.