ASA configuration

Is there any benefits in configuring VPNs on the CLI rather than ASDM? I configured site to site VPN on the CLI on a lap environment is it was way more difficult and tedious.

Find more posts tagged with

Comments

Vask3n

Almost anything you do in ASDM is translated to the CLI equivalent when you send the commands to the device through ASDM so it's nice to know the CLI equivalents in some weird case where you can only SSH into the device and not access it through a browser.

That being said there were some ASA configurations that I specifically chose to do on CLI rather than the GUI. Specifically, when I created the Connection Profiles that check LDAP group membership when users log in to provide the right access. (I forgot if this was actually the Group Policies and not the Connection Profile, I don't have access to that ASA anymore)

RouteMyPacket

100% CLI is better due to the fact you have full control of the config going in. i.e. Creation of groups via ASDM will insert a default statement of "DM_INLINE_PROTOCOL_1" or "DM_INLINE_NETWORK_1". SO one thing you could at least do if you are worried of the CLI is to place a checkmark in the "Preview commands before sending to device" field found under preferences.

Then you could copy from that into a notepad and then make changes as needed. I cannot stand ASDM, it's utter garbage but I admit for logging I use ASDM to watch logs for deny/permits as I troubleshoot.

PurpleIT

sizeon wrote: »

Is there any benefits in configuring VPNs on the CLI rather than ASDM? I configured site to site VPN on the CLI on a lap environment is it was way more difficult and tedious.

IMO, the main thing is you will know more about what is happening when you use the CLI vs the GUI, but I fully admit to using the GUI 90% of the time.

There are still a few commands that simply won't run in ASDM - and last I checked, you could not change the IP of your IPSec VPN peer unless you used the CLI, so don't be afraid of it. As RouteMyPacket said, use the preview commands option to get a feel for what the GUI clicks really do.

colemic

And not all changes are visible using the preview command (unless I am doing it wrong), such as AnyConnect DAP changes, Host Scan setup...

LinuxNerd

CLI all the time, all the way.