Do people configure VPNs via the GUI, or CLI? It seems like a lot of effort to use the CLI, and much more likely you'll end up making a mistake... how's it done in the "real world"?
Usually CLI if done on routers, some ASA admins like the GUI though. When you are doing it by CLI you are usually going to have a template that you just pop in the IPs and key and it's good to go. No need to manually type it all out every time.
An expert is a man who has made all the mistakes which can be made.
So would you recommend I memorise all of the commands then? Because if I'm going to have to troubleshoot via the CLI I'll need to pretty much know all of the commands.
Right on with networker, CLI on routers, ASDM on ASAs (I actually love ASDM, despite its quirkiness with some Java versions). It's good to know the CLI either way... so if you get locked out of ASDM for some reason, you're not hopeless!
It's that thing that lets you configure a VPN a LOT faster than CLI
I have no shame, I am not an ASA guru, but I have both installed and maintained ASAs, and for installs, CLI would be OK, but for production, maintaining rulesets via CLI would be much more error prone, and frankly a headache, ESPECIALLY if you're using complex rulesets (i.e.: permit group A ports SERVICE_GROUP_A -> group B ports SERVICE_GROUP_B, etc). I'm a die-hard CLI guy, but I make exceptions with ASAs!
What I find funny is that in the handful of times I have configured VPNs on ASAs I have done them via ASDM but never once used the VPN Wizard. I had never seen the wizard until I started down the Security track. lulz
Speaking of GUI, Cisco putting CCP on their exams is a pathetic joke. Not real world at all... sorry for that rant. lol
Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it?
You can trace the flow of packets through an ASA via CLI too, in fact I didn't know you could do that through the GUI. I do agree, maintaining rules isn't feasible outside of ASDM. I'm stuck in my ways with CLI for everything else though... just a preference, nothing more.
Same here. I don't like GUIs. I always use the CLI. Actually, I have used ASDM only a couple of times, usually when time is short.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
Setting up a decent VPN in CLI is child's play, especially something as simple as a GRE tunnel with IPSEC. DMVPN design gets really fun, and it only needs an extra command or three.
CLI for site to site; ASDM/GUI for RA. VPN isn't what you have to worry about; it's when you get a PIX or pre-8.3 ASA and have to upgrade it - you'll see what I mean lol.
Ahhh, so that's what's powering our SDN controllers!
Let's not use that term, people will start freakin' out. IDK what setup you're referring to but if it has the words _CS with a bank of W/N in it I found scripting CLI is still quicker for a lot of tasks.
I do it in ASDM, but I should learn to do it in CLI. I do almost everything ASA related in ASDM because that's how I learned to operate the ASA initially. I do nat configurations at the CLI though.
CLI mostly but the ASDM interface allows you to quickly create them too if you don't use the wizard. If you go into "Connection Profiles" under Configuration/VPN area and create a new one it does 90% of the work for you. I hate the wizard especially with the default DM_INLINE_1 crap it uses.
Majority of the VPNs we do are EZVPN from ASAs to ISRs and we do them via CLI. As networker mentioned above, we have templates built to plug in for time savings and to eliminate manual entry errors.
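The template approach mentioned in the replies above, sketched as an added example that is not part of the thread or any poster's own template: the per-site values are validated before they are dropped into an IOS site-to-site snippet, so a mistyped octet or an unsafe key fails before anything reaches a router. The helper name, ACL number, object names and crypto choices are assumptions, and binding the crypto map to an interface is left out.

```python
import ipaddress
from string import Template

# Constructed IOS site-to-site template. Policy numbers, object names and
# crypto choices are assumptions for illustration, not from the thread.
# Applying the crypto map to an interface is intentionally not included.
IOS_S2S = Template("""\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key $psk address $peer
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
access-list $acl permit ip $lnet $lwild $rnet $rwild
crypto map VPN-MAP 10 ipsec-isakmp
 set peer $peer
 set transform-set TS-AES256
 match address $acl
""")


def render_site_to_site(peer, psk, local_net, remote_net, acl=110):
    """Validate the per-site values, then fill the template (hypothetical helper)."""
    peer_ip = ipaddress.IPv4Address(peer)      # ValueError on a mistyped octet
    lnet = ipaddress.IPv4Network(local_net)    # strict: host bits must be zero
    rnet = ipaddress.IPv4Network(remote_net)
    if peer_ip.is_unspecified or peer_ip.is_loopback or peer_ip.is_multicast:
        raise ValueError(f"peer {peer_ip} is not a usable unicast address")
    if lnet.overlaps(rnet):
        raise ValueError("local and remote networks overlap")
    if not 100 <= acl <= 199:
        raise ValueError("this template expects an extended ACL number in 100-199")
    # Whitespace or '?' would be mangled when the key is pasted into the CLI.
    if len(psk) < 20 or "?" in psk or any(c.isspace() for c in psk):
        raise ValueError("pre-shared key too short or not paste-safe")
    # substitute() raises KeyError if any placeholder is left unfilled.
    return IOS_S2S.substitute(
        psk=psk, peer=peer_ip, acl=acl,
        lnet=lnet.network_address, lwild=lnet.hostmask,
        rnet=rnet.network_address, rwild=rnet.hostmask,
    )


if __name__ == "__main__":
    # Constructed sample values (documentation address range, dummy key).
    print(render_site_to_site("203.0.113.10", "EXAMPLE-ONLY-key-0123456789",
                              "10.1.0.0/24", "10.2.0.0/24"))
```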
I'm going to be looking at a huge ASA migration tomorrow, CLI or ASDM is the question. I mean it's over 9,000 ACLs, 31,000 Objects among other things. lulz
I've only done CLI VPN configuration on ASA and routers. Hardly used ASDM. I think it really depends on the work place. Just gotten used to using the CLI.
"Love your Job, but never fall in love with your company....because you never know when your company stops loving you!"
Comments
However, nothing beats a CLI IMO TBH.
Really, I would think that someone with their CCIE would know what a GUI is.
GUI:
Glowing Underwear Inside
Templates are nice though =/
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
5585s will run 8.4
I was asking if the 5550 was 8.4 already.