fw tab -t http_vpnd_cookies -f   !! View currently connected clients
fw tab -t http_vpnd_cookies -x   !! Clear all currently connected clients

[ # ]

!! Contains the following directories by default
  $FWDIR/conf
  $FWDIR/database
  $CPDIR/conf
  $CPDIR/database

[ # ]

fwm lock_admin -v         // View locked admins
fwm lock_admin -u <admin>    // Unlock a specific admin
fwm lock_admin -ua            // Unlock all admins

Documentation

[ # ]

fw unloadlocal

[ # ]

  1. Launch ASDM from a privilege 15 account
  2. Go to Configuration > Device Management > Users/AAA > AAA Access > Authorization
  3. Click the button "Set ASDM Defined Roles"
  4. Select "Yes" to have ASDM configure the necessary Priv 3 and Priv 5 permissions
  5. Select "Apply" to set the configuration on the firewall

[ # ]

!! Configuring the captures
!! Method 1 - ACL Capture
  access-list ryan permit ip host <source> host <dst>
  capture ryan-inside access-list ryan int <int>
  show capture ryan-inside

!! Method 2 - Match Capture (This is bidirectional)
  capture ryan-inside interface <int> match ip host <src ip> dest <dest ip>
  sh cap ryan-inside

!! Obtaining capture as PCAP file
!! 1.) Method 1 - Copying to another location
  copy /pcap capture:/<capture-name> <destination>

!! Example:
  copy /pcap capture:/mycap ftp://1.1.1.1/incoming/mycap.pcap

!! 2.) Method 2 - Downloading from the firewall
 Visit in Browser: https://<FW-IP>/admin/capture/<capture_name>/pcap

!! Example:
  Visit in Browser: https://1.1.1.1/admin/capture/mycap/pcap

Notes:

  • To download the PCAP, ensure you are connecting on the same port as ASDM is configured ('show run http')

Documentation

[ # ]

boot system flash:/<new-imagename>
no boot system flash:/<old-imagename>

[ # ]

!! As of writing this, some (or all) versions of Android do not support AES 256, so AES 128 is used here; the DH group 2 and SHA-1 settings below are likewise legacy choices driven by client support
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

!! Configure Nat-T for Android phones
crypto isakmp nat-traversal

!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport

!! Assign the transform-set to the first dynamic-map if possible
!! note: aes-256-sha is a previously created transform-set that I use with my iPhone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport

!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec

!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
 address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

!! Configure the group-policy that the username is locked to so that it also accepts l2tp
group-policy <group-policy-related-to-lock> attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>

!! Configure the username with mschap encryption and lock it to the required group-policy
username <username> password <password> mschap
username <username> attributes
  vpn-group-policy <group-policy-related-to-group>

[ # ]

In order to create a read-only account for ASDM access, ensure the following command is set for the privilege level to which you want to grant read-only access:

privilege cmd level 5 mode exec command more

Documentation

[ # ]

interface GigabitEthernet0/2
  description <optional description>
  vlan 40  !! optional
  nameif <name for interface>
  security-level <0-100>
  ip address <ip> <netmask> standby <standby ip>
  exit

Notes:

  • The 'standby' portion of the IP address can be omitted if this is not part of a High Availability pair of firewalls

[ # ]