Thanks to Anisha with Cisco Systems for this idea. We were in Brian McGahan’s CCIE Security 5 Day Bootcamp, and she realized it would be nice to have a Quick Ref of his troubleshooting/verification commands. There is a bazillion shows and debugs it seems, but you only need a subset to be successful in the lab. Here is the first part of the “cheat sheet”. The rest will follow in the respective categories in the blog. Please let me know via comment if you see errors or have additions. I added to Brian’s classroom commands with some of my own. I also took a few from the Cisco Press ASA All-In-One Guide. It is an excellent text for your Kindle!



debug radius
debug tacacs
show aaa-server protocol PROTOCOL_NAME
test aaa-server

Access Control Lists

show access-list
show run | include ACCESS_LIST_NAME
show run object-group
show run time-range

Application Inspection

show conn state STATE_TYPE detail
show service-policy

Configuring Interfaces

show firewall
show int
show int ip brief
show ip
show mode
show nameif
show run interface INTERFACE_NAME
show version

Connections and Translations

clear xlate
show conn
show conn detail
show local-host all
clear local-host all (clears all connections)
show log
show run | begin policy-map
show run global
show run nat
show xlate
test regex


debug fo rxip
debug fo txip
show failover
show ip

IP Routing

deug ospf event
debug rip
show ospf database
show ospf interface
show ospf neighbor
show ospf PROCESS_ID
show ospf virtual-links
show route


show igmp interface
show mroute
show pim interface
show pim neighbor


debug crypto ca messages
debug crypto ca transactions
show crypto ca certificates
show crypto ca crls
show crypto key mypubkey rsa

Quality of Service

show priority-queue statistics
show run class-map
show run policy-map
show service-policy global
show service-policy interface INTERFACE_NAME
show service-policy priority
show service-policy shape

Security Contexts

show admin-context
show context
show mode

System Management

show clock
show crypto key mypubkey rsa
show logging
show ntp status
show running-config
show snmp-server statistics
show ssh sessions
show startup-config

Transparent Firewall

debug arp-inspection
debug l2-indication
debug mac-address-table
show access-list
show arp-inspection
show conn
show firewall
show mac-address-table


debug crypto ipsec
debug crypto isakmp
show crypto ipsec sa
show crypto isakmp sa detail
show route


debug menu wbvpn
debug ssl cipher
show vpn-sessiondb summary
show vpn-sessiondb webvpn

You can leave a response, or trackback from your own site.

9 Responses to “CCIE Security 2.X Verification Commands “Cheat Sheet””

  1. more_JazZz says:


    Why section IP Routing don’t have commands for iegrp?


  2. Patrick says:

    Thanks for the list.

    I believe “show run access-list ACCESS-LIST-NAME” is the same as “show run | include ACCESS_LIST_NAME”. Use whichever one you prefer :)

  3. pello says:

    Ty for this cheatsheet :)
    I’d love to read more stuff about CCIE sec :>

  4. Maxwell says:


    8 days to go for the exam and now only you are posting the good stuff, thanks a lot for the list to keep in mind. Appreciate if you can run across the other commands before end of 8 days ….

    Maxwell Noel

  5. To MoreJazzz:

    There are no EIGRP commands because it is not supported in the 2.X version of the security on the PIX/ASA. Please see the command reference guide to verify this:

  6. Bal says:


    You are Awesome! :-)

  7. Ahriakin says:

    Great work, and it was good meeting you at the camp. I’d add the “test aaa…” commands for the IOS and PIX/ASA under AAA though, they came in very handy.


  8. Hi Derek!

    Thanks so much! I added the two exam-relevant test commands of the possible three.

    Thanks again!

  9. Rizzo says:


    I think its time to update this Cheat Sheet. :) I am sure Keith Barker must have got some tips to share with us. :)

    Here is my Golden Tip or Cheat to Setup VPN on ASA 8.x codes. ASA Config Term mode have vpnsetup command which show you all setup to configure VPNs. Let see here an Example:

    ciscoasa# config t
    ciscoasa(config)# vpnsetup
    ERROR: % Incomplete command
    ciscoasa(config)# vpnsetup ?

    configure mode commands/options:
    ipsec-remote-access Display IPSec Remote Access Configuration Commands
    l2tp-remote-access Display L2TP/IPSec Configuration Commands
    site-to-site Display IPSec Site-to-Site Configuration Commands
    ssl-remote-access Display SSL Remote Access Configuration Commands
    ciscoasa(config)# vpnsetup
    ciscoasa(config)# vpnsetup ipsec-remote-access ?

    configure mode commands/options:
    steps Display VPN Setup Commands
    ciscoasa(config)# vpnsetup ipsec-remote-access

    ciscoasa(config)# vpnsetup ipsec-remote-access steps

    Steps to configure a remote access IKE/IPSec connection with examples:

    1. Configure Interfaces

    interface GigabitEthernet0/0
    ip address
    nameif outside
    no shutdown

    interface GigabitEthernet0/1
    ip address
    nameif inside
    no shutdown

    2. Configure ISAKMP policy

    crypto isakmp policy 65535
    authentication pre-share
    encryption aes
    hash sha

    3. Setup an address pool

    ip local pool client-pool

    4. Configure authentication method

    aaa-server MyRadius protocol radius
    aaa-server MyRadius host
    key $ecretK3y

    5. Define tunnel group

    tunnel-group client type remote-access
    tunnel-group client general-attributes
    address-pool client-pool
    authentication-server-group MyRadius
    tunnel-group client ipsec-attributes
    pre-shared-key VpnUs3rsP@ss

    6. Setup ipsec parameters

    crypto ipsec transform-set myset esp-aes esp-sha-hmac

    7. Setup dynamic crypto map

    crypto dynamic-map dynmap 1 set transform-set myset
    crypto dynamic-map dynmap 1 set reverse-route

    8. Create crypto map entry and associate dynamic map with it

    crypto map mymap 65535 ipsec-isakmp dynamic dynmap

    9. Attach crypto map to interface

    crypto map mymap interface outside

    10. Enable isakmp on interface

    crypto isakmp enable outside


    You can try other options and share your experience with us!



Leave a Reply


CCIE Bloggers