
show running-config

Displays the current running configuration of the Cisco ASA Firewall.

Overview

The 'show running-config' command is a fundamental tool for any Cisco ASA administrator. It displays the current configuration that is actively running in the device's memory. This configuration includes all settings that have been applied since the last reload or the last 'write memory' command. The command is essential for verifying changes, troubleshooting issues, and backing up configurations before making modifications.

On the Cisco ASA Firewall, the running configuration is stored in RAM and is volatile; it is lost if the device is reloaded without saving. Therefore, after making changes, it is critical to save the running configuration to the startup configuration using 'write memory' or 'copy running-config startup-config'. The 'show running-config' command is available in Privileged EXEC mode and can be used with various filters to display specific sections, such as 'show running-config interface' or 'show running-config | include access-list'.

In troubleshooting workflows, the running-config is often the first place to look when diagnosing connectivity or policy issues. For example, if traffic is not passing, you can check ACLs, NAT rules, and routing entries. The command also helps in auditing security posture by reviewing object definitions and access policies. Understanding how to read and interpret the output is crucial for both daily operations and certification exams like CCNP Security.

Syntax (Privileged EXEC)

show running-config [all | command | interface if_name | ipsec | map | object | policy-map | route | running | startup | system | tech-support | version]

When to Use This Command

  • Review current firewall settings after making changes to verify the configuration.
  • Troubleshoot connectivity issues by checking interface IPs, NAT rules, and ACLs.
  • Backup the running configuration before performing major upgrades or changes.
  • Audit security policies to ensure compliance with organizational standards.

Parameters

Parameter | Syntax | Description
all | all | Displays the running configuration including default values that are not normally shown. Useful for verifying default settings.
command | command | Displays the running configuration for a specific command or command category, e.g., 'show running-config access-list'.
interface if_name | interface if_name | Displays the running configuration for a specific interface by its name (e.g., 'outside').
ipsec | ipsec | Displays the running configuration related to IPsec VPN settings.
map | map | Displays the running configuration for map objects (e.g., crypto map, policy map).
object | object | Displays the running configuration for network objects, service objects, etc.
policy-map | policy-map | Displays the running configuration for policy maps used in the modular policy framework.
route | route | Displays the running configuration for static routes.
running | running | Equivalent to 'show running-config' without parameters; included for completeness.
startup | startup | Displays the startup configuration (saved config) rather than the running config.
system | system | Displays the running configuration for system-level settings (e.g., hostname, enable password).
tech-support | tech-support | Displays a comprehensive output including the running config and other diagnostic information for support.
version | version | Displays the running configuration including version information.

Command Examples

Basic show running-config output

show running-config
ASA Version 9.12(4) 
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
!
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
class-map inspection_default
 match default-inspection-traffic
!
prompt hostname context 

The output shows the ASA version, hostname, interface configurations (nameif, security-level, IP), object definitions, ACLs, routing, HTTP server settings, and class-map. Each section is separated by '!'.

Show running-config for a specific interface

show running-config interface GigabitEthernet1/1
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!

This filters the output to show only the configuration for the specified interface, useful for quickly checking interface settings.

Understanding the Output

The 'show running-config' command outputs the entire active configuration of the ASA. The output begins with the ASA version and hostname. Each configuration section is separated by '!'. Key sections include: interface configurations (nameif, security-level, IP address), object definitions (network objects, service objects), access-lists and access-groups, routing (static routes), NAT rules (if configured), and system settings (like HTTP server, AAA, logging).

To interpret the output, look for the specific sections relevant to your troubleshooting. For example, if checking interface IPs, find the 'interface' lines. For ACLs, find 'access-list' entries. A healthy configuration shows correct IPs, no duplicate entries, and proper security-level assignments. Problematic values might include missing IP addresses, incorrect subnet masks, or ACLs that are too permissive. The output is read-only; changes require entering configuration mode.

Configuration Scenarios

Verifying Interface Configuration After Change

An administrator has changed the IP address of the inside interface and wants to confirm the change.

Topology

N/A

Steps

  1. Enter Privileged EXEC mode.
  2. Type 'show running-config interface inside' to display the inside interface configuration.
  3. Verify the IP address and subnet mask match the intended change.

Verify: The output should show the new IP address under the interface configuration.

Watch out: If the change was not saved, the running-config will show the new IP, but the startup-config will still have the old one. Always save after changes.

Auditing ACLs for Security Compliance

A security audit requires reviewing all access-lists to ensure no overly permissive rules exist.

Topology

N/A

Steps

  1. Run 'show running-config | include access-list' to list all ACL entries.
  2. Review each line for any 'permit any any' statements or overly broad source/destination.
  3. Document findings and plan remediation if needed.

Verify: The output should show all ACLs; look for any 'any any' entries.

Watch out: Remember that ACLs are processed top-down; a 'permit any any' at the end might be intentional but should be verified.
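As an added example (not code from the page or from Cisco), the following Python script applies the checks described in this scenario and in 'Understanding the Output' to a captured 'show running-config' dump: it flags ACEs that permit any source to any destination, interfaces that have a nameif but no IP address, and a missing default route. The sample dump is constructed from the page's output, and the function names are this example's own.

```python
# Added example (not from the page or Cisco): audit a captured ASA dump.
import re

# Constructed sample: trimmed from the page's output, plus one deliberately
# permissive ACE and one interface that was named but never given an IP.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
!
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit ip any any
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
"""

def sections(config):
    """Split on ASA's standalone '!' separator; sub-commands keep their indent."""
    return [b.strip().splitlines() for b in re.split(r"^!\s*$", config, flags=re.M) if b.strip()]

def permissive_aces(config):
    """ACL entries whose source and destination are both 'any' (any4/any6 too)."""
    ace = re.compile(r"^access-list \S+ extended permit \S+ any[46]? any[46]?\b.*$", re.M)
    return [m.group(0) for m in ace.finditer(config)]

def interfaces_without_ip(config):
    """nameif values of interfaces that carry a name but no 'ip address' line."""
    missing = []
    for block in sections(config):
        if block[0].startswith("interface "):
            nameif = next((ln.split()[1] for ln in block if ln.strip().startswith("nameif ")), None)
            if nameif and not any(ln.strip().startswith("ip address ") for ln in block):
                missing.append(nameif)
    return missing

def has_default_route(config):
    """True when a 'route <nameif> 0.0.0.0 0.0.0.0 <next-hop>' line is present."""
    return re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M) is not None

if __name__ == "__main__":
    for check in (permissive_aces, interfaces_without_ip, has_default_route):
        print(check.__name__, "->", check(SAMPLE_CONFIG))
```

Pipe the real output of 'show running-config' into a file and pass its contents in place of SAMPLE_CONFIG to run the same checks against a live device's configuration.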

Troubleshooting with This Command

When troubleshooting connectivity issues on a Cisco ASA, the 'show running-config' command is invaluable. Start by checking the interface configurations: ensure that the correct IP addresses, subnet masks, and security-levels are assigned. For example, if traffic from the inside network cannot reach the internet, verify that the inside interface has an IP address in the correct subnet and that the outside interface has a public IP or appropriate private IP. Next, examine the routing section: look for a default route pointing to the next-hop gateway. If missing, traffic will not be forwarded. Also check for any static routes that might be misconfigured.

Access-lists are another common source of issues. Use 'show running-config | include access-list' to review all ACLs. Ensure that the ACL applied to the interface (via access-group) permits the desired traffic. For instance, if HTTP traffic from inside to outside is blocked, check the ACL on the outside interface for an inbound rule that permits return traffic. Also verify that NAT rules are correctly configured; use 'show running-config | include nat' to see NAT statements. A common mistake is forgetting to configure NAT for internal hosts to access the internet.

Finally, check system settings like logging, AAA, and management access. For example, if you cannot SSH to the ASA, verify that the 'ssh' command is present in the running-config and that the management interface is correctly configured. The 'show running-config' command provides a complete picture, allowing you to methodically eliminate potential causes.

CCNA Exam Tips

  1. Memorize that 'show running-config' is the primary command to verify current settings; it's often the first step in troubleshooting.
  2. Know that 'show running-config all' displays default values, which can be tested for understanding of hidden defaults.
  3. Practice filtering output with 'show running-config | include <pattern>' to quickly find specific lines in exams.

Common Mistakes

  • Confusing 'show running-config' with 'show startup-config'; the former shows the active config, the latter shows the saved config.
  • Forgetting to use 'write memory' after changes; the running-config is lost on reload without saving.
  • Assuming the output shows all defaults; use 'show running-config all' to see default values.

Platform Notes

On Cisco ASA, the 'show running-config' command is similar to Cisco IOS but with ASA-specific syntax. Unlike IOS, ASA uses 'nameif' to name interfaces and 'security-level' to assign trust levels. The output format is also different: ASA uses '!' as a section separator, while IOS uses '!' less consistently. ASA also has unique sections like 'object network' and 'access-group' that are not present in IOS.

Equivalent commands on other platforms: On Cisco IOS, 'show running-config' is identical in name but output differs. On Palo Alto firewalls, 'show running config' is used. On Juniper SRX, 'show configuration' displays the active configuration. ASA version differences: In older ASA versions (pre-8.3), NAT configuration used 'nat' and 'global' commands, while post-8.3 uses 'object network' and 'nat' statements. The 'show running-config' command reflects these differences. Always be aware of the ASA version when interpreting output.
