show running-config
Displays the current running configuration of the Cisco ASA Firewall.
Overview
The 'show running-config' command is a fundamental tool for any Cisco ASA administrator. It displays the configuration that is actively running in the device's memory: every setting currently in effect, including any changes made since the last reload or the last 'write memory' command. The command is essential for verifying changes, troubleshooting issues, and backing up configurations before making modifications.
On the Cisco ASA Firewall, the running configuration is stored in RAM and is volatile; it is lost if the device is reloaded without saving. Therefore, after making changes, it is critical to save the running configuration to the startup configuration using 'write memory' or 'copy running-config startup-config'. The 'show running-config' command is available in Privileged EXEC mode and can be used with various filters to display specific sections, such as 'show running-config interface' or 'show running-config | include access-list'.
In troubleshooting workflows, the running-config is often the first place to look when diagnosing connectivity or policy issues. For example, if traffic is not passing, you can check ACLs, NAT rules, and routing entries. The command also helps in auditing security posture by reviewing object definitions and access policies. Understanding how to read and interpret the output is crucial for both daily operations and certification exams like CCNP Security.
show running-config [all | command | interface if_name | ipsec | map | object | policy-map | route | running | startup | system | tech-support | version]
When to Use This Command
- Review current firewall settings after making changes to verify the configuration.
- Troubleshoot connectivity issues by checking interface IPs, NAT rules, and ACLs.
- Backup the running configuration before performing major upgrades or changes.
- Audit security policies to ensure compliance with organizational standards.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| all | all | Displays the running configuration including default values that are not normally shown. Useful for verifying default settings. |
| command | command | Displays the running configuration for a specific command or command category, e.g., 'show running-config access-list'. |
| interface if_name | interface if_name | Displays the running configuration for a specific interface by its name (e.g., 'outside'). |
| ipsec | ipsec | Displays the running configuration related to IPsec VPN settings. |
| map | map | Displays the running configuration for map objects (e.g., crypto map, policy map). |
| object | object | Displays the running configuration for network objects, service objects, etc. |
| policy-map | policy-map | Displays the running configuration for policy maps used in modular policy framework. |
| route | route | Displays the running configuration for static routes. |
| running | running | Equivalent to 'show running-config' without parameters; included for completeness. |
| startup | startup | Displays the startup configuration (saved config) rather than running config. |
| system | system | Displays the running configuration for system-level settings (e.g., hostname, enable password). |
| tech-support | tech-support | Displays a comprehensive output including running config and other diagnostic info for support. |
| version | version | Displays the running configuration including version information. |
Command Examples
Basic show running-config output
show running-config

```
ASA Version 9.12(4)
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
!
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
class-map inspection_default
 match default-inspection-traffic
!
prompt hostname context
```
The output shows the ASA version, hostname, interface configurations (nameif, security-level, IP), object definitions, ACLs, routing, HTTP server settings, and class-map. Each section is separated by '!'.
Show running-config for a specific interface
show running-config interface GigabitEthernet1/1

```
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
```
This filters the output to show only the configuration for the specified interface, useful for quickly checking interface settings.
Understanding the Output
The 'show running-config' command outputs the entire active configuration of the ASA. The output begins with the ASA version and hostname. Each configuration section is separated by '!'. Key sections include: interface configurations (nameif, security-level, IP address), object definitions (network objects, service objects), access-lists and access-groups, routing (static routes), NAT rules (if configured), and system settings (like HTTP server, AAA, logging). To interpret the output, look for the specific sections relevant to your troubleshooting. For example, if checking interface IPs, find the 'interface' lines. For ACLs, find 'access-list' entries. A healthy configuration shows correct IPs, no duplicate entries, and proper security-level assignments. Problematic values might include missing IP addresses, incorrect subnet masks, or ACLs that are too permissive. The output is read-only; changes require entering configuration mode.
Configuration Scenarios
Verifying Interface Configuration After Change
An administrator has changed the IP address of the inside interface and wants to confirm the change.
Topology
N/A
Steps
1. Enter Privileged EXEC mode.
2. Type 'show running-config interface inside' to display the inside interface configuration.
3. Verify the IP address and subnet mask match the intended change.
Verify: The output should show the new IP address under the interface configuration.
Watch out: If the change was not saved, the running-config will show the new IP, but the startup-config will still have the old one. Always save after changes.
Auditing ACLs for Security Compliance
A security audit requires reviewing all access-lists to ensure no overly permissive rules exist.
Topology
N/A
Steps
1. Run 'show running-config | include access-list' to list all ACL entries.
2. Review each line for any 'permit any any' statements or overly broad source/destination.
3. Document findings and plan remediation if needed.
Verify: The output should show all ACLs; look for any 'any any' entries.
Watch out: Remember that ACLs are processed top-down; a permit any any at the end might be intentional but should be verified.
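The ACL review in the audit scenario above can be scripted over saved 'show running-config' output. The following Python is an added example, not part of this reference page or any Cisco tool: it parses extended access-list entries, normalises each ACE's source and destination, and reports every 'permit any any' entry together with the access-group interface it is applied to, so an unapplied ACL can be told apart from one that is actually enforcing. The ACL names, addresses and the config text are constructed sample data.

```python
import re
# Constructed sample modelled on the page's example output; not from a real device.
SAMPLE = """\
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list mgmt_in extended permit ip any any
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (.+)$")
GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def take_address(tokens):
    """Consume one ASA address spec; return (normalised spec, remaining tokens)."""
    if tokens[0] in ("any", "any4", "any6"):
        return "any", tokens[1:]
    # 'host X', 'object X', 'object-group X' and 'NETWORK MASK' are two tokens each.
    return " ".join(tokens[:2]), tokens[2:]

def parse_aces(config):
    """Yield (acl_name, action, protocol, source, destination) for each extended ACE."""
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # remarks, standard ACLs and non-ACL lines are skipped
        tokens = m.group(3).split()
        if tokens[0] == "object-group":  # protocol given as a service object-group
            proto, tokens = take_address(tokens)
        else:
            proto, tokens = tokens[0], tokens[1:]
        src, tokens = take_address(tokens)
        dst, _ = take_address(tokens)  # trailing port operators are ignored here
        yield m.group(1), m.group(2), proto, src, dst

def applied_acls(config):
    """Map ACL name -> (direction, interface) from access-group lines."""
    matches = (GROUP.match(l.strip()) for l in config.splitlines())
    return {m.group(1): (m.group(2), m.group(3)) for m in matches if m}

def audit(config):
    """List 'permit any any' ACEs as (acl, protocol, applied-to or None)."""
    applied = applied_acls(config)
    return [(acl, proto, applied.get(acl))
            for acl, action, proto, src, dst in parse_aces(config)
            if action == "permit" and src == "any" and dst == "any"]
```

Running audit(SAMPLE) flags inside_access_in (applied inbound on 'inside', a common and possibly intentional outbound-anything rule) and mgmt_in (permissive but not referenced by any access-group); the deny entry and the host-specific permit are not reported.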
Troubleshooting with This Command
When troubleshooting connectivity issues on a Cisco ASA, the 'show running-config' command is invaluable. Start by checking the interface configurations: ensure that the correct IP addresses, subnet masks, and security-levels are assigned. For example, if traffic from the inside network cannot reach the internet, verify that the inside interface has an IP address in the correct subnet and that the outside interface has a public IP or appropriate private IP. Next, examine the routing section: look for a default route pointing to the next-hop gateway. If missing, traffic will not be forwarded. Also check for any static routes that might be misconfigured.
Access-lists are another common source of issues. Use 'show running-config | include access-list' to review all ACLs. Ensure that the ACL applied to the interface (via access-group) permits the desired traffic. For instance, if HTTP traffic from inside to outside is blocked, check the ACL on the outside interface for an inbound rule that permits return traffic. Also verify that NAT rules are correctly configured; use 'show running-config | include nat' to see NAT statements. A common mistake is forgetting to configure NAT for internal hosts to access the internet.
Finally, check system settings like logging, AAA, and management access. For example, if you cannot SSH to the ASA, verify that the 'ssh' command is present in the running-config and that the management interface is correctly configured. The 'show running-config' command provides a complete picture, allowing you to methodically eliminate potential causes.
CCNA Exam Tips
- Memorize that 'show running-config' is the primary command to verify current settings; it's often the first step in troubleshooting.
- Know that 'show running-config all' displays default values, which can be tested for understanding of hidden defaults.
- Practice filtering output with 'show running-config | include <pattern>' to quickly find specific lines in exams.
Common Mistakes
- Confusing 'show running-config' with 'show startup-config'; the former shows active config, the latter shows saved config.
- Forgetting to use 'write memory' after changes; running-config is lost on reload without saving.
- Assuming the output shows all defaults; use 'show running-config all' to see default values.
Platform Notes
On Cisco ASA, the 'show running-config' command is similar to Cisco IOS but with ASA-specific syntax. Unlike IOS, ASA uses 'nameif' to name interfaces and 'security-level' to assign trust levels. The output format is also different: ASA uses '!' as a section separator, while IOS uses '!' less consistently. ASA also has unique sections like 'object network' and 'access-group' that are not present in IOS.
Equivalent commands on other platforms: On Cisco IOS, 'show running-config' is identical in name but output differs. On Palo Alto firewalls, 'show running config' is used. On Juniper SRX, 'show configuration' displays the active configuration.
ASA version differences: In older ASA versions (pre-8.3), NAT configuration used 'nat' and 'global' commands, while post-8.3 uses 'object network' and 'nat' statements. The 'show running-config' command reflects these differences. Always be aware of the ASA version when interpreting output.