Scheduled download of PIX config.

Unanswered Question
Feb 20th, 2007

Hi all,

Im looking for solution of downloading

configuration from our PIX with PIXOS 7.x. I know that I can configure tftp

server to upload manually config from PIX, throught ASDM or CLI.

My question is if I can configure scheduled download?

BR

jl

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
daviddtran Tue, 02/20/2007 - 03:51

yes, it can be easily done with an expect script like the one below:

#! /usr/bin/expect -f

set CINTR \003 ;# ^C

set CSUSP \032 ;# ^Z

set ESC \033

set CR \r

set CS6X "\036\x"

set CZ "\032"

#---------------------------USER INPUT------------------------------------

set timeout 30

set control_d 0x04

#------------------------------------------------------------------------

set timeout 10

spawn ssh 192.168.1.1

expect Username: {

sleep 2

send "test\r"

}

expect Password: {send "ciscopix\r"}

expect CiscoPix> {send "enable\r"}

expect Password: {send "ciscopix\r"}

sleep 2

expect CiscoPix# {send "term pager 0\r" }

sleep 1

expect CiscoPix# {send "copy running tftp: \r" }

sleep 1

expect *? {send "running-config\r" }

expect *? {send "tftp_server_IP_address\r"; }

expect *? {send "running-config\r" }

expect CiscoPix# {send "\r\r" }

expect CiscoPix# {send "exit\r\r\r"}

close

or if you already have the tftp server in the config, you can use "write net". Easy isn't it?

David

CCIE Security

johnleeee Wed, 02/21/2007 - 03:31

Hi David,

thanks for help. It is useful for me.

I have other question. How can I do this with

every time changing name of file to know

date of download.

Thanks a lot for help.

BR

jl

daviddtran Wed, 02/21/2007 - 04:12

Hi JL,

Yes, it is very simple. You set up a crontab

on the unix to run a shell script file that will

the expect script file. You will one extra line

like this one below after the expect script is

run:

DMY=`date +%d%h%Y`

C_TIME=`date +%H%M`

mv running-config running.$C_TIME.$DMY

Easy isn't it?

David

CCIE Security

johnleeee Fri, 02/23/2007 - 06:19

Hi David,

thanks a lot for your example..it does nice.

Its a pity that it cannot be done directly

throught snmp because PIX hasnt RW access.

Thanks a lot for every conversation you had

with me.

BR

jl

daviddtran Fri, 02/23/2007 - 06:29

Hi JL,

I complete with you. Pix should allow snmp RW

access. I work with both Checkpoint and Juniper

Firewalls, in addition to Cisco Pix, and both

CP and Juniper allow RW snmp to the firewalls.

For security reasons, I always SNMP version 3.

Not allowing RW snmp access to the pix is just

stupid, IMHO. Not everyone is as stupid as

Cisco thinks.

I am glad I was able to help.

David

Actions

This Discussion