02-20-2007 01:53 AM - edited 03-11-2019 02:35 AM
Hi all,
I'm looking for a solution for downloading the
configuration from our PIX with PIXOS 7.x. I know that I can configure a TFTP
server to upload the config manually from the PIX, through ASDM or the CLI.
My question is whether I can configure a scheduled download.
BR
jl
02-20-2007 03:51 AM
Yes, it can easily be done with an expect script like the one below:
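#! /usr/bin/expect -f
# Control-character constants (not used by the login sequence below)
set CINTR \003 ;# ^C
set CSUSP \032 ;# ^Z
set ESC \033
set CR \r
set CS6X "\036\x"
set CZ "\032"
#---------------------------USER INPUT------------------------------------
set timeout 30
set control_d 0x04
#------------------------------------------------------------------------
# Effective timeout: this overrides the 30 seconds set above
set timeout 10
# The login and enable passwords below are stored in clear text,
# so keep this file readable by its owner only
spawn ssh 192.168.1.1
expect Username: {
sleep 2
send "test\r"
}
expect Password: {send "ciscopix\r"}
# Enter privileged mode
expect CiscoPix> {send "enable\r"}
expect Password: {send "ciscopix\r"}
sleep 2
# Disable paging so output is not interrupted
expect CiscoPix# {send "term pager 0\r" }
sleep 1
expect CiscoPix# {send "copy running tftp: \r" }
sleep 1
# Answer the copy prompts: source file, TFTP server, destination file.
# Replace tftp_server_IP_address with the address of your TFTP server.
expect *? {send "running-config\r" }
expect *? {send "tftp_server_IP_address\r"; }
expect *? {send "running-config\r" }
expect CiscoPix# {send "\r\r" }
expect CiscoPix# {send "exit\r\r\r"}
close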
Or, if you already have the TFTP server in the config, you can use "write net". Easy, isn't it?
David
CCIE Security
02-21-2007 03:31 AM
Hi David,
Thanks for the help. It is useful for me.
I have another question. How can I do this while
changing the name of the file every time, so that I know
the date of the download?
Thanks a lot for the help.
BR
jl
02-21-2007 04:12 AM
Hi JL,
Yes, it is very simple. You set up a crontab
on the Unix box to run a shell script file that will
run the expect script file. You will need one extra line
like the one below after the expect script is
run:
DMY=`date +%d%h%Y`
C_TIME=`date +%H%M`
mv running-config running.$C_TIME.$DMY
Easy, isn't it?
David
CCIE Security
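The cron-driven wrapper described in the post above, as an added example that is not part of the original thread: it runs the expect script, refuses to archive an empty or truncated transfer, and keeps the dated copy owner-only. The directory paths, script names and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are assumptions; override via env.
TFTP_DIR=${TFTP_DIR:-/tftpboot}                # where the PIX drops "running-config"
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/backups/pix}   # dated copies are kept here
FETCH_CMD=${FETCH_CMD:-/usr/local/bin/pix-backup.exp}  # hypothetical path of the expect script

# Runs in a subshell "( ... )" so umask and exit do not leak into the caller.
# Exit codes: 0 ok, 1 setup error, 2 fetch failed, 3 nothing received, 4 truncated.
archive_config() (
    src="$TFTP_DIR/running-config"
    dest="$ARCHIVE_DIR/running-config.$(date +%Y%m%d-%H%M%S)"

    # Empty the drop file first so a stale copy from an earlier run can never
    # be archived under today's date. Truncate instead of delete, because many
    # tftpd setups only accept writes to a file that already exists.
    : > "$src" || exit 1

    # The config holds password hashes and keys: keep copies owner-only.
    umask 077
    mkdir -p "$ARCHIVE_DIR" || exit 1

    "$FETCH_CMD" >/dev/null 2>&1 || { echo "fetch command failed" >&2; exit 2; }
    [ -s "$src" ] || { echo "no config received via TFTP" >&2; exit 3; }

    # Assumption: a complete PIX config ends with a ": end" line, so its
    # absence means the transfer was cut short.
    grep -q '^: end' "$src" || { echo "config looks truncated" >&2; exit 4; }

    cp "$src" "$dest" || exit 1
    chmod 600 "$dest" || exit 1
    : > "$src"            # do not leave the secrets in the TFTP root
    echo "$dest"          # path of the archived copy
)

# Hypothetical crontab entry: 0 2 * * * /usr/local/bin/pix-archive.sh --run
if [ "${1:-}" = "--run" ]; then
    archive_config
fi
```

The timestamp uses year-month-day order so the archived files sort chronologically in a directory listing.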
02-23-2007 06:19 AM
Hi David,
Thanks a lot for your example. It works nicely.
It's a pity that it cannot be done directly
through SNMP because the PIX doesn't have RW access.
Thanks a lot for every conversation you had
with me.
BR
jl
02-23-2007 06:29 AM
Hi JL,
I completely agree with you. The PIX should allow SNMP RW
access. I work with both Checkpoint and Juniper
firewalls, in addition to Cisco PIX, and both
CP and Juniper allow RW SNMP to the firewalls.
For security reasons, I always use SNMP version 3.
Not allowing RW SNMP access to the PIX is just
stupid, IMHO. Not everyone is as stupid as
Cisco thinks.
I am glad I was able to help.
David