02-20-2007 01:53 AM - edited 03-11-2019 02:35 AM
Hi all,
I'm looking for a solution for downloading the configuration from our PIX with PIXOS 7.x. I know that I can configure a tftp server to upload the config manually from the PIX, through ASDM or CLI.
My question is whether I can configure a scheduled download.
BR
jl
02-20-2007 03:51 AM
Yes, it can be easily done with an expect script like the one below:
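#! /usr/bin/expect -f
# Control-character definitions (not used by the steps below)
set CINTR \003 ;# ^C
set CSUSP \032 ;# ^Z
set ESC \033
set CR \r
set CS6X "\036\x"
set CZ "\032"
#---------------------------USER INPUT------------------------------------
set timeout 30
set control_d 0x04
#------------------------------------------------------------------------
# Effective timeout in seconds for every expect below (overrides the 30 above)
set timeout 10
# Open the SSH session to the PIX
spawn ssh 192.168.1.1
# Log in; the user name and both passwords are stored in this file in
# cleartext, so keep the script readable by its owner only
expect Username: {
sleep 2
send "test\r"
}
expect Password: {send "ciscopix\r"}
# Enter privileged (enable) mode
expect CiscoPix> {send "enable\r"}
expect Password: {send "ciscopix\r"}
sleep 2
# Turn off paging so output is not interrupted by "more" prompts
expect CiscoPix# {send "term pager 0\r" }
sleep 1
# Start the copy of the running configuration to the TFTP server
expect CiscoPix# {send "copy running tftp: \r" }
sleep 1
# Answer the three copy prompts in order: source file name,
# TFTP server address, destination file name
expect *? {send "running-config\r" }
expect *? {send "tftp_server_IP_address\r"; }
expect *? {send "running-config\r" }
# Wait for the prompt to return, then log out
expect CiscoPix# {send "\r\r" }
expect CiscoPix# {send "exit\r\r\r"}
close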
Or, if you already have the tftp server in the config, you can use "write net". Easy, isn't it?
David
CCIE Security
02-21-2007 03:31 AM
Hi David,
Thanks for the help. It is useful for me.
I have another question. How can I do this so that the file name changes every time, so that I know the date of the download?
Thanks a lot for help.
BR
jl
02-21-2007 04:12 AM
Hi JL,
Yes, it is very simple. You set up a crontab on the Unix box to run a shell script file that will run the expect script file. You will need one extra line like this one below after the expect script is run:
DMY=`date +%d%h%Y`
C_TIME=`date +%H%M`
mv running-config running.$C_TIME.$DMY
Easy isn't it?
David
CCIE Security
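The cron-driven wrapper described in the post above, as an added example that is not part of the original thread. It goes slightly beyond the rename step: it refuses to archive a missing or empty transfer, restricts file permissions, and prunes old copies. The paths `/usr/local/bin/pix-backup.exp`, `/tftpboot`, `/var/backups/pix` and the `PIX_BACKUP_RUN` variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: pix-backup.exp (the
# expect script), /tftpboot (TFTP root), /var/backups/pix, PIX_BACKUP_RUN.

# Move a freshly received config into the archive under a date-stamped name.
# Prints the archived path; fails if the transfer left no usable file.
archive_config() {
    src=$1
    dest_dir=$2
    # A missing or empty file means the TFTP copy failed: report it instead
    # of archiving an empty "backup".
    if [ ! -s "$src" ]; then
        echo "archive_config: $src missing or empty" >&2
        return 1
    fi
    # Naming scheme from the thread: running.HHMM.DDMonYYYY
    stamp=$(date +%H%M.%d%h%Y)
    mkdir -p "$dest_dir" || return 1
    chmod 700 "$dest_dir" || return 1
    dest="$dest_dir/running.$stamp"
    mv "$src" "$dest" || return 1
    # The config holds password hashes and the rule set: owner-only access.
    chmod 600 "$dest" || return 1
    echo "$dest"
}

# Delete archived configs older than the given number of days.
prune_old() {
    find "$1" -type f -name 'running.*' -mtime +"$2" -exec rm -f {} +
}

# The whole job: fetch over SSH/TFTP, archive, prune.
run_backup() {
    umask 077
    /usr/local/bin/pix-backup.exp >/dev/null || return 1
    archive_config /tftpboot/running-config /var/backups/pix >/dev/null || return 1
    prune_old /var/backups/pix 30
}

# Constructed crontab line: 15 2 * * * PIX_BACKUP_RUN=1 /usr/local/bin/pix-backup.sh
# Without PIX_BACKUP_RUN=1 the file only defines the functions.
if [ "${PIX_BACKUP_RUN:-0}" = 1 ]; then
    run_backup
fi
```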
02-23-2007 06:19 AM
Hi David,
Thanks a lot for your example, it works nicely. It's a pity that it cannot be done directly through SNMP because the PIX doesn't have RW access.
Thanks a lot for every conversation you had with me.
BR
jl
02-23-2007 06:29 AM
Hi JL,
I completely agree with you. The PIX should allow SNMP RW access. I work with both Checkpoint and Juniper firewalls, in addition to Cisco PIX, and both CP and Juniper allow RW SNMP to the firewalls. For security reasons, I always use SNMP version 3. Not allowing RW SNMP access to the PIX is just stupid, IMHO. Not everyone is as stupid as Cisco thinks.
I am glad I was able to help.
David