Question about archived configs

Answered Question
Mar 4th, 2008

We had a Pix Firewall device go down and we are trying to find out where do the configs get archived. Is there anyway to pull down the configs in clear text so we can pull down the encryption keys from the devices?

Martin Ermel Tue, 03/04/2008 - 09:46

The latest collected running config will be stored in the 'shadow' directory if this option is not disabled (Resource Manager Essentials > Admin > Config Mgmt > Archive Mgmt > Archive Settings).

For LMS 3.0 the default shadow directory is

/var/adm/CSCOpx/files/rme/dcma/shadow (Solaris)

NMSROOT\files\rme\dcma\shadow (Windows)

where NMSROOT is the installation directory of LMS (default: C:\Program Files\CSCOpx).

For LMS 2.6 it is

/var/adm/CSCOpx/files/rme/archive/shadow

NMSROOT\files\rme\archive\shadow

dionjiles Tue, 03/04/2008 - 10:26

Thanks. Still trying to figure out why all my isakmp keys are showing *******. I'm trying to retrieve those passwords to get my pix up and running. Any ideas?

This info is very helpful.

Joe Clarke Tue, 03/04/2008 - 10:51

The shadow directory, as mermel pointed out, is where you want to look. All the configs in those directories are in clear text. They are exactly as the device provides them. If there is one place where the passwords should show up in clear text, that is it. You can push shadow configs back to devices as-is (e.g. for disaster recovery).

dionjiles Tue, 03/04/2008 - 10:55

Got you, that would seem logical, as I can see some passwords and not the others. Once again, thanks for helping me out.

dionjiles Tue, 03/04/2008 - 10:58

So would it be logical to push that config back to the particular device affected with the *****? Would I still need to type those manually or leave it as is?

Correct Answer
Joe Clarke Tue, 03/04/2008 - 11:00

Pushing the config back would likely set the isakmp key to ****** which would be useless. Sounds like you'll need to look elsewhere for that key. This is akin to the problem we face with SNMPv3 users :-(.

Correct Answer
Joe Clarke Tue, 03/04/2008 - 10:58

If the shadow config shows asterisks for the isakmp key, then that is how the PIX provided it when a show run was issued. That means there will be no place in LMS where that key would be visible in clear text.

dionjiles Tue, 03/04/2008 - 11:06

Awesome. Thanks for your help. Good information to pass along to my engineers.

dionjiles Tue, 03/04/2008 - 11:35

One other thing: my engineers want to know how exactly Ciscoworks pulls the configuration off the devices.

Joe Clarke Tue, 03/04/2008 - 11:37

Depends on the device. For PIX, we telnet/SSH in, and run show running (running-config) and show config (startup-config).

dionjiles Tue, 03/04/2008 - 12:01

Can we change the way we pull the files on the PIX Firewalls? My engineer believes this is why we are only seeing asterisks.

Correct Answer
Joe Clarke Tue, 03/04/2008 - 12:28

This method is hardcoded, and cannot be changed without recompiling parts of the PIX device package.

dionjiles Tue, 03/04/2008 - 12:58

One last question and I'm done. My engineer just asked me this question and I'm not sure how to answer.

So Ciscoworks does not have the ability to log into the box via SSH and TFTP the configuration, vs. doing a show startup-configuration and pasting it into a text file on the Ciscoworks server?

Joe Clarke Tue, 03/04/2008 - 13:07

Ah, I think I see. When you copy the config from the PIX, the credentials come through. Unfortunately, this would require an architectural change to RME to allow for this.

Joe Clarke Tue, 03/04/2008 - 13:03

What command could be used to get the full config suitable for disaster recovery? As far as I know, show running will always provide a starred out isakmp key as well as things like vpdn passwords. Other passwords will be encrypted.
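As an added example (not code from this thread, LMS or the PIX), the check below audits an archived shadow config for secrets the PIX only ever echoes as asterisks in show running output, so the team knows before a disaster recovery which keys the archive cannot restore. The config text and every value in it are constructed for the example; the statement syntax is assumed to follow the PIX 6.x style.

```python
import re
from typing import Dict, List

# Constructed sample of an archived "show running" from a PIX; all values are made up.
SAMPLE_SHADOW_CONFIG = """\
hostname pixfw
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255
isakmp key ******** address 198.51.100.9 netmask 255.255.255.255
vpdn username dialuser password ********
snmp-server community public
"""

# Secret-bearing statements and the regex that captures the secret field (assumed syntax).
SECRET_PATTERNS = {
    "isakmp key": re.compile(r"^isakmp key (\S+) address (\S+)"),
    "vpdn password": re.compile(r"^vpdn username \S+ password (\S+)"),
    "enable password": re.compile(r"^enable password (\S+)"),
    "passwd": re.compile(r"^passwd (\S+)"),
}


def is_masked(value: str) -> bool:
    """The device substitutes a run of asterisks for secrets it will not echo."""
    return len(value) > 0 and set(value) == {"*"}


def audit_archived_config(text: str) -> Dict[str, List[str]]:
    """Classify every secret-bearing line of an archived config.

    masked    : archive holds only ********; pushing it back restores nothing
    encrypted : hashed/encrypted form present; pushing it back restores the secret
    cleartext : secret present in clear; restorable, but the archive itself is sensitive
    """
    report: Dict[str, List[str]] = {"masked": [], "encrypted": [], "cleartext": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.match(line.strip())
            if not match:
                continue
            where = f"line {lineno}: {name}"
            if is_masked(match.group(1)):
                report["masked"].append(where)
            elif line.rstrip().endswith(" encrypted"):
                report["encrypted"].append(where)
            else:
                report["cleartext"].append(where)
    return report
```

Run it over every file in the shadow directory and treat a non-empty "masked" list as a disaster-recovery gap to close out of band, since those keys exist nowhere in LMS.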

dionjiles Tue, 03/04/2008 - 13:13

Okay, here is the scenario. Let me know if this can be done in CiscoWorks.

1) SSH to the PIX

2) wr net 192.168.10.10:Filename

This would tftp the startup configuration to the Ciscoworks server. Of course Ciscoworks would need to have a tftp server active for this to work.

Joe Clarke Tue, 03/04/2008 - 13:17

This is not currently possible. The trick is RME would need to be taught to pre-create the file on the TFTP server, then process the file once the download is complete. The changes would be non-trivial.

I do see a clear value for this, though. It is something you should pursue with your account team as a feature request.

dionjiles Tue, 03/04/2008 - 13:25

No problem. Can a TAC case be opened to request this feature? Can you clarify what you mean by our account team?

Correct Answer
Joe Clarke Tue, 03/04/2008 - 13:50

A feature request by TAC doesn't hold much weight. A feature request made by the sales organization which can back things up with dollar figures means a whole lot more. Typically, TAC encourages customers to talk to their account team, SE, account manager, etc. to open a PERS ticket requesting a new or enhanced feature.
