Question about archived configs

Answered Question
Mar 4th, 2008

We had a PIX Firewall device go down and we are trying to find out where the configs get archived. Is there any way to pull down the configs in clear text so we can pull down the encryption keys from the devices?

Martin Ermel Tue, 03/04/2008 - 09:46 (Blue, 1500 points or more)

The latest collected running config will be stored in the 'shadow' directory if this option is not disabled (Resource Manager Essentials > Admin > Config Mgmt > Archive Mgmt > Archive Settings).

For LMS 3.0 the default shadow directory is

/var/adm/CSCOpx/files/rme/dcma/shadow (Solaris)

NMSROOT\files\rme\dcma\shadow (Windows)

where NMSROOT is the installation directory of LMS (default: C:\Program Files\CSCOpx).

For LMS 2.6 it is

/var/adm/CSCOpx/files/rme/archive/shadow (Solaris)

NMSROOT\files\rme\archive\shadow (Windows)


dionjiles Tue, 03/04/2008 - 10:26

Thanks..... still trying to figure out why all my isakmp keys are showing *******. I'm trying to retrieve those passwords to get my PIX up and running. Any ideas?

This info is very helpful.

Joe Clarke Tue, 03/04/2008 - 10:51 (Cisco Employee, Hall of Fame, Founding Member)

The shadow directory, as mermel pointed out, is where you want to look. All the configs in those directories are in clear text. They are exactly as the device provides them. If there is one place where the passwords should show up in clear text, that is it. You can push shadow configs back to devices as-is (e.g. for disaster recovery).

dionjiles Tue, 03/04/2008 - 10:55

Got you, that would seem logical as I can see some passwords and not the others. Once again, thanks for helping me out.

dionjiles Tue, 03/04/2008 - 10:58

So would it be logical to push that config back to the particular device affected with the *****? Would I still need to type those manually or leave it as is?

Correct Answer
Joe Clarke Tue, 03/04/2008 - 11:00 (Cisco Employee, Hall of Fame, Founding Member)

Pushing the config back would likely set the isakmp key to ****** which would be useless. Sounds like you'll need to look elsewhere for that key. This is akin to the problem we face with SNMPv3 users :-(.

Correct Answer
Joe Clarke Tue, 03/04/2008 - 10:58 (Cisco Employee, Hall of Fame, Founding Member)

If the shadow config shows asterisks for the isakmp key, then that is how the PIX provided it when a show run was issued. That means there will be no place in LMS where that key would be visible in clear text.
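A check worth running over the shadow directory before relying on it for disaster recovery, added here as an example that is not part of this thread and not CiscoWorks/LMS code: it walks the archived configs and flags every line where the device had already replaced a secret with a run of asterisks (the isakmp key case described above), so you know which archives cannot be pushed back as-is. The shadow paths are the ones quoted in the thread; the sample config text, the `DECORATIVE_PREFIXES` exclusion list and the asterisk-token heuristic are constructed assumptions, not PIX or LMS behaviour taken from documentation.

```python
"""Check archived PIX configs for masked secrets before relying on them for DR.

Added example for this thread, not CiscoWorks/LMS code. Shadow-directory
paths come from the thread; the sample config and the masking heuristic
are constructed for illustration.
"""
import os
import re
from typing import Dict, List

# Default shadow directories quoted in the thread, by LMS version and platform.
DEFAULT_SHADOW_DIRS = {
    ("3.0", "solaris"): "/var/adm/CSCOpx/files/rme/dcma/shadow",
    ("3.0", "windows"): r"C:\Program Files\CSCOpx\files\rme\dcma\shadow",
    ("2.6", "solaris"): "/var/adm/CSCOpx/files/rme/archive/shadow",
    ("2.6", "windows"): r"C:\Program Files\CSCOpx\files\rme\archive\shadow",
}

# Heuristic (assumption): a secret the device has already masked appears as a
# run of three or more asterisks standing alone as a token, e.g.
# "isakmp key ****** address ...".
MASKED_TOKEN = re.compile(r"(?:^|\s)\*{3,}(?=\s|$)")

# Statements where asterisks are decoration, not a masked value (assumption).
DECORATIVE_PREFIXES = ("banner ", "!", ":")


def find_masked_lines(config_text: str) -> List[str]:
    """Return the config lines whose secret the device replaced with asterisks."""
    masked = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(DECORATIVE_PREFIXES):
            continue
        if MASKED_TOKEN.search(line):
            masked.append(line)
    return masked


def is_restorable(config_text: str) -> bool:
    """True when no line of the archived config carries a masked secret."""
    return not find_masked_lines(config_text)


def scan_shadow_dir(shadow_dir: str) -> Dict[str, List[str]]:
    """Map each archived config under shadow_dir to its masked lines.

    Only files that contain at least one masked line appear in the result,
    so an empty dict means every archive can be pushed back as-is.
    """
    report: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(shadow_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                masked = find_masked_lines(fh.read())
            if masked:
                report[os.path.relpath(path, shadow_dir)] = masked
    return report


# Constructed sample of what an archived 'show running-config' might contain.
# The 'enable password' line is left as the device encrypts it; the isakmp
# and vpdn lines carry values the device has masked with asterisks.
SAMPLE_CONFIG = """\
: Saved
PIX Version 7.0(4)
hostname pix-edge
enable password 2KFQnbNIdI.2KYOU encrypted
banner motd ***** Authorized use only *****
crypto isakmp policy 10
isakmp key ****** address 192.0.2.10 netmask 255.255.255.255
vpdn username dialin password ********
"""

if __name__ == "__main__":
    for line in find_masked_lines(SAMPLE_CONFIG):
        print("masked:", line)
    print("restorable as-is:", is_restorable(SAMPLE_CONFIG))
    # Against a real archive: scan_shadow_dir(DEFAULT_SHADOW_DIRS[("3.0", "solaris")])
```

Run `scan_shadow_dir()` against the shadow directory for your LMS version; any file listed in the report needs its masked values re-entered by hand after a restore, exactly as this thread concludes for the isakmp key.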

dionjiles Tue, 03/04/2008 - 11:06

Awesome.... thanks for your help. Good information to pass along to my engineers.

dionjiles Tue, 03/04/2008 - 11:35

One other thing: my engineers want to know how exactly CiscoWorks pulls the configuration off the devices.

Joe Clarke Tue, 03/04/2008 - 11:37 (Cisco Employee, Hall of Fame, Founding Member)

Depends on the device. For PIX, we telnet/SSH in, and run show running (running-config) and show config (startup-config).

dionjiles Tue, 03/04/2008 - 12:01

Can we change the way we pull the files on the PIX Firewalls? My engineer believes this is why we are only seeing asterisks.

Correct Answer
Joe Clarke Tue, 03/04/2008 - 12:28 (Cisco Employee, Hall of Fame, Founding Member)

This method is hardcoded, and cannot be changed without recompiling parts of the PIX device package.

dionjiles Tue, 03/04/2008 - 12:32

Thanks..... You are a great source of information.

dionjiles Tue, 03/04/2008 - 12:58

One last question and I'm done.... my engineer just asked me this and I'm not sure how to answer.

So CiscoWorks does not have the ability to log into the box via SSH and TFTP the configuration, vs. doing a show startup-configuration and pasting it into a text file on the CiscoWorks server?

Joe Clarke Tue, 03/04/2008 - 13:07 (Cisco Employee, Hall of Fame, Founding Member)

Ah, I think I see. When you copy the config from the PIX, the credentials come through. Unfortunately, this would require an architectural change to RME to allow for this.

Joe Clarke Tue, 03/04/2008 - 13:03 (Cisco Employee, Hall of Fame, Founding Member)

What command could be used to get the full config suitable for disaster recovery? As far as I know, show running will always provide a starred out isakmp key as well as things like vpdn passwords. Other passwords will be encrypted.

dionjiles Tue, 03/04/2008 - 13:13

Okay, here is the scenario. Let me know if this can be done in CiscoWorks.

1) SSH to the PIX

2) wr net 192.168.10.10:Filename

This would TFTP the startup configuration to the CiscoWorks server. Of course CiscoWorks would need to have a TFTP server active for this to work.


Joe Clarke Tue, 03/04/2008 - 13:17 (Cisco Employee, Hall of Fame, Founding Member)

This is not currently possible. The trick is RME would need to be taught to pre-create the file on the TFTP server, then process the file once the download is complete. The changes would be non-trivial.

I do see a clear value for this, though. It is something you should pursue with your account team as a feature request.

dionjiles Tue, 03/04/2008 - 13:25

No problem. Can a TAC case be opened to request this feature? Can you clarify what you mean by our account team?

Correct Answer
Joe Clarke Tue, 03/04/2008 - 13:50 (Cisco Employee, Hall of Fame, Founding Member)

A feature request by TAC doesn't hold much weight. A feature request made by the sales organization which can back things up with dollar figures means a whole lot more. Typically, TAC encourages customers to talk to their account team, SE, account manager, etc. to open a PERS ticket requesting a new or enhanced feature.

dionjiles Tue, 03/04/2008 - 14:44

Thanks for clarifying on what needs to be done on our end.