Automated ASA Config Backup

Frank
Level 1

Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?

Thanks

Frank

9 Replies

plumbis
Level 7

You could look into the RANCID network administrator software.

AxiomConsulting
Level 1

We use...

http://www.kiwisyslog.com/kiwi-cattools-overview/

Never had any probs with it...

HTH

Steve

robinh
Level 1

I'm using an Expect script from a linux host that leverages SSH and SCP. Feel free to look at it here:

http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html

I usually kick off the expect script to add some other fancy features, but I'll post that later.

--paklids.

Hey Robin,

You are writing

"TFTP is convenient but NOT secure."

and at the same time you are keeping plain text login and enable passwords for a firewall in file

"firewall_list".

Do you have a clue how to do that backup via TFTP direct? I understand it's not secure but I don't provide a password.

Thank you.

George

Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published depending on your comfort level in Expect)

The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack of the device that is likely to succeed.

Keeping credentials in a file is not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most. There are ways to really secure that using tools (in both Expect and Shell scripts) to convert the credentials to a hash that is decrypted only when the script is run, I just haven't tied that in with my script yet.
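An added example (not part of the original thread or of the linked script): one way for the backup host discussed above to handle what it fetches, refusing a group- or world-readable `firewall_list` and writing each config with mode 0600 only when it has really changed. The function names, the volatile-line patterns and the sample config are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: these ASA output lines change on every save even when the
# configuration itself did not, so they are excluded from change detection.
VOLATILE = re.compile(r"^(: Saved|: Written by .*|Cryptochecksum:.*)\s*$")


def config_digest(config_text: str) -> str:
    """SHA-256 over the config with volatile lines removed."""
    stable = [l.rstrip() for l in config_text.splitlines() if not VOLATILE.match(l)]
    return hashlib.sha256("\n".join(stable).encode()).hexdigest()


def require_private(path) -> None:
    """Refuse a credential or backup file that group/others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 600 or stricter")


def store_backup(backup_dir, host: str, config_text: str) -> bool:
    """Write <host>.cfg (mode 0600) only if the config really changed."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    target = backup_dir / f"{host}.cfg"
    if target.exists():
        require_private(target)
        if config_digest(target.read_text()) == config_digest(config_text):
            return False
    # mkstemp creates the file with mode 0600; os.replace makes the swap atomic.
    fd, tmp = tempfile.mkstemp(dir=backup_dir, prefix=f".{host}.")
    with os.fdopen(fd, "w") as fh:
        fh.write(config_text)
    os.replace(tmp, target)
    return True


# Constructed sample, not output from a real device.
SAMPLE = """: Saved
: Written by enable_15 at 02:00:01.123 UTC Mon Jan 2 2012
hostname fw01
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
Cryptochecksum:00000000000000000000000000000000
: end
"""
```

Calling `require_private("firewall_list")` before reading the credentials makes the script fail closed if the file's permissions have drifted.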

Robin,

I'm trying to find out how to do it via TFTP just to avoid keeping the password anywhere but in the device.

Any suggestions?

Thank you.

George

Have you already looked at the Cisco doc that describes the process?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008072142a.shtml

If you need to automate it, there are suggestions in the Cisco doc for that. Otherwise you'll need to learn how to script it (in a language like Bash or Expect). Google can help if you decide to roll your own solution.

Hey Robin,

I don't have a problem to write pretty much any script.

The dark side for me is the ASA configuration and how exactly to make it accessible from a certain machine outside.

The document you point me to is saying everything about how to backup from inside ASA.

I guess ASA is not like the other IOS devices (this is the reason it doesn't run IOS) and there is no file which could be copied directly without first putting it in the flash as your script is doing.

I think this is the answer and that's the reason it cannot be done with TFTP without first moving it to the flash.

thouser
Level 1

I am aware this is a very old post, but there are a few current options for automated ASA backup:

1. Ansible will allow automated backups if you use the Cisco supported (free) ASA module.  Ansible also supports NX-OS and IOS with Cisco supported (free) modules.

Ansible example ASA config backup playbook:

    - name: Run ASA Config backup
      asa_config:
        backup: yes
        backup_options:
          dir_path: "/home//backup/"
          filename: "{{ inventory_hostname }}-ASAbackup.cfg"

2. Use an expect script per the links above

3. Use a Python script per this link: