Automating PIX configuration

Feb 3rd, 2004

Hello,


I am hoping that someone here has had some experience with automating the configuration of the Cisco PIX 506/506e series. I work for an event planning company and we travel all around the world setting up networks onsite that will run for about a week and then break down and move to another location. Most of the time someone in tech travels to the show and configures the PIX for that venue. In the past we would give out a VPN hardware concentrator if there were no tech people going to the show. Most of the time we could set it to DHCP on the external interface and we would be fine. After using those devices for about a year and having to listen to all the complaints about them rebooting by themselves, we have decided to start deploying the PIX devices onsite to all events.


The problem that I have is giving out configuration instructions to people that have no technical skills. Is anyone aware of a way to automate the configuration either through a .bat file or some other way I have not thought of yet? All it would need to do is take input for the IP address, subnet, and gateway and then program that into the PIX and then issue the following commands:


- ca zeroize rsa

- ca generate rsa key 1024

- ca save all

- clear crypto isakmp sa

- clear crypto ipsec sa



Thank you for any help or suggestions!!


-Reinier

sjevans Thu, 02/05/2004 - 10:16

This might be blasphemy, but here's one way to do it. Since the PIX is at the remote site, send a laptop with it preconfigured to console into the PIX. Install an HTTP tunneling type remote control client on the laptop, such as GoToMyPC, so that you can remotely control the laptop and configure the PIX. As long as the laptop can get to the Web, you're good to go.


If remote control gives you heartburn, you could use a scripting language of a telnet client like Reflections to query for the needed info from the person at the site and automatically console into the PIX and paste in a config.
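
One way to script the query-and-paste approach discussed above, as an added example that is not part of the original thread: it validates the three values before rendering them into the commands from the question, so a typo or stray pasted text never reaches the firewall console. The `ip address outside` and `route outside` lines assume PIX 6.x syntax and an external interface named `outside`; the function name is illustrative.

```python
import ipaddress

# Commands exactly as listed in the question, run after addressing is set.
POST_COMMANDS = [
    "ca zeroize rsa",
    "ca generate rsa key 1024",
    "ca save all",
    "clear crypto isakmp sa",
    "clear crypto ipsec sa",
]

def build_pix_script(ip, netmask, gateway):
    """Validate operator input and return the PIX command lines to send."""
    try:
        # Parsing rejects malformed octets, non-contiguous masks and any extra
        # text (embedded newlines, trailing commands) typed into a field.
        iface = ipaddress.IPv4Interface(f"{ip.strip()}/{netmask.strip()}")
        gw = ipaddress.IPv4Address(gateway.strip())
    except ValueError as exc:
        raise ValueError(f"invalid address input: {exc}") from None
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("subnet too small to hold both the PIX and a gateway")
    reserved = (net.network_address, net.broadcast_address)
    if iface.ip in reserved:
        raise ValueError("IP address is the network or broadcast address")
    if gw not in net or gw in reserved or gw == iface.ip:
        raise ValueError("gateway must be a different host in the same subnet")
    return [
        # Assumption: the external interface uses the name "outside".
        f"ip address outside {iface.ip} {iface.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {gw} 1",
        *POST_COMMANDS,
    ]

if __name__ == "__main__":
    # Prompt the on-site person until the three values pass validation.
    while True:
        try:
            script = build_pix_script(input("IP address: "),
                                      input("Subnet mask: "),
                                      input("Gateway: "))
            break
        except ValueError as err:
            print(f"Rejected: {err}. Please re-enter all three values.")
    print("\n".join(script))
```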


shannong Thu, 02/05/2004 - 10:53

Configure the PIX as an EzVPN client and use DHCP on its outside interface. It will pull an IP and automatically create the tunnel to your main site like the 3002 was doing.


Then if you really want to change the RSA key, a technical person at the main site can connect to it and provide the necessary changes.


Why do you remove and generate a new RSA key?
