02-03-2004 10:22 AM - edited 02-20-2020 11:13 PM
Hello,
I am hoping that someone here has had some experience with automating the configuration of the Cisco PIX 506/506e series. I work for an event planning company and we travel all around the world setting up networks onsite that will run for about a week and then break down and move to another location. Most of the time someone in tech travels to the show and configures the PIX for that venue. In the past we would give out a VPN hardware concentrator if there were no tech people going to the show. Most of the time we could set it to DHCP on the external interface and we would be fine. After using those devices for about a year and having to listen to all the complaints about them rebooting by themselves, we have decided to start deploying the PIX devices onsite to all events.
The problem that I have is giving out configuration instructions to people that have no technical skills. Is anyone aware of a way to automate the configuration either through a .bat file or some other way I have not thought of yet? All it would need to do is take input for the IP address, subnet, and gateway and then program that into the PIX and then issue the following commands:
- ca zeroize rsa
- ca generate rsa key 1024
- ca save all
- clear crypto isakmp sa
- clear crypto ipsec sa
Thank you for any help or suggestions!!
-Reinier
02-05-2004 06:20 AM
I don't believe the PIX offers any scripting engine support, though it would be trivial to write a DOS batch file or Perl script to take some input and produce a text configuration file that could then be pasted into the device.
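The approach suggested in this reply, as an added example (not part of the original post and not Cisco tooling): a Python script that takes the three values, validates them, and produces paste-ready text ending with the commands from the question. The interface name `outside`, the PIX 6.x `ip address` and `route` syntax, and pasting in configuration mode are assumptions.

```python
import ipaddress
import sys

OUTSIDE_IF = "outside"  # assumption: name of the PIX external interface

# Commands exactly as listed in the original question.
POST_COMMANDS = [
    "ca zeroize rsa",
    "ca generate rsa key 1024",
    "ca save all",
    "clear crypto isakmp sa",
    "clear crypto ipsec sa",
]


def build_pix_config(ip, netmask, gateway):
    """Return the text to paste into the PIX; raise ValueError on bad input."""
    # The ipaddress parsers accept only literal addresses and masks, so typos
    # or extra lines typed at the prompt never reach the generated config.
    try:
        host = ipaddress.IPv4Address(ip.strip())
        gw = ipaddress.IPv4Address(gateway.strip())
        net = ipaddress.IPv4Network(f"{host}/{netmask.strip()}", strict=False)
    except ValueError as exc:
        raise ValueError(f"invalid address or mask: {exc}") from None
    if net.prefixlen > 30:
        raise ValueError("mask leaves no room for the PIX and a gateway")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not on network {net}")
    reserved = (net.network_address, net.broadcast_address)
    if host in reserved or gw in reserved:
        raise ValueError("network or broadcast address used as a host")
    if gw == host:
        raise ValueError("gateway and PIX address are identical")
    lines = [
        # Assumption: PIX 6.x syntax, pasted in configuration mode.
        f"ip address {OUTSIDE_IF} {host} {net.netmask}",
        f"route {OUTSIDE_IF} 0.0.0.0 0.0.0.0 {gw} 1",
    ]
    return "\n".join(lines + POST_COMMANDS) + "\n"


if __name__ == "__main__":
    try:
        print(build_pix_config(input("IP address: "), input("Subnet mask: "),
                               input("Gateway: ")), end="")
    except ValueError as err:
        sys.exit(f"Not generated: {err}")
```

Rejecting a gateway that is off-subnet or a mistyped mask before anything is pasted matters here because the person onsite cannot diagnose a PIX that has lost its route back to the main site.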
02-05-2004 10:16 AM
This might be blasphemy, but here's one way to do it. Since the PIX is at the remote site, send a laptop with it preconfigured to console into the PIX. Install an HTTP tunneling-type remote control client on the laptop, such as GoToMyPC, so that you can remotely control the laptop and configure the PIX. As long as the laptop can get to the Web, you're good to go.
If remote control gives you heartburn, you could use the scripting language of a telnet client like Reflections to query for the needed info from the person at the site and automatically console into the PIX and paste in a config.
02-05-2004 10:53 AM
Configure the PIX as an EzVPN client and use DHCP on its outside interface. It will pull an IP and automatically create the tunnel to your main site like the 3002 was doing.
Then if you really want to change the RSA key, a technical person at the main site can connect to it and provide the necessary changes.
Why do you remove and generate a new RSA key?