Automating PIX configuration

reinier.nissen
Level 1

Hello,

I am hoping that someone here has had some experience with automating the configuration of the Cisco PIX 506/506e series. I work for an event planning company and we travel all around the world setting up networks onsite that will run for about a week and then break down and move to another location. Most of the time someone in tech travels to the show and configures the PIX for that venue. In the past we would give out a VPN hardware concentrator if there were no tech people going to the show. Most of the time we could set it to DHCP on the external interface and we would be fine. After using those devices for about a year and having to listen to all the complaints about them rebooting by themselves, we have decided to start deploying the PIX devices onsite to all events.

The problem that I have is giving out configuration instructions to people that have no technical skills. Is anyone aware of a way to automate the configuration either through a .bat file or some other way I have not thought of yet? All it would need to do is take input for the IP address, subnet, and gateway and then program that into the PIX and then issue the following commands:

- ca zeroize rsa

- ca generate rsa key 1024

- ca save all

- clear crypto isakmp sa

- clear crypto ipsec sa

Thank you for any help or suggestions!!

-Reinier

3 Replies

seanm
Level 1

I don't believe the PIX offers any scripting engine support, though it would be trivial to write a DOS batch file or Perl script to take some input and produce a text configuration file that could then be pasted into the device.
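The kind of generator this reply describes, written in Python rather than batch or Perl, as an added example that is not part of the original thread. It assumes static addressing on an interface named `outside` (the PIX default) with a default route; `build_pix_config` is a hypothetical name and the sample addresses are constructed.

```python
import ipaddress

# Commands quoted from the original question; issued after addressing is set.
POST_COMMANDS = [
    "ca zeroize rsa",
    "ca generate rsa key 1024",
    "ca save all",
    "clear crypto isakmp sa",
    "clear crypto ipsec sa",
]


def build_pix_config(ip, mask, gateway):
    """Validate venue addressing and return config text to paste at the console.

    Parsing with ipaddress rejects anything that is not a dotted-quad value,
    so stray text or extra lines typed by the operator never reach the PIX.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{ip.strip()}/{mask.strip()}")
        gw = ipaddress.IPv4Address(gateway.strip())
    except ValueError as exc:
        raise ValueError(f"invalid address or mask: {exc}") from None
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError(f"mask {net.netmask} leaves no room for a gateway")
    special = (net.network_address, net.broadcast_address)
    if iface.ip in special or gw in special:
        raise ValueError("address or gateway is the network/broadcast address")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway and PIX address are the same")
    lines = [
        # Assumption: interface is named "outside" (PIX default nameif).
        f"ip address outside {iface.ip} {net.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {gw} 1",
    ]
    return "\n".join(lines + POST_COMMANDS) + "\n"


if __name__ == "__main__":
    # Constructed sample input (documentation address range).
    print(build_pix_config("192.0.2.10", "255.255.255.0", "192.0.2.1"))
```

Rejecting a gateway outside the subnet before anything is pasted catches the most likely on-site typo while the person at the venue can still re-enter the values.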

sjevans
Level 1

This might be blasphemy, but here's one way to do it. Since the PIX is at the remote site, send a laptop with it preconfigured to console into the PIX. Install an HTTP tunneling type remote control client on the laptop, such as GoToMyPC, so that you can remotely control the laptop and configure the PIX. As long as the laptop can get to the Web, you're good to go.

If remote control gives you heartburn, you could use a scripting language of a telnet client like Reflections to query for the needed info from the person at the site and automatically console into the PIX and paste in a config.

shannong
Level 4

Configure the PIX as an EzVPN client and use DHCP on its outside interface. It will pull an IP and automatically create the tunnel to your main site like the 3002 was doing.

Then if you really want to change the RSA key, a technical person at the main site can connect to it and provide the necessary changes.

Why do you remove and generate a new RSA key?
