Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Automated ASA Config Backup

Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?

Thanks

Frank

8 REPLIES
Silver

Re: Automated ASA Config Backup

You could look into the RANCID network administrator software.

New Member

Re: Automated ASA Config Backup

We use...

http://www.kiwisyslog.com/kiwi-cattools-overview/

Never had any probs with it...

HTH

Steve

New Member

Automated ASA Config Backup

I'm using an Expect script from a linux host that leverages SSH and SCP. Feel free to look at it here:

http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html

I usually kick off the expect scipt to add some other fancy features, but I'll post that later.

--paklids.

New Member

Automated ASA Config Backup

Hey Robin,

You are writing

"TFTP is convenient but NOT secure."

and at the same time you are keeping plain text login and enable passwords for a firewall in file

"firewall_list".

Do you have a clue how to do that backup via TFTP direct? I understand it's not secure but I don't provide a password.

Thank you.

George

New Member

Re: Automated ASA Config Backup

Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published depending on your comfort level in Expect)

The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack of the device that is likely to succeed.

Keeping credentials in a file are not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most.  There are ways to really secure that using tools (in both Expect and Shell scripts) to convert the credentials to a hash that is decrypted only when the script is run, I just haven't tied that in with my script yet.

New Member

Re: Automated ASA Config Backup

Robin,

I'm trying to find out how to do it via TFTP just to avoid keeping the password anywhere but in the device.

Any suggestions?

Thank you.

George

New Member

Re: Automated ASA Config Backup

Have you already looked at the Cisco doc that describes the process?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008072142a.shtml

If you need to automate it, there are suggestions in the Cisco doc for that. Otherwise you'll need to learn how to script it (in a language like Bash or Expect). Google can help if you decide to roll your own solution.

New Member

Re: Automated ASA Config Backup

Hey Robin,

I don't have a problem to write pretty much any script.

The dark side for me is the ASA configuration and how exactly to make it accessible from a certain machine outside.

The document you point me to is saying everything about how to backup from inside ASA.

I guess ASA is not like the other IOS devices (this is the reason it doesn't run IOS) and there is no file which could be copied directly without first putting it in the flash as your script is doing.

I think this is the answer and that's the reason cannot be done with TFTP without first moving it to the flash.

13981
Views
0
Helpful
8
Replies