Cisco Support Community
New Member

Using SCP to backup your configs safely.

I have installed SSH to use as an encrypted method of logging onto my routers. It works. I also enabled the SCP server on the CLI, router(config)#ip scp server enable. (Be careful here because scp has a slight vulnerability where a user with a restricted view can still use it. This has been fixed in the latest, 20050325 releases).

The thing is that the secure copy protocol is difficult to use. There is no information on either Cisco or other web sites on how to use it to back up configs.

I tried WinSCP and PuTTY pscp. Neither one seems to work as a server; in other words, you can't initiate SCP transfers from the router to the Windows box with these clients. All I manage to get is errors about sftp or ... when trying to initiate from the Windows box.

It may be that you need to use Cisco Works LMS to perform the copy. The SCP server service on the router is embedded and may not completely follow standards for the protocol, or ???

Any ideas?

10 REPLIES

Re: Using SCP to backup your configs safely.

How about you setup a SCP server on PC, and then use "copy" command to transfer file from router to it.

Yes, there might be certain compatibility issue between router SCP server and those third party SCP clients.

Silver

Re: Using SCP to backup your configs safely.

very easy as a,b,c:

a- ip domain-name cciesec.com

b- crypto key zeroize rsa

c- crypto key generate rsa -- choose 1024

d- username cciesec privilege 15 pass cisco

e- aaa new-model

f- aaa authentication login default local

g- aaa authorization exec default local

h- line vty 0 4

i- login authentication default

[Expert@NEO-labgw]# scp cciesec@192.168.15.201:running-config .

Password:

running-config 100% 4131 47.4KB/s 00:00

Connection to 192.168.15.201 closed by remote host.

[Expert@NEO-labgw]#

New Member

Re: Using SCP to backup your configs safely.

Easy for you.. A couple of questions. Why not use a 2048 key? Got the part about setting up the Cisco device,

a) create a domain name so that the crypto key generate will work,

b)zeroize the old rsa keys on the Cisco box.

c - i) set up the AAA for SSH and SCP.

The next part, what is going on with the following statement:

[Expert@NEO-labgw]# scp cciesec@192.168.15.201:running-config .

Password:

Are you entering the SCP service from the Cisco device and sending the running-config to the PC running some kind of SCP server?

Thanks.

Silver

Re: Using SCP to backup your configs safely.

Yes, PC is running CentOS Linux version 5.2.

Host "NEO-labgw" is a CentOS Linux box which has scp/sftp built-in by default

New Member

Re: Using SCP to backup your configs safely.

Thanks. I was hoping for a Windows solution. It is good to know that you can PULL a running config from a linux box. It looks like the Cisco SCP service on the Cisco box can look like an SCP client to CentOS Linux. thx

Silver

Re: Using SCP to backup your configs safely.

My solution also works on Windows as well, if you use pscp.exe. One thing to keep in mind is that if you use "pscp.exe" for scp, you need to use the "-pscp" option, like this:

C:\temp>pscp.exe -scp cciesec@192.168.15.201:running-config .

Using keyboard-interactive authentication.

Password:

running-config | 4 kB | 4.0 kB/s | ETA: 00:00:00 | 100%

C:\temp>

Again, easy right?

New Member

Re: Using SCP to backup your configs safely.

Still no go.

C:\PuTTY>pscp -scp -v Bruce@192.168.1.1:running-config

Where 192.168.1.1 is the cisco device.

I get the usage info when trying to do it.

C:\PuTTY>pscp -scp -v Bruce@192.168.1.1:running-config

PuTTY Secure Copy client

Release 0.60

Usage: pscp [options] [user@]host:source target

pscp [options] source [source...] [user@]host:target

pscp [options] -ls [user@]host:filespec

Options:

-V print version information and exit

-pgpfp print PGP key fingerprints and exit

-p preserve file attributes

-q quiet, don't show statistics

-r copy directories recursively

-v show verbose messages

-load sessname Load settings from saved session

-P port connect to specified port

-l user connect with specified username

-pw passw login with specified password

-1 -2 force use of particular SSH protocol version

-4 -6 force use of IPv4 or IPv6

-C enable compression

-i key private key file for authentication

-noagent disable use of Pageant

-agent enable use of Pageant

-batch disable all interactive prompts

-unsafe allow server-side wildcards (DANGEROUS)

-sftp force use of SFTP protocol

-scp force use of SCP protocol

I had debug enabled on the device but nothing showed up. My guess is that the command never ran on the Windows box.

New Member

Re: Using SCP to backup your configs safely.

This is a helpful page on the use of putty:

http://the.earth.li/~sgtatham/putty/0.60/puttydoc.txt

I am getting closer though. I got the following error from putty:

C:\PuTTY>pscp -scp Bruce@192.168.1.1:running-config c:\putty

Bruce@192.168.1.1's password:

Privilege denied.

This also was verified with some debug on the network device. I am set to AAA with 15 privilege. I guess something else is needed for the SCP part..

New Member

I know this post is 5 years old, but found it as I ran into the same issue.
For me pscp works now with an ASR1006

C:\PuTTY>pscp -scp -v Bruce@192.168.1.1:running-config .

You forgot the "dot" at the end of your command (cisco24x7 has it in his post). It is essential, as this is the target.
This helped a bit regarding pscp.
But as you pointed out

C:\PuTTY>pscp -scp Bruce@192.168.1.1:running-config c:\putty

did not work either, I assume there was an additional issue with the scp server config on your router.

Did you solve this in the end?

New Member

I know this is an old post, but this method doesn't seem to currently work. ASA version 9.2(4). It looks like the ASA is looking for "running-config" from the flash: or disk0:.  In order to get the running-config you need to call out the "system:" directory first.  This command works for me from a bash command prompt:

scp user@192.168.0.1:system://running-config .

or

scp user@192.168.0.1:system://running-config newfilename.cfg
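
The two remote path forms from this thread (`running-config` on IOS, `system://running-config` on the ASA), as an added example that is not part of any post: a POSIX shell wrapper that tries both, refuses unknown or changed host keys, and stores the backup with owner-only permissions. `remote_spec`, `backup_config`, `SCP_BIN` and `SCP_EXTRA` are hypothetical names, and an OpenSSH `scp` client is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Usage after sourcing this file:
#   backup_config USER HOST OUTDIR
# SCP_BIN and SCP_EXTRA are hypothetical knobs introduced for this example.
SCP_BIN="${SCP_BIN:-scp}"
# OpenSSH 9.0+ runs scp over SFTP by default; set SCP_EXTRA=-O to force
# the legacy SCP protocol (the same idea as pscp's -scp option).
SCP_EXTRA="${SCP_EXTRA:-}"

# remote_spec USER HOST FORM: print the scp source argument for one form.
remote_spec() {
    case "$3" in
        ios) printf '%s@%s:running-config\n' "$1" "$2" ;;          # IOS form
        asa) printf '%s@%s:system://running-config\n' "$1" "$2" ;; # ASA form
        *)   return 2 ;;
    esac
}

# backup_config USER HOST OUTDIR: print the saved file's path, or return 1.
# The body is a subshell, so umask and variables do not leak to the caller.
backup_config() (
    user=$1 host=$2 outdir=$3
    umask 077   # a config holds password hashes, SNMP communities and keys
    mkdir -p "$outdir" || return 1
    dest="$outdir/$host-$(date +%Y%m%dT%H%M%S).cfg"
    tmp="$dest.part"
    for form in ios asa; do
        src=$(remote_spec "$user" "$host" "$form") || continue
        # StrictHostKeyChecking=yes: fail rather than trust a new host key.
        # A zero-length download is treated as a failure, not as a backup.
        if "$SCP_BIN" -q $SCP_EXTRA -o StrictHostKeyChecking=yes \
               "$src" "$tmp" && [ -s "$tmp" ]; then
            mv "$tmp" "$dest" && printf '%s\n' "$dest" && return 0
        fi
        rm -f "$tmp"
    done
    return 1
)
```

With `StrictHostKeyChecking=yes` the device's host key must already be in `known_hosts`, so the first connection has to be verified out of band before the wrapper will succeed.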
