New Member

Question about archived configs

We had a PIX Firewall device go down and we are trying to find out where the configs get archived. Is there any way to pull down the configs in clear text so we can pull down the encryption keys from the devices?

21 REPLIES

Re: Question about archived configs

The latest collected running config will be stored in the 'shadow' directory if this option is not disabled (Resource Manager Essentials > Admin > Config Mgmt > Archive Mgmt > Archive Settings).

For LMS 3.0 the default shadow directory is

var/adm/CSCOpx/files/rme/dcma/shadow (solaris)

NMSROOT\files\rme\dcma\shadow (windows)

where NMSROOT is the installation directory of LMS (default: C:\Program Files\CSCOpx)

For LMS 2.6 it is

/var/adm/CSCOpx/files/rme/archive/shadow

NMSROOT\files\rme\archive\shadow

New Member

Re: Question about archived configs

Thanks..... still trying to figure out why all my isakmp keys are showing *******. I'm trying to retrieve those passwords to get my PIX up and running. Any ideas?

This info is very helpful.

Cisco Employee

Re: Question about archived configs

The shadow directory, as mermel pointed out, is where you want to look. All the configs in those directories are in clear text. They are exactly as the device provides them. If there is one place where the passwords should show up in clear text, that is it. You can push shadow configs back to devices as-is (e.g. for disaster recovery).

New Member

Re: Question about archived configs

Got you, that would seem logical as I can see some passwords and not the others. Once again thanks for helping me out.

New Member

Re: Question about archived configs

So would it be logical to push that config back to the particular device affected with the *****? Would I still need to type those manually or leave it as is?

Cisco Employee

Re: Question about archived configs

Pushing the config back would likely set the isakmp key to ****** which would be useless. Sounds like you'll need to look elsewhere for that key. This is akin to the problem we face with SNMPv3 users :-(.

Cisco Employee

Re: Question about archived configs

If the shadow config shows asterisks for the isakmp key, then that is how the PIX provided it when a show run was issued. That means there will be no place in LMS where that key would be visible in clear text.

New Member

Re: Question about archived configs

Awesome.... thanks for your help. Good information to pass along to my engineers.

New Member

Re: Question about archived configs

One other thing: my engineers want to know how exactly CiscoWorks pulls the configuration off the devices.

Cisco Employee

Re: Question about archived configs

Depends on the device. For PIX, we telnet/SSH in, and run show running (running-config) and show config (startup-config).

New Member

Re: Question about archived configs

Can we change the way we pull the files on the PIX Firewalls? My engineer believes this is why we are only seeing asterisks.

Cisco Employee

Re: Question about archived configs

This method is hardcoded, and cannot be changed without recompiling parts of the PIX device package.

New Member

Re: Question about archived configs

Thanks..... You are a great source of information.

New Member

Re: Question about archived configs

One last question and I'm done.... my engineer just asked me this question and I'm not sure how to answer.

So CiscoWorks does not have the ability to log into the box via SSH and TFTP the configuration, vs. doing a show startup-configuration and pasting it into a text file on the CiscoWorks server?

Cisco Employee

Re: Question about archived configs

Ah, I think I see. When you copy the config from the PIX, the credentials come through. Unfortunately, this would require an architectural change to RME to allow for this.

Cisco Employee

Re: Question about archived configs

What command could be used to get the full config suitable for disaster recovery? As far as I know, show running will always provide a starred out isakmp key as well as things like vpdn passwords. Other passwords will be encrypted.
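
As an added example (not from this thread, and not LMS/RME code), a small audit script that checks an archived PIX config for the masked fields this post describes, so an operator can tell before an outage which shadow configs cannot be pushed back as-is. The config text, the file layout and the two regexes are constructed assumptions modelled on the 'show run' output discussed above.

```python
import re
from pathlib import Path

# Constructed sample of an archived PIX running-config, modelled on the masked
# 'show run' output described in the thread (not a real device's config).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
hostname pixfw
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
vpdn username remote1 password ********
snmp-server community public
"""

# Fields whose secret is replaced by asterisks in the collected config
# (assumed patterns): pushing these back yields a useless '********' key.
MASKED = re.compile(r"^(isakmp key|vpdn username \S+ password)\s+\*+", re.M)
# Hashed secrets survive a push back to the device unchanged.
ENCRYPTED = re.compile(r"^(enable password|passwd)\s+\S+\s+encrypted", re.M)


def audit_config(text):
    """Return the masked and the encrypted secret lines found in one config."""
    return {
        "masked": [m.group(0) for m in MASKED.finditer(text)],
        "encrypted": [m.group(0) for m in ENCRYPTED.finditer(text)],
    }


def restorable_as_is(text):
    """True only if no secret in the archived config has been starred out."""
    return not audit_config(text)["masked"]


def audit_shadow_dir(path):
    """Audit every file in a shadow directory (one archived config per file)."""
    results = {}
    for cfg in Path(path).iterdir():
        if cfg.is_file():
            results[cfg.name] = audit_config(cfg.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for line in report["masked"]:
        print("NOT RESTORABLE (secret masked):", line)
    print("restorable as-is:", restorable_as_is(SAMPLE_CONFIG))
```

Run it over the shadow directory with audit_shadow_dir() to get the same report per archived device; any device listed under "masked" needs its isakmp or vpdn secrets kept in a separate, protected store.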

New Member

Re: Question about archived configs

Okay, here is the scenario. Let me know if this can be done in CiscoWorks.

1) SSH to the PIX

2) wr net 192.168.10.10:Filename

This would TFTP the startup configuration to the CiscoWorks server. Of course CiscoWorks would need to have a TFTP server active for this to work.

Cisco Employee

Re: Question about archived configs

This is not currently possible. The trick is RME would need to be taught to pre-create the file on the TFTP server, then process the file once the download is complete. The changes would be non-trivial.

I do see a clear value for this, though. It is something you should pursue with your account team as a feature request.

New Member

Re: Question about archived configs

No problem. Can a TAC case be opened to request this feature? Can you clarify what you mean by our account team?

Cisco Employee

Re: Question about archived configs

A feature request by TAC doesn't hold much weight. A feature request made by the sales organization which can back things up with dollar figures means a whole lot more. Typically, TAC encourages customers to talk to their account team, SE, account manager, etc. to open a PERS ticket requesting a new or enhanced feature.

New Member

Re: Question about archived configs

Thanks for clarifying on what needs to be done on our end.
