cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3564
Views
0
Helpful
3
Replies

CSM 4.1 - ASA Configuration Backup Files via TFTP

mleiby
Level 1
Level 1

      I'm fairly new to CSM so this may be a newbee question.  In the "old days" we would write mem to save the running config to startup, then write net to save the running config to a defined file on an TFTP server.  But now that we use CSM, there is no write net function that happens during the process of  deploying a change to the config.  The actual config is saved in CSM somewhere since we are actually making changes to it before deploying a change, right?  But it's not in a format where I could replace a failed ASA by "copy tftp startup-config?" 

     I read where you can "Preview Configuration" and then Copy/Paste the "ASA(Full)" configuration, but there is a major flaw in that plan.  The displayed output hides all of the passwords. I.E. enable, passwd, tacacs+ or radius keys, local username password.  Beside's, Copy/Paste has never been the best option to initially configure, or to replace a failed unit.  All you are doing is hoping the running config isn't interfering with what you are pasting. (The Factory Config for DHCP comes to mind).

     Is there a function where I can export the entire configuration to a file that is the complete startup configuration?  Or, is there a function I could enable to have the ASA's periodically "Write Net?"

1 Accepted Solution

Accepted Solutions

Todd Pula
Level 7
Level 7

You could configure a FlexConfig for one or more ASAs in order to execute the copy command before and/or after a config push.  I just tested this on my CSM 4.2 server and it worked.  You will want to use the /noconfirm option so that the end device doesn't present interactive prompts to CSM.

View solution in original post

3 Replies 3

Todd Pula
Level 7
Level 7

You could configure a FlexConfig for one or more ASAs in order to execute the copy command before and/or after a config push.  I just tested this on my CSM 4.2 server and it worked.  You will want to use the /noconfirm option so that the end device doesn't present interactive prompts to CSM.

Todd,

     Thanks for the post.  I did try a "write net" like this previously, but I thought it was a once and done thing.  I just tested this again and it sure does run this evertime a change is deployed.   Excellent!  BTW, the "write net" Flex Config  works best for me since I already have my TFTP Server information confgured on each firewall.

     So, does this mean that all Flex Configs are applied again and again each time a change is deployed?

In the current versions, the Flex Config is prepended/appended during each deployment.  In the upcoming 4.3 release, you will have the option to deploy each time or only when a FlexConfig is new or modified.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: