Automated ASA Config Backup

Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?
Thanks
Frank

Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published depending on your comfort level in Expect)
The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack of the device that is likely to succeed.
Keeping credentials in a file is not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most. There are ways to really secure that using tools (in both Expect and Shell scripts) to convert the credentials to a hash that is decrypted only when the script is run, I just haven't tied that in with my script yet.
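Whatever transport the backup script uses, the capture should be checked before it overwrites the last good copy: the "only backs up half of the config" failure described in the Kiwi thread further down is exactly a truncated transfer, and a silent no-change run is worth distinguishing from a real change. The following is an added example (not from the thread or any of the tools it names) that gates an ASA capture on the trailer every complete running-config ends with, a 32-hex Cryptochecksum line followed by ": end", and reports drift against the previous backup; the sample configs and the checksum value are constructed.

```python
import hashlib
import re
from difflib import unified_diff
from typing import List, Optional, Tuple

# Constructed sample: a complete ASA capture, cut down to a few lines.
# A full "show running-config" / "write net" capture always ends with the
# Cryptochecksum line and ": end"; the checksum value here is made up.
COMPLETE_CFG = """: Saved
:
ASA Version 8.2(1)
!
hostname cisco
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.10.10.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

# Constructed sample of the half-config failure mode: the transfer stopped
# partway through, so the trailer never arrived.
TRUNCATED_CFG = COMPLETE_CFG.split("route backup")[0]

_CHECKSUM_RE = re.compile(r"^Cryptochecksum:[0-9a-f]{32}$")


def is_complete(cfg: str) -> bool:
    """True only if the capture ends with the Cryptochecksum/': end' trailer."""
    lines = [l.rstrip("\r") for l in cfg.strip().splitlines()]
    if len(lines) < 2:
        return False
    return bool(_CHECKSUM_RE.match(lines[-2])) and lines[-1].strip() == ": end"


def _body(cfg: str) -> List[str]:
    # Drop ':'-prefixed comment lines (": Saved", ": end", "Written by ...")
    # and the checksum, so only real configuration statements are compared.
    return [l for l in cfg.splitlines()
            if l and not l.startswith(":") and not l.startswith("Cryptochecksum:")]


def content_digest(cfg: str) -> str:
    """SHA-256 over the configuration statements only; used for change detection."""
    return hashlib.sha256("\n".join(_body(cfg)).encode()).hexdigest()


def config_diff(old: str, new: str) -> List[str]:
    """Unified diff between two captures, comment and checksum lines excluded."""
    return list(unified_diff(_body(old), _body(new), "previous", "current", lineterm=""))


def accept_backup(previous: Optional[str], candidate: str) -> Tuple[bool, str]:
    """Decide whether a fresh capture may replace the stored one.

    Returns (store_it, reason). A truncated capture is never stored, so a
    broken transfer cannot clobber the last known-good backup.
    """
    if not is_complete(candidate):
        return False, "capture is truncated; keeping the previous backup"
    if previous is not None and content_digest(previous) == content_digest(candidate):
        return False, "no change since previous backup"
    return True, "config changed; storing new backup"
```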

Similar Messages

  • Backup tool for ASA config?

    Hi,
    We are using Solarwinds Kiwi backup tool to backup our ASA configs, however it has hit a bug which they are looking into as it only backs up half of the config.  While they search for a fix does anyone know of another free tool I can use to schedule backups of our ASA?
    Thanks

    Hi Bro
    You could look into some freeware tools out there in the market such as Cisco SNMP Tool v2.5 and WinAgents HyperConf. Good luck.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • ISE Config Backup Failure - Data filesystem full above threshold

    Hi,
    Both the config and operational backups were working until earlier last month. Now the config backup is failing with the following error. No configuration or repository settings were changed.
    ISE 1.2.0.899 Patch 8 - Clustered with persona Node 1 = PAN, SMN, PSN .... Node 2 = SAN, PMN, PSN
    CLI history says the same:
    The local repository (disk:/) is looking good. The "/" filesystem is taking 77% space.
    Although it may not be relevant, Data Purging is set to 30 days in the GUI and Operations -> Reports -> Data Purging Audit indicates it's running daily with success, i.e. threshold_space = 80GB, used_space = 3GB.
    Is there a way to clean the "/" filesystem? It is filling up by roughly 1% every 5 days. Note: the same on Node 2 is only 24% full.
    Any ideas on how to get the config backup issue resolved?
    P.S. If images don't appear inline, please see the attachment
    Thanks,
    Rick.

    922963 wrote:
    Hi JK,
    Thanks for response. Yes, I am worried that it may not be enough. How about if I increase memory to 32GB, i.e. I have two servers, both with 32GB? Will it be sufficient in case one physical server fails, for 8GB of data?
    What is the point in having the 3rd physical box if two boxes have enough memory/capacity? You know, we need to pay licence according to the number of CPUs.
    thanks,
    Henry

    Hi Henry,
    actually the recommended minimum number of physical boxes is 4 so that the witness protocol participants can all be on separate machines.
    But a minimum of 3 is highly recommended for a number of reasons related to partitioning:
    1. If you have only 2, then you are much more vulnerable to split brain scenarios (should for some reason the two servers not be able to communicate with each other, it is harder to decide which half should be the winner). In short how do you decide which box is unable to communicate with the rest of the cluster if there are only 2 boxes?
    2. You can't ensure a balanced and also machine safe partition distribution if you have a mismatching number of nodes on only 2 boxes. It would either be balanced or machine safe, but you can't get both at the same time. And you will either have mismatching number of nodes at startup or have mismatching number of nodes after one node failure.
    Best regards,
    Robert

  • LMS 4.2 and Shadow Dir/Config Backups

    Hi all,
    Back with more LMS questions. We have 4.2 running (two separate instances - we have more than one network) and I have a config collection job set up. Upon initial discovery, configs were pulled from all devices into the Shadow directory as expected. However, since initial discovery, the Shadow directory has not been updated despite the fact that it is set up to pull config backups daily from all devices.
    Under the Archival Summary, it does show that all devices were successful or partially successful (the partials are where VLAN collection failed...I'm unsure why it is even trying given I disabled VLAN collection).  So it appears to be working, yet the configurations have not changed in the Shadow directory.
    Any ideas why this may be happening?  Does it only update the Shadow dir if the device config actually changed since last scheduled job?  None of the configs HAVE changed since I discovered them. 
    We use SNMPv3 and SSH as access methods for LMS.
    Thanks in advance for any thoughts!
    Jen

    You answered it... The shadow directory only contains the current config and only changes when updated.
    Thanks.

  • Migrate Standby ASA to Backup Data Center

    Hello Experts,
    We have a backup data center where I am now planning to provide backup internet service (in the case where the internet is down or there is a power outage at the main server room).
    I have a pair of Cisco ASA 5540s, one of which I need to move to the backup data center (BDC). Presently I have an ADSL router at the disaster server room with a static public IP from the ISP.
    Currently, I am publishing all my internal resources through the ASA. Now my question: if I move the standby ASA to the disaster server room, how can I publish the same internal resources through the standby ASA and make the standby active during the downtime of the main server room?
    Please can anyone suggest how to achieve this setup. Is this scenario possible?
    Thanking in advance.
    Samir

    Hello,
    I knew it.
    I'll just tell you from the beginning, hope it might help you to understand. I appreciate your help.
    Presently at my main data center I'm having a leased line router and then 2 ASA 5540 (with failover active/standby).
    I was thinking to move 1 ASA to the backup disaster server room. In this regard, I asked earlier how I can still achieve the active/standby after migrating to the backup room. But you had answered my query.
    Query 2
    I have got new ADSL service and router with public static IP at the backup server room. Now I moved one of my ASAs.
    How can I keep publishing the internal resources (like access to internal webserver, rdp connection) by using this ADSL service if the main server room is completely down?
    Hope it is clear.
    Thanks

  • SSM40 and ASA Config

    Hello,
    I put an SSM40 into production in our ASA last week in promiscuous mode initially to determine what the device is seeing inbound through the ASA.  So far, it isn't reporting anything which I suspect isn't correct.  This is what I have for a config on the ASA and it appears that packets are making it to the module.  Is this correct?
    ASA Config to divert traffic to the IPS
    access-list IPS permit ip any any
    class-map PPI-IPS-CLASS
    match access-list IPS
    policy-map PPI-IPS-POLICY
    class PPI-IPS-CLASS
    ips promiscuous fail-open
    service-policy PPI-IPS-POLICY interface inside
    service-policy PPI-IPS-POLICY interface outside
    sho service-policy
    Global policy:
      Service-policy: global_policy
    Interface Inside:
      Service-policy: PPI-IPS-POLICY
        Class-map: PPI-IPS-CLASS
          IPS: card status Up, mode promiscuous fail-open
            packet input 0, packet output 18253556, drop 0, reset-drop 0
    Interface Outside:
      Service-policy: PPI-IPS-POLICY
        Class-map: PPI-IPS-CLASS
          IPS: card status Up, mode promiscuous fail-open
            packet input 0, packet output 2202573, drop 0, reset-drop 0
    The only event the IPS is reporting is the following:
    time: Apr 22, 2013 12:45:01 UTC  offset=-300  timeZone=CDT 
      errorMessage: No installable auto update package found on server  name=errSystemError time: Apr 22, 2013 12:45:01 UTC  offset=-300  timeZone=CDT 
      errorMessage: No installable auto update package found on server  name=errSystemError
    So, what have I configured incorrectly, or is this just normal for promiscuous mode?

    It looks correct.
    You can try enabling the ICMP Echo Request signature and watch it fire on pings to test your setup.
    You'll need to add ICMP to your IPS access-list.
    - Bob
    http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html#wp1046877

  • IDS/IPS config Backup through IDM

    Hi,
    Can we take a config backup through IDM? I regularly upgrade the OS & signatures and need to take a backup of our config. But in IDM I could not find any option. As I solely want to use IDM for all purposes.
    Currently I need to ssh in, take a backup and then upgrade through IDM.

    Thanks for your reply! I should then request Cisco developers to give such a useful facility, as then we can solely use IDM for all purposes. It's painful to log in through ssh, take a backup and then upgrade using IDM. Or use only ssh to do everything, then what is IDM for?
    Reg.
    YT

  • Advanced mode and automated client config..

    Hi,
    Is it possible to configure automated client config when server is in advanced mode?
    I have looked through the OD manual etc., but can only find info about automated client config for workgroup and standard install.
    Am I just looking the wrong places?
    Regards,
    Kenneth

    Hi
    You are looking in the right places. No, it's not possible, leastways not in the sense I think you mean? You can achieve a deep level of client config using Advanced, but only in the sense of controlling aspects of what clients can or can't do as well as access to Server Resources, amongst other things.
    You may have got a 'flavour' of what is achievable if you've been reading the Open Directory Admin Manual? You might also want to have a look at this:
    http://images.apple.com/server/macosx/docs/UserManagementv10.5.mnl.pdf
    Tony

  • ASA 5505 Backup Config to TFTP Server

    Is there a way to backup the configuration file to a tftp server? I've tried "copy start tftp" and "copy run tftp". No luck, I get an error message. Thanks in advance.

    What kind of error message did you get?
    ciscoasa# write net ?
      WORD  IP address of tftp server and file name :. Place IPv6 address within square brackets.

  • ASA 5505 - Backup and restore to another device of same model and version

    How can I backup the configuration of the ASA 5505 on 8.x and restore it to another ASA 5505 with same version? I have tried to save the running config to a file and then copy it to the new device and use the boot config: filename but it doesn't work. Or is there any other way to try? Thanks.

    Thanks Andrew, I had tried it but I was having issues with the fact that I kept both ver 7 and ver 8 of the OS images on the flash. So it booted from the first found (ver 7), which created confusion for me as the config file was for ver 8.
    I noticed that it keeps the 192.168.1.1 IP even though in the config file it has another IP assigned. Are there other things that I need to check that do not change, apart from the IP address?
    Thanks.

  • LMS 4.2.5 Syslog/Automated Action/Config mgmt issue

    LMS 4.2.5 on Windows
    We use the server as its own Syslog server. The Syslog collector status is fine. I see syslogs coming into the server. However, I just made some changes on a router so ran a syslog report on it, but nothing was returned. I tested the Collector Subscription and everything was fine.
    We also have Automated Actions configured on certain syslog messages (duplex mismatch for example). There is an AA configured to send my team e-mails when this event occurs. There was a device that had two days worth of syslog messages complaining about this issue. Yet, we only received about 10 e-mails from the LMS system on it.
    Another issue is with Configuration Mgmt. I fixed the duplex mismatch listed above and went to check the config tree to see if or when something changed. The last config archive was pretty old and I know changes were made on the device since then. This tells me that the LMS server didn't get notified of the config change or it would have gone out and checked it.
    The one thing in common on all of the above is Syslog messages. LMS will take actions based on receiving these messages and those actions don't seem to be firing.
    Any ideas would be greatly appreciated.
    Thanks,
    Mike S.

    To confirm if the device is sending the syslogs and they are being received by the LMS server properly, check $NMSROOT/log/syslog.log and see if it has the syslog from the device.
    Unless the syslog is there in syslog.log, we don't expect LMS to react with any AA.
    For configuration backup, try to sync the device config by initiating a manual job to update the latest configuration from the device. Even if there is no Automated Action working, you should still have a recurring/scheduled job configured to archive configuration backups periodically.
    Following is a document I created for Syslog troubleshooting :
    Ciscoworks LMS : Syslog in a Nutshell!
    -Thanks
    Vinod
    **Encourage Contributors. RATE Them.**

  • Best way to reload an asa config?

    Hello,
    I've been thinking of 2 scenarios that could happen and I would like to be ready. If a config error was made on our ASA (we have 2 in active/standby mode) what is the best way to recover, assuming we have a tftp backup or local flash copy? I know there is a config replace option on routers/switches that will compare the running config and the tftp/local copy and then replace the changes to get you back online without a reload.
    Also if we had to replace one of the ASAs as it was faulty, I guess I would tftp the config, but what about the license keys?
    Any thoughts/experience would be most welcome.
    Thanks

    If the mistake is not small enough that you can simply undo the commands with "no ___" then copy the backup file to running-config and write mem to further copy it into the startup-config. Local flash copy will always be faster than tftp but either is of course erasable as well. I'd start with a local copy if available and then fall back to a remote copy where it's not.
    The license keys (technically activation keys on an ASA) need to be generated for you by the TAC in the event of an RMA. Of course if the non-failed unit has the necessary licenses (in 8.3+) you don't also need to add them on the replacement unit as a HA pair shares most licenses (with a few exceptions like Security Plus which is a prerequisite to even enable failover on a 5505 or 5510 or 5512-X).

  • ASA 5505 backup interface

    Hello,
    I have set up an ASA 5505 with 2 ISPs, named outside (primary) and backup. The scenario is: if outside goes down, then backup will take over, and it works now.
    But it is not working when the primary connection cannot reach the gateway while the interface is still up.
    Is it possible, when the primary connection cannot reach the gateway, for backup to automatically take over?
    Thanks before.
    My configuration is:
    ASA Version 8.2(1)
    hostname cisco
    domain-name default_domain
    enable password ********* encrypted
    passwd ********* encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.10.10.10 255.255.255.0
    interface Vlan3
    no forward interface Vlan2
    nameif backup
    security-level 0
    ip address 172.20.10.10 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 1
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default domain
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    global (backup) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group inside_out in interface inside
    access-group outside_in in interface outside
    access-group backup_in in interface backup
    route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
    route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 1048575
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:24af050f332deab3e38eb578f8081d05
    : end

    Hi Amrin,
    you can configure SLA monitoring on the ASA and that would work fine for you:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
    Hope that helps.
    Thanks,
    Varun
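The SLA-monitoring approach Varun points to, written out as an added example against the interface names and gateway addresses in Amrin's pasted config (this is not from the original thread; the SLA id 10 and track id 1 are arbitrary choices):

```text
! Probe the primary ISP gateway from the outside interface every 10 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 172.10.10.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is up only while the probe is getting replies
track 1 rtr 10 reachability
!
! The primary default route is withdrawn when track 1 goes down,
! so the floating route via the backup ISP (metric 254) takes over;
! when the probe succeeds again the primary route is reinstalled
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1 track 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
```

Probing the ISP's own gateway address only detects the local link or gateway failing; probing an address beyond the ISP catches upstream outages as well, at the cost of a failover whenever that one address is unreachable.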

  • ASA 5505 Backup

    Hello, I have two ASA 5505s.
    On one I have erased disk0 and I can't access it over ASDM...
    I have copied the 2 .bin files asa-k8.bin and asdm-k8.bin from the working ASA to the erased one, still no ASDM...
    My questions are:
    Are the licenses gone?
    What should I do to fix it?
    I have a backup.zip from the working one. Can I import it into the erased one with the CLI?
    Thanks

    Hello,
    Can you share with the community how you did it?
    So that someone having the same issue can fix it with this.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • Old Toad's automator workflow to backup Library6.iPhoto database

    Dear Old Toad,
    I just today downloaded your workflow to backup the iPhoto database file, and am having problems making it work.
    When I run it, either from the dock or the script menu, it launches Automator but then closes without doing anything. I don't get a confirmation screen, and no copy of the database is created.
    So I opened it in Automator to see if editing it would help, even though my library is already named iPhoto Library and stored in user/pictures. When I dragged it onto the Automator window, there was only 1 action (Get Specified Finder Items) instead of the 4 that show up in the ReadMe. When I dragged it onto the Automator app to open it, I got nothing.
    I downloaded it via Firefox 3.0.1 and got a 1.1MB zip, and I tried downloading it twice in case it had corrupted in the download, but no change with the second try. Downloaded from here:
    http://web.mac.com/toad.hall/ToadsCellar/ToadsCellar.html
    Running OS 10.4.11, iPhoto 7.1.5, on a G4.
    Something else I can try?
    Thanks,
    Daiya

    Yes. Run the application like you would use the Save command in other applications, often. Running it again will overwrite the current backup copy with a new backup that will include all changes you've made to your library, new pictures, deletions, slideshows, books, etc.
    I suggested keeping it in the dock so you can quickly run it after any changes you've made to the library. Being in the Dock makes it more convenient than having to go into the Application folder and launching it from there.
    TIP: For insurance against the iPhoto database corruption that many users have experienced I recommend making a backup copy of the Library6.iPhoto (iPhoto.Library for iPhoto 5 and earlier) database file and keep it current. If problems crop up where iPhoto suddenly can't see any photos or thinks there are no photos in the library, replacing the working Library6.iPhoto file with the backup will often get the library back. By keeping it current I mean backup after each import and/or any serious editing or work on books, slideshows, calendars, cards, etc. That insures that if a problem pops up and you do need to replace the database file, you'll retain all those efforts. It doesn't take long to make the backup and it's good insurance.
    I've created an Automator workflow application (requires Tiger or later), iPhoto dB File Backup, that will copy the selected Library6.iPhoto file from your iPhoto Library folder to the Pictures folder, replacing any previous version of it. It's compatible with iPhoto 6 and 7 libraries and Tiger and Leopard. iPhoto does not have to be closed to run the application, just idle. You can download it at Toad's Cellar. Be sure to read the Read Me pdf file.
    Note: There is now an Automator backup application for iPhoto 5 that will work with Tiger or Leopard.
