https://community.cisco.com/t5/network-security/asa-and-the-boot-config-command-from-cli/m-p/2914313#M153918 <P>Hello Guys</P> <P>I wanted to use this forum to collect experience from others about using the boot config command i.e. setting a boot variable to load from a different config file.</P> <P>Here is what I've found out:</P> <P>Usually the startup-config is NOT visible on the ASA. Once you set the boot variable (either through CLI or ASDM) the startup-config becomes "just visible" in flash.</P> <P>I recently had a situation - needed to change IP-Adresses and routing on the outside interface of an ASA without having access to the console - just SSH and or ASDM. Here is what I've found out - what I did.</P> <OL> <LI>Copied some text-file to the flash</LI> <LI>Saved the running-config</LI> <LI>Changed the boot-variable to the name of "some text-file"</LI> <LI>Saved the running-config</LI> </OL> <P>Now - the "some text-file" in flash would be overwritten with the actual running-config of the ASA - ok.</P> <P>Try this at home, in the lab, with an ASA you have access to via console-cable! Lets do the following:</P> <OL> <LI>Download the now filled with running-config&nbsp;"some text-file" to your local PC</LI> <LI>Make the changes you wanted in that text-file</LI> <LI>Upload the changed "some text-file" back to ASA i.e. overwrite the existing one in flash</LI> <LI>Reload the Device</LI> <LI>Watch carefully the CLI!</LI> </OL> <P>What your going to see - well - forget what you see through the boot process. The more interesting part is: will my changes come into play i.e. will I see them now in the running-config?!&nbsp;<STRONG>No I won't!</STRONG>&nbsp;Why? There's this little innocent line at the end of your startup-config "..crypto checksum.." - which I believe is the "culprit".</P> <P>What could you do instead? Well - create a text-file with&nbsp;<STRONG>exactly</STRONG>&nbsp;the commands you need, to change, what you want to be changed. In my case change interface configuration of the outside and routing (no route.. and route ....)</P> <OL> <LI>Upload this file to flash</LI> <LI>Connect via CLI</LI> <LI>Copy the text-file to running-config (copy &lt;name of file&gt; running-config)</LI> <LI>Hope that you hadn't made a mistake <span class="lia-unicode-emoji" title=":winking_face:">😉</span></LI> </OL> <P>I thought that the running-config would be overwritten - hm - it's merging, to be true. The ASA would only alter the parts of running-configuration that I had mentioned in the file I had uploaded to flash and copied to running-config. Save your config <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P></P> <P></P> <P>Has anybody an idea how you would be able to use the boot config boot-variable to actually force the ASA at next reload to come up with a lets say totally different configuration?! Lets say we change the working mode of the ASA from routed to transparent! Hint: crypto checksum of the config-file?!</P> <P></P> <P>Looking forward to your answers.</P> <P>Cheers</P> Tue, 12 Mar 2019 07:44:41 GMT FlorianCokl 2019-03-12T07:44:41Z https://community.cisco.com/t5/network-security/asa-and-the-boot-config-command-from-cli/m-p/2914313#M153918 <P>Hello Guys</P> <P>I wanted to use this forum to collect experience from others about using the boot config command i.e. setting a boot variable to load from a different config file.</P> <P>Here is what I've found out:</P> <P>Usually the startup-config is NOT visible on the ASA. Once you set the boot variable (either through CLI or ASDM) the startup-config becomes "just visible" in flash.</P> <P>I recently had a situation - needed to change IP-Adresses and routing on the outside interface of an ASA without having access to the console - just SSH and or ASDM. Here is what I've found out - what I did.</P> <OL> <LI>Copied some text-file to the flash</LI> <LI>Saved the running-config</LI> <LI>Changed the boot-variable to the name of "some text-file"</LI> <LI>Saved the running-config</LI> </OL> <P>Now - the "some text-file" in flash would be overwritten with the actual running-config of the ASA - ok.</P> <P>Try this at home, in the lab, with an ASA you have access to via console-cable! Lets do the following:</P> <OL> <LI>Download the now filled with running-config&nbsp;"some text-file" to your local PC</LI> <LI>Make the changes you wanted in that text-file</LI> <LI>Upload the changed "some text-file" back to ASA i.e. overwrite the existing one in flash</LI> <LI>Reload the Device</LI> <LI>Watch carefully the CLI!</LI> </OL> <P>What your going to see - well - forget what you see through the boot process. The more interesting part is: will my changes come into play i.e. will I see them now in the running-config?!&nbsp;<STRONG>No I won't!</STRONG>&nbsp;Why? There's this little innocent line at the end of your startup-config "..crypto checksum.." - which I believe is the "culprit".</P> <P>What could you do instead? Well - create a text-file with&nbsp;<STRONG>exactly</STRONG>&nbsp;the commands you need, to change, what you want to be changed. In my case change interface configuration of the outside and routing (no route.. and route ....)</P> <OL> <LI>Upload this file to flash</LI> <LI>Connect via CLI</LI> <LI>Copy the text-file to running-config (copy &lt;name of file&gt; running-config)</LI> <LI>Hope that you hadn't made a mistake <span class="lia-unicode-emoji" title=":winking_face:">😉</span></LI> </OL> <P>I thought that the running-config would be overwritten - hm - it's merging, to be true. The ASA would only alter the parts of running-configuration that I had mentioned in the file I had uploaded to flash and copied to running-config. Save your config <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P></P> <P></P> <P>Has anybody an idea how you would be able to use the boot config boot-variable to actually force the ASA at next reload to come up with a lets say totally different configuration?! Lets say we change the working mode of the ASA from routed to transparent! Hint: crypto checksum of the config-file?!</P> <P></P> <P>Looking forward to your answers.</P> <P>Cheers</P> Tue, 12 Mar 2019 07:44:41 GMT https://community.cisco.com/t5/network-security/asa-and-the-boot-config-command-from-cli/m-p/2914313#M153918 FlorianCokl 2019-03-12T07:44:41Z