topic When you backup the in Network Security

ASA backup and restore

miras — Tue, 12 Mar 2019 04:57:11 GMT

What is the process to backup the configurations from a bad ASA to a new one (same model)?

I am asking specifically for certificates and keys for VPNs.

If you use ASDM, the "Tools >

Marvin Rhoads — Fri, 17 Oct 2014 18:49:43 GMT

If you use ASDM, the "Tools > Backup configurations" menu choice allows you to backup not only the configuration file but identity certificates, plain text keys, etc. You can also select only those bits if that's all you want.

Note also that if you pull your configuration from the cli using "more system:running-config" you will get plaintext snmp community strings (v1 and v2 but not v3 credentials) and pre-shared keys.

What about the RSA keys? are

miras — Fri, 17 Oct 2014 19:03:24 GMT

What about the RSA keys? are those backed up and restored as well?

Another question, kinda off the topic is that, what if there is an IPS module installed in it?

When you backup the

Marvin Rhoads — Fri, 17 Oct 2014 19:55:40 GMT

When you backup the certificates using the ASDM tool, it creates a PKCS12 file. That file format includes both the certificate and associated private key. Assuming that's your default RSA key (which it usually is but doesn't need to be) you will have it there.

If you didn't use your RSA key to sign your self-signed certificates (or your CSR in the event of 3rd party certificates) then you won't have a backup copy of it. But if it's not tied to any certificates, it's no real loss to recreate it fresh on a new unit in the event of hardware replacement.

By backing up the startup

miras — Fri, 17 Oct 2014 20:59:03 GMT

By backing up the startup config of the existing ASA and restoring it to the new one, does that also backup and restore the RSA keys or do i have to recreate them again?

And if i have to recreate them, how do i know what modulus has been used?

As I noted earlier, only when

Marvin Rhoads — Fri, 17 Oct 2014 21:03:06 GMT

As I noted earlier, only when you backup certificates will it restore the RSA keys. The running-config does not include the RSA key.

If the current key has not been used to sign any certificates, you can recreate it as you need on any new hardware or even create it anew on the current hardware - for instance if the previous admin neglected to use a 2048-bit key as may be required for a current audit or just just to keep up with best practices.

The thing is that, how do i

miras — Fri, 17 Oct 2014 21:12:11 GMT

The thing is that, how do i recreate the exact copy of RSA? Because when we generate RSA, it has some inputs, like domain name, modulus size, etc.

How do i check modulus size so i can recreate the exact copy of RSA so i can use to sign my certificates that i already backed up.

Backup the certificates using

Marvin Rhoads — Fri, 17 Oct 2014 21:14:46 GMT

Backup the certificates using the ASDM backup tool. That will combine the certificate itself along with the signing RSA private key. When you restore a certificate using the backed up PKCS file, it will restore both items.