topic Re: Backup of ASA5500's in Network Security

Backup of ASA5500's

maymann76 — Mon, 11 Mar 2019 22:38:03 GMT

Hi community,

I would like to schedule automatic backups of our ASA5500's OoO-hours:

1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s) ?

2. SCP from secure server and retreive file(s) - what is the location of the file(s) ?

Thanks in advance !

~maymann

Re: Backup of ASA5500's

Marvin Rhoads — Sat, 03 Mar 2012 18:04:48 GMT

Most people use a tool like RANCID or CiscoWorks to get configuration backups.

The running-config and startup-config are straigtforward commands to get them from enable mode.

more system:running-config

show startup-config

That first command will make sure you get plaintext preshared keys for any VPNs you have setup with PSKs. "show running-config" will mask all PSKs. All backup methods will mask the device's enable password.

A _FULL_ backup would include things like customization, certificates, Anyonnect images, xml profiles, etc. It's not easily scripted but is built into ASDM GUI (Tools, Backup Configurations). Here's a list of what happens "under the covers" when you do that:

Backup CLI: more system:running-config

Finish backup Running Configuration; next backup is Startup Configuration

Backup CLI: show startup-config

Finish backup Startup Configuration; next backup is Translation table

Backup CLI: export webvpn translation-table webvpn language ru stdout

Backup CLI: export webvpn translation-table customization language ru stdout

Backup CLI: export webvpn translation-table PortForwarder language ru stdout

Backup CLI: export webvpn translation-table webvpn language ja stdout

Backup CLI: export webvpn translation-table plugin-vnc language ja stdout

Backup CLI: export webvpn translation-table plugin-ssh,telnet language ja stdout

Backup CLI: export webvpn translation-table customization language ja stdout

Backup CLI: export webvpn translation-table csd language ja stdout

Backup CLI: export webvpn translation-table PortForwarder language ja stdout

Backup CLI: export webvpn translation-table webvpn language fr stdout

Backup CLI: export webvpn translation-table plugin-vnc language fr stdout

Backup CLI: export webvpn translation-table plugin-ssh,telnet language fr stdout

Backup CLI: export webvpn translation-table customization language fr stdout

Backup CLI: export webvpn translation-table csd language fr stdout

Backup CLI: export webvpn translation-table PortForwarder language fr stdout

Backup CLI: export webvpn translation-table AnyConnect language en-us stdout

Finish backup Translation table; next backup is Customization

Backup CLI: export webvpn customization xxxxxxx stdout

Backup CLI: export webvpn customization Vendor stdout

Backup CLI: export webvpn customization DfltCustomization stdout

Backup CLI: export webvpn customization Template stdout

Finish backup Customization; next backup is Plug-in

Backup CLI: export webvpn plug-in protocol vnc stdout

Backup CLI: export webvpn plug-in protocol ssh,telnet stdout

Backup CLI: export webvpn plug-in protocol rdp stdout

Backup CLI: export webvpn plug-in protocol ica stdout

Finish backup Plug-in; next backup is Bookmarks

Backup CLI: export webvpn url-list xxxxxxx stdout

Backup CLI: export webvpn url-list Administrative_Access stdout

Backup CLI: export webvpn url-list Limited stdout

Backup CLI: export webvpn url-list Vendor stdout

Backup CLI: export webvpn url-list Template stdout

Finish backup Bookmarks; next backup is Dynamic Access Policy

Finish backup Dynamic Access Policy; next backup is Identity Certificates

Trustpoint entry 'ASDM_TrustPoint0' cert '-- None --'

Backup CLI: crypto ca export ASDM_TrustPoint0 pkcs12 cisco

Finish backup Identity Certificates; next backup is Pre-fill Scripts for Connection Profile

Finish backup Pre-fill Scripts for Connection Profile; next backup is Application Profile Custom Framework

Finish backup Application Profile Custom Framework; next backup is Proxy Auto-Config

Finish backup Proxy Auto-Config; next backup is Secure Desktop Configuration

VersionHandler.setCSDVersion csd_3.6.1001-k9

Finish backup Secure Desktop Configuration; next backup is AnyConnect(SVC) Client Image and Profiles

Finish backup AnyConnect(SVC) Client Image and Profiles; next backup is Cisco Secure Desktop Image

Finish backup Cisco Secure Desktop Image; next backup is Web Content

Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx_banner.gif stdout

Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx_logo.gif stdout

Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx.GIF stdout

Finish backup Web Content; next backup is VPN Pre-shared Keys

An scp of the files would normally be able to pull the images, certificates etc. from the root directory of disk0: (the internal comapct flash card). That is their default location but one could use the external slot (disk1:) as well if desired.

startup-config is stored in a hidden directory - disk0:/.private/startup-config

running-config is in DRAM and not directly "scp-able" AFAIK. If you're following best common practices, running-config should not be out of sync with startup-config.

Re: Backup of ASA5500's

maymann76 — Sun, 04 Mar 2012 18:54:31 GMT

Hi,

Marvin: thanks for your quick reply and very detailed description - much appreciated... !

I already have Rancid installed for our switches, but would have expected that Cisco already have a build-in solution for basic functions like secure automatic scheduled backups and easy secure restores...

Is there really no one-liner CLI command that makes sure you get everything (like in the webinterface)... or do I really have to backup everything individually following your nice but extensive guide above (and constantly live with the possibility of having forgotten something)...!?!?!

Thanks in advance !

~maymann

Re: Backup of ASA5500's

Marvin Rhoads — Sun, 04 Mar 2012 19:36:06 GMT

Well, I listed all of the items above just to be exhaustively complete. Depending on your environment, a simple "more system:running-config" may suffice 98% of the time and the 2% of the time it doesn't it may be simpler to just recover the lost bits manually.

Much of what's really necessary depends on how you are using your ASA and how many people actually have the ability to log in and change things.

For instance, a 3-person IT shop with a small number of ASAs used only as basic firewalls and site-site plus IPSec VPN can get by fine with RANCID and an operational procedure to manually back up those few things that don't get swept up in the running-config.

A big multi-national with dozens of appliances leveraging many features (certificate, portal customization, etc.) may need the "complete" backup more regularly.

Re: Backup of ASA5500's

maymann76 — Wed, 07 Mar 2012 07:44:55 GMT

Hi,

Marvin: Thanks for your reply. I had time to play with this a bit yesterday.

Is it possible to SCP files instead of listing info to stdout. This would create a much better backup for a quick restore (as I then don't have to manually sort out each information peace) and would also enable me to diff running-config startup-config (to daily check if someone forgot to save their changes)...

Would anyone know the location of _ALL_ the ASA_local_files needed for a _FULL_ backup, so I can _EASILY_ make a _FULL_ restore if needed ?

Thanks in advance !

~maymann

Re: Backup of ASA5500's

svaish — Wed, 07 Mar 2012 08:41:38 GMT

There is also a very convenient option of taking backup using Smart Call

home option on ASA. Below are some configuration examples:

https://supportforums.cisco.com/docs/DOC-14958

Inside the snapshot config, you can configure whatever commands you like and

have the ASA email or HTTPS POST the output to a location of your choosing.

This includes doing things like 'export webvpn url-list stdout', etc.

Let me know if this option helps and suits your requirement.

Regards,

Sachin

Re: Backup of ASA5500's

maymann76 — Wed, 07 Mar 2012 09:56:16 GMT

Hi,

Svaish: thanks for your reply.

we don't have a internal mailserver, so emailing my firewall configs are a definite no-go.

Regarding HTTPS POST:

1. This sounds interesting - security wise, but:

2. I have to setup/configure a webserver for this purpose - I would rather not

3. I still have to CP the files from webserver location to my backup location afterwards - I would rather not

3. How do I restore from this output - Is this a trivial task, or do I have to feed the ASA information manually ?

In the perfect world:

1. login: use 4096-bit RSA SSH-pubkey to passwordlessly login using Rancid

2. backup: issue the command "backup scp @:" (equal to ASDM backup)

3. restore: issue the command "restore scp @:" (equal to ASDM restore)

Current situation:

I would much rather just use SCP (with SSH-pubkeys) and transfer _ALL_ the needed ASA_local_files directly to my backup location, so that I can restore these files as-is without manually handpicking information and applying it.

Is this possible, and if so: where are the needed files located on the ASA ?

Thanks in advance !

~maymann

Re: Backup of ASA5500's

svaish — Wed, 07 Mar 2012 10:28:46 GMT

Hi Maymann,

As far as I believe using SCS can be a tedious task in the long run as it can not be automated alteast without using any script as far as i know.

However Smart call home is a fully automated process once initialized.

Secondaly you can run a http server on your backup location using any free software.

Cisco also provides the capability of using Pearl script for fully automated process of backing up the configuration files

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700

All the files that you need resided on the flash

Regards,

Sachin

Re: Backup of ASA5500's

maymann76 — Wed, 07 Mar 2012 13:13:08 GMT

Hi Sachin,

yes SCP will be tedious, but only because there is no CLI command creating a _FULL_ backup like it does from ASDM.

SmartCallHome sounds easy, but not very flexible:

e.g. I create a new directory in my backup-dir and gathers all configs from my network equipment in here every day - I'm guessing it is not possile to configure the variable to change to the right dir when setting up SmartCallHome...?

I have HP ProCurves (Switches) and BlueCoat (Proxies) and these are really VERY easy to backup/restore using CLI - but my Cisco equipment (ASA's+WLC's) are really not... no CLI support for backup/restore without setting up all kind of services (webserver/mailserver/ftp-server/tftp-server) - and only the HTTPS Smart Call Home is actually secure and not-clear-text !

I'm just stating here, when it comes to backup/restore - being the nr1 network company - this should be something that just worked anyway the customer want it - starting with secure easy protocols like SCP and CLI commands that take care of all the tedious work of gathering the right information for a _FULL_ backup and restore...

Can you provide the location on the flash where all needed files are located for a _FULL_ backup ?

Thanks in advance !

~maymann

Re: Backup of ASA5500's

maymann76 — Thu, 08 Mar 2012 09:42:46 GMT

Hi again,

Trying to configure client-pub-keys in ASA, but found several forums where they state: this is not possible - like at all !!!

Then I have to put my VERY_DELICATE_ADMIN_PASSWORD (I gues I need that to retreive all the delicate information/files from ASA?) in a Rancid conf-file... ?!?!?

Then when I have this insecure solution configured, I need to figure out how to get the information out securely and in a way so it is easily restorable... this just keep getting better and better...!

Sorry to say: but I'm not impressed - not one bit... !

I'm running ASA8.3(2) - is this authorized_keys perhaps implemented in a newer release ?

It seems the best solution for me is to install a SmartCallHome HTTPS server - but:

1. Is this easily restoreable ?

2. Can this be used for my WLC's also, or do I need another server for that aswell ?

If anyone has a _EASY_ solution that works _SECURELY_ and that is _EASILY_RESTORABLE_: please let me know !

Thanks in advance !

~maymann

Re: Backup of ASA5500's

svaish — Thu, 08 Mar 2012 10:14:09 GMT

Did you check

Cisco also provides the capability of using Pearl script for fully automated process of backing up the configuration files

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700

Regards,

Sachin

Re: Backup of ASA5500's

maymann76 — Thu, 08 Mar 2012 11:13:55 GMT

Hi,

Svaish: thanks for your reply, but the perl script is just using insecure, cleartext TFTP aswell. Besides it will have processes running on my backup host with password/enable_password showing in clear-text for everyone logged-in to see... !

The commands doesn't say where the files are located on the ASA, so in that sense I can't use it.

Do you know of a HTTPS howto somewhere ?

But thanks for this anywhay... !

Br.

~maymann

Re: Backup of ASA5500's

svaish — Thu, 08 Mar 2012 11:20:39 GMT

Smart call home configuration

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_smart_call_home.html

You can backup all the files that are in the flash of the ASA

Regards,

Sachin