cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1445
Views
0
Helpful
7
Replies

ASA backup and restore

miras
Level 5
Level 5

What is the process to backup the configurations from a bad ASA to a new one (same model)?

I am asking specifically for certificates and keys for VPNs.

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

If you use ASDM, the "Tools > Backup configurations" menu choice allows you to backup not only the configuration file but identity certificates, plain text keys, etc. You can also select only those bits if that's all you want.

Note also that if you pull your configuration from the cli using "more system:running-config" you will get plaintext snmp community strings (v1 and v2 but not v3 credentials) and pre-shared keys.

What about the RSA keys? are those backed up and restored as well?

Another question, kinda off the topic is that, what if there is an IPS module installed in it?

When you backup the certificates using the ASDM tool, it creates a PKCS12 file. That file format includes both the certificate and associated private key. Assuming that's your default RSA key (which it usually is but doesn't need to be) you  will have it there.

If you didn't use your RSA key to sign your self-signed certificates (or your CSR in the event of 3rd party certificates) then you won't have a backup copy of it. But if it's not tied to any certificates, it's no real loss to recreate it fresh on a new unit in the event of hardware replacement.

By backing up the startup config of the existing ASA and restoring it to the new one, does that also backup and restore the RSA keys or do i have to recreate them again?

And if i have to recreate them, how do i know what modulus has been used?

As I noted earlier, only when you backup certificates will it restore the RSA keys. The running-config does not include the RSA key.

If the current key has not been used to sign any certificates, you can recreate it as you need on any new hardware or even create it anew on the current hardware - for instance if the previous admin neglected to use a 2048-bit key as may be required for a current audit or just just to keep up with best practices.

The thing is that, how do i recreate the exact copy of RSA? Because when we generate RSA, it has some inputs, like domain name, modulus size, etc.

How do i check modulus size so i can recreate the exact copy of RSA so i can use to sign my certificates that i already backed up.

Backup the certificates using the ASDM backup tool. That will combine the certificate itself along with the signing RSA private key. When you restore a certificate using the backed up PKCS file, it will restore both items.

Review Cisco Networking for a $25 gift card