06-01-2009 10:26 AM - edited 03-11-2019 08:38 AM
Does anyone know of a way to automatically backup an ASA config using SNMP or some other method?
Thanks
Frank
06-01-2009 09:31 PM
You could look into the RANCID network administrator software.
06-02-2009 04:30 AM
01-25-2012 12:43 PM
I'm using an Expect script from a linux host that leverages SSH and SCP. Feel free to look at it here:
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
I usually kick off the expect scipt to add some other fancy features, but I'll post that later.
--paklids.
05-30-2012 02:58 PM
Hey Robin,
You are writing
"TFTP is convenient but NOT secure."
and at the same time you are keeping plain text login and enable passwords for a firewall in file
"firewall_list".
Do you have a clue how to do that backup via TFTP direct? I understand it's not secure but I don't provide a password.
Thank you.
George
05-30-2012 03:35 PM
Yeah, you can back it up via TFTP without an authentication challenge - that's not a problem. You can even build an ACL to limit the IP addresses that can perform a TFTP GET against the ASA (to pull the config). There are a number of scripts and tools that make backups of ASAs & PIXs using TFTP (or you could just modify the script I published depending on your comfort level in Expect)
The problem I had in my situation is that I couldn't trust the path to the device, and in the case of TFTP it can be vulnerable to a MITM. As you probably already know, once someone gets your device config in its entirety they can plan an attack of the device that is likely to succeed.
Keeping credentials in a file are not desirable, but out of all the systems used to perform the backup, the host running the script was the one I trusted the most. There are ways to really secure that using tools (in both Expect and Shell scripts) to convert the credentials to a hash that is decrypted only when the script is run, I just haven't tied that in with my script yet.
05-30-2012 03:54 PM
Robin,
I'm trying to find out how to do it via TFTP just to avoid keeping the password anywhere but in the device.
Any suggestions?
Thank you.
George
05-30-2012 04:05 PM
Have you already looked at the Cisco doc that describes the process?
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008072142a.shtml
If you need to automate it, there are suggestions in the Cisco doc for that. Otherwise you'll need to learn how to script it (in a language like Bash or Expect). Google can help if you decide to roll your own solution.
05-30-2012 04:17 PM
Hey Robin,
I don't have a problem to write pretty much any script.
The dark side for me is the ASA configuration and how exactly to make it accessible from a certain machine outside.
The document you point me to is saying everything about how to backup from inside ASA.
I guess ASA is not like the other IOS devices (this is the reason it doesn't run IOS) and there is no file which could be copied directly without first putting it in the flash as your script is doing.
I think this is the answer and that's the reason cannot be done with TFTP without first moving it to the flash.
05-09-2023 09:26 AM
I am aware this is a very old post, but there are a few current options for automated ASA backup:
1. Ansible will allow automated backups if you use the Cisco supported (free) ASA module. Ansible also supports NX-OS and IOS with Cisco supported (free) modules.
Ansible example ASA config backup playbook:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide