03-03-2012 01:12 AM - edited 03-11-2019 03:38 PM
Hi community,
I would like to schedule automatic backups of our ASA5500's OoO-hours:
1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s) ?
2. SCP from secure server and retrieve file(s) - what is the location of the file(s) ?
Thanks in advance !
~maymann
03-03-2012 10:04 AM
Most people use a tool like RANCID or CiscoWorks to get configuration backups.
The running-config and startup-config are straightforward commands to get them from enable mode.
more system:running-config
show startup-config
That first command will make sure you get plaintext preshared keys for any VPNs you have setup with PSKs. "show running-config" will mask all PSKs. All backup methods will mask the device's enable password.
A _FULL_ backup would include things like customization, certificates, AnyConnect images, xml profiles, etc. It's not easily scripted but is built into ASDM GUI (Tools, Backup Configurations). Here's a list of what happens "under the covers" when you do that:
Backup CLI: more system:running-config
Finish backup Running Configuration; next backup is Startup Configuration
Backup CLI: show startup-config
Finish backup Startup Configuration; next backup is Translation table
Backup CLI: export webvpn translation-table webvpn language ru stdout
Backup CLI: export webvpn translation-table customization language ru stdout
Backup CLI: export webvpn translation-table PortForwarder language ru stdout
Backup CLI: export webvpn translation-table webvpn language ja stdout
Backup CLI: export webvpn translation-table plugin-vnc language ja stdout
Backup CLI: export webvpn translation-table plugin-ssh,telnet language ja stdout
Backup CLI: export webvpn translation-table customization language ja stdout
Backup CLI: export webvpn translation-table csd language ja stdout
Backup CLI: export webvpn translation-table PortForwarder language ja stdout
Backup CLI: export webvpn translation-table webvpn language fr stdout
Backup CLI: export webvpn translation-table plugin-vnc language fr stdout
Backup CLI: export webvpn translation-table plugin-ssh,telnet language fr stdout
Backup CLI: export webvpn translation-table customization language fr stdout
Backup CLI: export webvpn translation-table csd language fr stdout
Backup CLI: export webvpn translation-table PortForwarder language fr stdout
Backup CLI: export webvpn translation-table AnyConnect language en-us stdout
Finish backup Translation table; next backup is Customization
Backup CLI: export webvpn customization xxxxxxx stdout
Backup CLI: export webvpn customization Vendor stdout
Backup CLI: export webvpn customization DfltCustomization stdout
Backup CLI: export webvpn customization Template stdout
Finish backup Customization; next backup is Plug-in
Backup CLI: export webvpn plug-in protocol vnc stdout
Backup CLI: export webvpn plug-in protocol ssh,telnet stdout
Backup CLI: export webvpn plug-in protocol rdp stdout
Backup CLI: export webvpn plug-in protocol ica stdout
Finish backup Plug-in; next backup is Bookmarks
Backup CLI: export webvpn url-list xxxxxxx stdout
Backup CLI: export webvpn url-list Administrative_Access stdout
Backup CLI: export webvpn url-list Limited stdout
Backup CLI: export webvpn url-list Vendor stdout
Backup CLI: export webvpn url-list Template stdout
Finish backup Bookmarks; next backup is Dynamic Access Policy
Finish backup Dynamic Access Policy; next backup is Identity Certificates
Trustpoint entry 'ASDM_TrustPoint0' cert '-- None --'
Backup CLI: crypto ca export ASDM_TrustPoint0 pkcs12 cisco
Finish backup Identity Certificates; next backup is Pre-fill Scripts for Connection Profile
Finish backup Pre-fill Scripts for Connection Profile; next backup is Application Profile Custom Framework
Finish backup Application Profile Custom Framework; next backup is Proxy Auto-Config
Finish backup Proxy Auto-Config; next backup is Secure Desktop Configuration
VersionHandler.setCSDVersion csd_3.6.1001-k9
Finish backup Secure Desktop Configuration; next backup is AnyConnect(SVC) Client Image and Profiles
Finish backup AnyConnect(SVC) Client Image and Profiles; next backup is Cisco Secure Desktop Image
Finish backup Cisco Secure Desktop Image; next backup is Web Content
Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx_banner.gif stdout
Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx_logo.gif stdout
Backup CLI: export webvpn webcontent /+CSCOU+/xxxxxxx.GIF stdout
Finish backup Web Content; next backup is VPN Pre-shared Keys
An scp of the files would normally be able to pull the images, certificates etc. from the root directory of disk0: (the internal compact flash card). That is their default location but one could use the external slot (disk1:) as well if desired.
startup-config is stored in a hidden directory - disk0:/.private/startup-config
running-config is in DRAM and not directly "scp-able" AFAIK. If you're following best common practices, running-config should not be out of sync with startup-config.
03-04-2012 10:54 AM
Hi,
Marvin: thanks for your quick reply and very detailed description - much appreciated... !
I already have Rancid installed for our switches, but would have expected that Cisco already have a build-in solution for basic functions like secure automatic scheduled backups and easy secure restores...
Is there really no one-liner CLI command that makes sure you get everything (like in the webinterface)... or do I really have to backup everything individually following your nice but extensive guide above (and constantly live with the possibility of having forgotten something)...!?!?!
Thanks in advance !
~maymann
03-04-2012 11:36 AM
Well, I listed all of the items above just to be exhaustively complete. Depending on your environment, a simple "more system:running-config" may suffice 98% of the time and the 2% of the time it doesn't it may be simpler to just recover the lost bits manually.
Much of what's really necessary depends on how you are using your ASA and how many people actually have the ability to log in and change things.
For instance, a 3-person IT shop with a small number of ASAs used only as basic firewalls and site-site plus IPSec VPN can get by fine with RANCID and an operational procedure to manually back up those few things that don't get swept up in the running-config.
A big multi-national with dozens of appliances leveraging many features (certificate, portal customization, etc.) may need the "complete" backup more regularly.
03-06-2012 11:44 PM
Hi,
Marvin: Thanks for your reply. I had time to play with this a bit yesterday.
Is it possible to SCP files instead of listing info to stdout. This would create a much better backup for a quick restore (as I then don't have to manually sort out each information peace) and would also enable me to diff running-config startup-config (to daily check if someone forgot to save their changes)...
Would anyone know the location of _ALL_ the ASA_local_files needed for a _FULL_ backup, so I can _EASILY_ make a _FULL_ restore if needed ?
Thanks in advance !
~maymann
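The daily "did someone forget to save" check asked about above can be done on the backup host over the two captures Marvin listed, "more system:running-config" and "show startup-config". The following is an added example, not code from the thread or from Cisco: it assumes the two captures are already on disk (here they are constructed samples embedded inline), strips the lines that always differ (": Saved", ": Written by", Cryptochecksum), and blanks secrets so that a PSK printed in clear on one side and as "*****" on the other is not reported as an unsaved change.

```python
import difflib
import re

# Lines that differ between captures without meaning a config change:
# ":"-prefixed comments (": Saved", ": Written by ..."), "!" separators,
# the checksum trailer and blank lines.
VOLATILE = re.compile(r"^(:|!|Cryptochecksum:|\s*$)")
# Secret-bearing lines: "more system:running-config" shows the PSK in clear
# while other views print "*****", so the secret token is blanked before comparing.
SECRET = re.compile(r"^(\s*(?:crypto isakmp key|pre-shared-key|enable password|passwd)\s+)\S+")

# Constructed sample captures (not real device output) for a stand-alone run.
RUNNING_CFG = """: Saved
ASA Version 8.3(2)
!
hostname asa-edge
enable password 8Ry2YjIyt7RRXU24 encrypted
crypto isakmp key S3cretPSK address 198.51.100.10
access-list outside_in extended permit tcp any host 203.0.113.5 eq https
access-list outside_in extended permit tcp any host 203.0.113.5 eq ssh
Cryptochecksum:11111111111111111111111111111111
: end
"""
STARTUP_CFG = """: Saved
: Written by admin at 02:10:44.123 UTC Tue Mar 6 2012
ASA Version 8.3(2)
!
hostname asa-edge
enable password 8Ry2YjIyt7RRXU24 encrypted
crypto isakmp key ***** address 198.51.100.10
access-list outside_in extended permit tcp any host 203.0.113.5 eq https
Cryptochecksum:22222222222222222222222222222222
: end
"""


def normalize(cfg: str) -> list:
    """Keep only the config lines that matter for an unsaved-change check."""
    lines = [l.rstrip() for l in cfg.splitlines()]
    return [SECRET.sub(r"\1<secret>", l) for l in lines if not VOLATILE.match(l)]


def unsaved_changes(running: str, startup: str) -> list:
    """Added/removed lines (startup -> running); empty means nothing is unsaved."""
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for change in unsaved_changes(RUNNING_CFG, STARTUP_CFG):
        print(change)  # prints the ACL line that was never written to startup-config
```

Feed it the real captures from the RANCID run (or whatever job does the SSH session) and alert when the list is non-empty; a changed PSK is deliberately invisible to this check because of the secret blanking.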
03-07-2012 12:41 AM
There is also a very convenient option of taking backup using Smart Call
home option on ASA. Below are some configuration examples:
https://supportforums.cisco.com/docs/DOC-14958
Inside the snapshot config, you can configure whatever commands you like and
have the ASA email or HTTPS POST the output to a location of your choosing.
This includes doing things like 'export webvpn url-list
Let me know if this option helps and suits your requirement.
Regards,
Sachin
03-07-2012 01:56 AM
Hi,
Svaish: thanks for your reply.
we don't have an internal mailserver, so emailing my firewall configs is a definite no-go.
Regarding HTTPS POST:
1. This sounds interesting - security wise, but:
2. I have to setup/configure a webserver for this purpose - I would rather not
3. I still have to CP the files from webserver location to my backup location afterwards - I would rather not
4. How do I restore from this output - Is this a trivial task, or do I have to feed the ASA information manually ?
In the perfect world:
1. login: use 4096-bit RSA SSH-pubkey to passwordlessly login using Rancid
2. backup: issue the command "backup scp
3. restore: issue the command "restore scp
Current situation:
I would much rather just use SCP (with SSH-pubkeys) and transfer _ALL_ the needed ASA_local_files directly to my backup location, so that I can restore these files as-is without manually handpicking information and applying it.
Is this possible, and if so: where are the needed files located on the ASA ?
Thanks in advance !
~maymann
03-07-2012 02:28 AM
Hi Maymann,
As far as I believe using SCP can be a tedious task in the long run as it cannot be automated, at least without using any script as far as I know.
However Smart call home is a fully automated process once initialized.
Secondly you can run a http server on your backup location using any free software.
Cisco also provides the capability of using a Perl script for a fully automated process of backing up the configuration files
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700
All the files that you need reside on the flash
Regards,
Sachin
03-07-2012 05:13 AM
Hi Sachin,
yes SCP will be tedious, but only because there is no CLI command creating a _FULL_ backup like it does from ASDM.
SmartCallHome sounds easy, but not very flexible:
e.g. I create a new directory in my backup-dir and gather all configs from my network equipment in here every day - I'm guessing it is not possible to configure the variable to change to the right dir when setting up SmartCallHome...?
I have HP ProCurves (Switches) and BlueCoat (Proxies) and these are really VERY easy to backup/restore using CLI - but my Cisco equipment (ASA's+WLC's) are really not... no CLI support for backup/restore without setting up all kind of services (webserver/mailserver/ftp-server/tftp-server) - and only the HTTPS Smart Call Home is actually secure and not-clear-text !
I'm just stating here, when it comes to backup/restore - being the nr1 network company - this should be something that just worked anyway the customer want it - starting with secure easy protocols like SCP and CLI commands that take care of all the tedious work of gathering the right information for a _FULL_ backup and restore...
Can you provide the location on the flash where all needed files are located for a _FULL_ backup ?
Thanks in advance !
~maymann
03-08-2012 01:42 AM
Hi again,
Trying to configure client-pub-keys in ASA, but found several forums where they state: this is not possible - like at all !!!
Then I have to put my VERY_DELICATE_ADMIN_PASSWORD (I guess I need that to retrieve all the delicate information/files from ASA?) in a Rancid conf-file... ?!?!?
Then when I have this insecure solution configured, I need to figure out how to get the information out securely and in a way so it is easily restorable... this just keep getting better and better...!
Sorry to say: but I'm not impressed - not one bit... !
I'm running ASA8.3(2) - is this authorized_keys perhaps implemented in a newer release ?
It seems the best solution for me is to install a SmartCallHome HTTPS server - but:
1. Is this easily restorable ?
2. Can this be used for my WLC's also, or do I need another server for that as well ?
If anyone has a _EASY_ solution that works _SECURELY_ and that is _EASILY_RESTORABLE_: please let me know !
Thanks in advance !
~maymann
03-08-2012 02:14 AM
Hi
Did you check
Cisco also provides the capability of using a Perl script for a fully automated process of backing up the configuration files
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700
Regards,
Sachin
03-08-2012 03:13 AM
Hi,
Svaish: thanks for your reply, but the perl script is just using insecure, cleartext TFTP as well. Besides it will have processes running on my backup host with password/enable_password showing in clear-text for everyone logged-in to see... !
The commands doesn't say where the files are located on the ASA, so in that sense I can't use it.
Do you know of a HTTPS howto somewhere ?
But thanks for this anyway... !
Br.
~maymann
03-08-2012 03:20 AM
Hi
Smart call home configuration
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_smart_call_home.html
You can backup all the files that are in the flash of the ASA
Regards,
Sachin