
Cisco ASA 5505 backup and restore config including Access and NAT rules

Raul Numu
Level 1

I'm trying to back up the config from an ASA 5505 that is currently connected to the network and restore it on a backup ASA 5505 which is not connected to the network yet.

Is there a way to back up the entire configuration, including Access and NAT rules, policies, etc., and restore it on the backup ASA 5505? Or do I have to just manually update the rules?


It depends on your configuration ...

The easiest way is to back up the full ASA from Tools -> Backup in ASDM and restore it on the other ASA.

I tried that. But unfortunately, the Access rules and NAT rules don't show up.

It really should work that way. How do you restore, and are there failure or success messages after the restore?

Success messages:
-----------------
Running-configuration available
Translation-table configuration available
Customization configuration available

Failure messages:
-----------------
No plug-in entries / configurations available
No url-list entries / configurations available
No webcontent entries / configurations available
No DAP entries / configurations available
No CSD image entries / configurations available
No SVC entries / configurations available
No APCF entries / configurations available
No certificates available
No Proxy PAC entries / configurations available
No CSD config entries / configurations available

Sorry, these are the messages I get when I back up.


Hello,

On a side note, 'copy run tftp' would back the config up to a TFTP server. Is that an option?

Or 'write net', although that is an older command as far as I remember...

Would it be possible for you to provide more information regarding the copy run tftp process? I downloaded a SolarWinds TFTP server, but I need some directions after that.

Hello,

Basically, you specify the IP address of the TFTP server, e.g.:

ciscoasa#copy run tftp:
Source filename [running-config]?
Address or name of remote host []?

I am not sure if 'write net' still works, but the syntax is the same. Check this document for an example:

http://www.petenetlive.com/KB/Article/0000076

Is the IP address of the TFTP server the same as the IP of the PC that I'm using to connect to the router via console?

Hello,

The TFTP server needs to be a device that you can reach by its IP address. I don't think you can ping the PC from the ASA through the console port, so connect it to one of the Ethernet ports.

Thanks. I was able to back up the configuration using TFTP as a config.cfg file.
How do I restore this file onto the new ASA 5505?

You pretty much do the reverse, e.g.:

ciscoasa#copy tftp start 

Address or name of remote host []? 192.168.1.1
Source filename []? config.cfg

Tried that. Everything went successfully, but the access and NAT rules are still missing on the new ASA 5505 :(

Hello,

Weird indeed. There are also ways to do this via HTTP/HTTPS/SCP:

https://supportforums.cisco.com/document/97966/asa-how-download-images-using-tftp-ftp-http-https-and-scp
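
An added example, not from any poster in this thread: a small Python check that lists the access-list, access-group and NAT statements present in the saved config.cfg but absent from a text copy of the restored unit's configuration, so a restore that silently dropped firewall rules is caught before the backup ASA goes into service. The function names and both sample configurations are constructed for illustration.

```python
import re
from collections import Counter

# Rule-bearing ASA statements. "static" and "global" cover pre-8.3 NAT syntax.
RULE_PATTERNS = {
    "access-list": re.compile(r"^access-list\s+\S+"),
    "access-group": re.compile(r"^access-group\s+\S+"),
    "nat": re.compile(r"^nat\s+\("),
    "static": re.compile(r"^static\s+\("),
    "global": re.compile(r"^global\s+\("),
}

def rule_lines(config_text):
    """Return {category: [normalized rule lines]} for one config file."""
    found = {name: [] for name in RULE_PATTERNS}
    for raw in config_text.splitlines():
        # Collapse whitespace; this also un-indents object NAT lines that
        # sit under "object network".
        line = " ".join(raw.split())
        for name, pattern in RULE_PATTERNS.items():
            if pattern.match(line):
                found[name].append(line)
                break
    return found

def missing_rules(backup_text, restored_text):
    """Rule lines present in the backup but absent from the restored config."""
    backup, restored = rule_lines(backup_text), rule_lines(restored_text)
    missing = []
    for name in RULE_PATTERNS:
        # Counter subtraction keeps duplicates, e.g. the same object NAT
        # line repeated under several objects.
        missing.extend((Counter(backup[name]) - Counter(restored[name])).elements())
    return missing

# Constructed sample data: the config.cfg saved from the live unit, and the
# configuration read back from the backup unit after the restore.
BACKUP = """hostname ciscoasa
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
"""
RESTORED = "hostname ciscoasa\nobject network obj_any\n subnet 0.0.0.0 0.0.0.0\n"

if __name__ == "__main__":
    for line in missing_rules(BACKUP, RESTORED):
        print("MISSING:", line)
```

An empty result means every rule statement in the backup file also appears in the restored configuration; any output is a rule the backup unit would not enforce.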
