Mailing List Archive: RANCID: Users

Cisco ASA Backup with Preshared Keys


Jeremy_Keys at memorial

Nov 1, 2008, 5:56 AM

Post #1 of 8 (1842 views)
Cisco ASA Backup with Preshared Keys

I use rancid to back up all of my configurations, including two Cisco ASA
5520s. The only problem I have run into is that when rancid backs up
the configs on the ASA, the actual preshared keys are displayed as an
asterisk (*) rather than the actual preshared key.



Is there a way to get rancid to backup the actual config file? I assume
it's just doing a screen scrape (sh running-config) and capturing the
output rather than copying the actual file. This is fine for most
equipment, but if I have a failure on the ASA and needed to restore the
config, I would have to re-enter all the preshared keys (not fun with
several hundred tunnels).



Any help is greatly appreciated,



Jeremy Keys

jeremy_keys at memorial.org







This message and accompanying documents are covered by
the Electronic Communications Privacy Act 18
U.S.C. "Sections 2510-2521," and contain information
intended for the specified individual(s) only. This
information is confidential. If you are not the intended
recipient or an agent responsible for delivering it to
the intended recipient, you are hereby notified that you
have received this document in error and that any review,
dissemination, copying, or the taking of any action based
on the contents of this information is strictly
prohibited. If you have received this communication in
error, please notify us immediately by e-mail, and delete
the original message.





Todd at equivoice

Nov 1, 2008, 7:40 PM

Post #2 of 8 (1824 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

There is only one way to see the pre-shared keys on an ASA:

more system:running-config

Not sure how Rancid can do that, but if someone can set it up to issue
that command, then you should be able to back up the VPN keys.





dc at dwichandra

Nov 3, 2008, 8:50 AM

Post #3 of 8 (1840 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

Hi all,

I had one incident where I had to back up the config while showing the
pre-shared key in PIX/ASA (only <20 devices with <10 pairs of tunnels).

From what I remember, I commented out several lines in
/usr/local/rancid/bin/rancid

One of the lines reads as follows (mine is at lines 1541 - 1543):

    if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
        ProcessHistory("","","","!$1 <removed> $'"); next;
    }

... and I think I also commented out several other line(s) but can't
remember which one.

Now, if you comment out those lines in the rancid script, please bear the
following point(s) in mind (CMIIW please):
- all devices using /usr/local/rancid/bin/rancid will have that
particular keyword unmasked -> instead of *** it will be the actual
value. So this will apply to all devices marked as 'cisco' in router.db
- whoever can access /usr/local/rancid/var (or any location that was
configured to store the rancid-run results) will be able to see the
crypto/ISAKMP keys

I might have missed other line(s) to comment out either in
/usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
who are more intimate with those scripts, please share it with the list.

Hope that helps ;)

P.S.: I no longer have access to a PIX, so for those that
still have that access, please give it a try and let me know ;)

Cheers,

Dwi




dc at dwichandra

Nov 3, 2008, 9:21 AM

Post #4 of 8 (1806 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

Anyway, just to add one safer approach on Jeremy's request:

Based on
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid#Initial_Rancid_Configuration

I'm quoting the paragraph:
By default Rancid filters out passwords and SNMP community strings.
You may want to set the FILTER_PWDS and NOCOMMSTR variables to "NO" to
prevent this.

#
# Sample rancid.conf
#
LIST_OF_GROUPS="networking"
FILTER_PWDS=NO; export FILTER_PWDS
NOCOMMSTR=NO; export NOCOMMSTR

So, I think, what you need is only the FILTER_PWDS=NO; export
FILTER_PWDS, without tampering with /usr/local/rancid/bin/rancid too much ;)

Hope that helps.

Cheers,

Dwi



rancid at gheek

Nov 3, 2008, 9:45 AM

Post #5 of 8 (1858 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

John,

Can we include this fix?

Jeremy et al.,

You could also simply add the following before the other
WriteTerm items in the commandtable inside of <rancid home>/bin/rancid
so it would then get that info. The command would be attempted on
non-ASA devices as well, but if the command is invalid (like the
already existing logic) it will just continue down the list of
commands. If it runs successfully it will then mark it as
found_end and no longer process the rest of the commands in
"WriteTerm".

    {'more system:running-config' => 'WriteTerm'},

Dwi C Taniel,

Since the show running-config does NOT include the pre-shared-key,
RANCID would not replace it with <REMOVED>. If you wanted to filter it
out you would need to augment rancid by adding this below the isakmp
removed line under the sub WriteTerm:

    if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
        ProcessHistory("","","","!$1 <removed> $'"); next;
    }

Example

tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *

Todd is correct with the more system:running-config

Here is a Cisco document backing up his comment.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I have also found but not verified "Another way to get unencrypted
keys is to go to the /admin/config page with a web browser. This works
for 7.x and 8.x. On a Pix running 6.x, go to /config."

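The command-table walk Lance describes above, as an added example in Python (rancid itself is Perl, and this is not rancid's code): WriteTerm entries are tried in order, a command the platform rejects falls through to the next one, and the first accepted command ends the walk. The device responses, the "Invalid input detected" rejection marker and the function names are constructed for the example. The masked_keys check at the end is the test a practitioner wants on a backup before trusting it for a restore: a captured config that still reads "pre-shared-key *" cannot rebuild the tunnels, which is exactly what happens if "show running-config" is listed before the "more" form.

```python
import re

# Added example (Python, not rancid's Perl): the WriteTerm command-table
# fallback. Commands are tried in order; a command the platform rejects
# falls through, and the first accepted one ends the walk (found_end).

# Constructed sample outputs, not captured from real devices. On the ASA,
# "show running-config" prints the tunnel-group pre-shared key as "*",
# while "more system:running-config" prints the real value.
ASA_RESPONSES = {
    "more system:running-config": (
        "hostname asa-demo\n"
        "tunnel-group 192.0.2.10 ipsec-attributes\n"
        " pre-shared-key psk-example-one\n"
        "end\n"
    ),
    "show running-config": (
        "hostname asa-demo\n"
        "tunnel-group 192.0.2.10 ipsec-attributes\n"
        " pre-shared-key *\n"
        "end\n"
    ),
}

# An IOS router has no "more system:running-config"; it answers with the
# parser error, which the walk treats as "unsupported, try the next one".
IOS_RESPONSES = {
    "show running-config": (
        "Building configuration...\n"
        "hostname ios-demo\n"
        "crypto isakmp key example-key address 198.51.100.1\n"
        "end\n"
    ),
}

INVALID_MSG = "% Invalid input detected at '^' marker.\n"
INVALID_RE = re.compile(r"Invalid input detected")  # assumed rejection marker

# Order is the whole point: the 'more' form must precede 'show running-config',
# otherwise the ASA answers the 'show' first and the walk ends with masked keys.
WRITETERM_COMMANDS = [
    "more system:running-config",
    "show running-config",
]

MASKED_KEY_RE = re.compile(
    r"^\s*(pre-shared-key|(?:crypto )?isakmp key)\s+\*\s*$", re.M)


def make_device(responses):
    """Return a send(cmd) callable that answers from a response table and
    rejects anything else the way a Cisco CLI parser would."""
    def send(cmd):
        return responses.get(cmd, INVALID_MSG)
    return send


def write_term(send, commands=WRITETERM_COMMANDS):
    """Walk the WriteTerm commands; stop at the first one the device accepts.
    Returns (command_used, output, commands_attempted)."""
    attempted = []
    for cmd in commands:
        attempted.append(cmd)
        out = send(cmd)
        if INVALID_RE.search(out):
            continue                  # unsupported here; fall through
        return cmd, out, attempted    # found_end: skip the remaining commands
    raise RuntimeError("no WriteTerm command was accepted by the device")


def masked_keys(config_text):
    """Lines whose key survived only as '*': a backup containing these cannot
    be replayed to rebuild the tunnels."""
    return [m.group(0).strip() for m in MASKED_KEY_RE.finditer(config_text)]


if __name__ == "__main__":
    for name, table in (("asa", ASA_RESPONSES), ("ios", IOS_RESPONSES)):
        cmd, out, tried = write_term(make_device(table))
        print(f"{name}: tried {tried}, used {cmd!r}; masked: {masked_keys(out)}")
    # The original order (show before more) on the ASA leaves the keys masked.
    _, out, _ = write_term(make_device(ASA_RESPONSES),
                           list(reversed(WRITETERM_COMMANDS)))
    print("asa, show-first order: masked:", masked_keys(out))
```

Run masked_keys over whatever the collector actually committed, not over the device, since the point is to catch a backup that looks complete but contains only asterisks.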


dc at dwichandra

Nov 4, 2008, 12:33 AM

Post #6 of 8 (1802 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

Thanks for your enlightenment and correction Lance :)
Turned out that I mixed up the changes that I did and the rancid script
itself :P

Cheers,

Dwi



heas at shrubbery

Nov 4, 2008, 10:58 AM

Post #7 of 8 (1813 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

Mon, Nov 03, 2008 at 10:45:21AM -0700, Lance Vermilion:
> John,
>
> Can we include this fix?
>
> Jeremy et all,
>
> You could also simply just add the following before the other
> WriteTerm items in the commandtable inside of <rancid home>/bin/rancid
> so it would then get that info. The command would be attempted to be
> ran on non ASA like devices but if the command is invalid (like the
> already existing logic) it will just continue down the list of
> commands. If it is successful running it will then mark it as
> found_end and no longer process the rest of the commands in
> "WriteTerm".
>
> {'more system:running-config' => 'WriteTerm'},
>
> Dwi C Taniel,
>
> Since the show running-config does NOT include the pre-shared-key
> RANCID would not replace it with <REMOVED>. If you wanted to filter it
> out you would need to augment rancid by adding this below the isakmp
> removed line under the sub WriteTerm
>
> if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
> ProcessHistory("","","","!$1 <removed> $'"); next;
> }

Any others to be filtered, besides failover key?



rancid at gheek

Nov 4, 2008, 11:04 AM

Post #8 of 8 (1797 views)
Re: Cisco ASA Backup with Preshared Keys [In reply to]

The VPN keys are the only ones I know of. I didn't look at the failover
keys. Great point.

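The masking side of the thread (Dwi's FILTER_PWDS switch, Lance's pre-shared-key rule and heas's question about the failover key), as one added example in Python. It is not rancid's code, whose filters are Perl, but it follows the same output shape as the ProcessHistory calls quoted above: keep the keyword, replace the secret with <removed>, and comment the line out with a leading "!". The sample config, the secrets and the function names are constructed for the example; the "failover key [hex] key" pattern is an assumption about the ASA syntax rather than something the thread states. leaked_secrets is the check to run on the repository copy once FILTER_PWDS=NO is set, because from that point on whoever can read the rancid var directory can read every key.

```python
import re

# Added example (Python, not rancid's Perl): rancid-style secret masking for
# Cisco ASA/PIX/IOS config lines. Each rule keeps the keyword, drops the
# secret, and emits "!<keyword> <removed> <rest>" like the ProcessHistory
# calls in the thread. filter_pwds=False reproduces FILTER_PWDS=NO.
FILTER_RULES = [
    # crypto isakmp key SECRET address A.B.C.D   (IOS / PIX / older ASA)
    re.compile(r"^(?P<kw>(?:crypto )?isakmp key) \S+ (?P<rest>.*)$"),
    # " pre-shared-key SECRET" under tunnel-group <peer> ipsec-attributes (ASA);
    # "show running-config" prints it as "*", "more system:running-config" does not
    re.compile(r"^(?P<kw> pre-shared-key) \S+(?P<rest>)$"),
    # "failover key [hex] SECRET" for the ASA failover link (syntax assumed here)
    re.compile(r"^(?P<kw>failover key)(?: hex)? \S+(?P<rest>)$"),
]

# Constructed sample, not a real device's config. The secrets are made up.
SAMPLE_SECRETS = ["legacy-example", "psk-example-one", "fo-example-key"]
SAMPLE_CONFIG = """\
hostname asa-demo
failover
failover key fo-example-key
crypto isakmp key legacy-example address 203.0.113.7
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key psk-example-one
 isakmp keepalive threshold 10 retry 2
"""


def filter_line(line, filter_pwds=True):
    """Mask one config line if it matches a rule and filtering is on."""
    if not filter_pwds:
        return line
    for rule in FILTER_RULES:
        m = rule.match(line)
        if m:
            rest = m.group("rest")
            return f"!{m.group('kw')} <removed>" + (f" {rest}" if rest else "")
    return line


def filter_config(text, filter_pwds=True):
    """Apply filter_line to every line; returns text without a trailing newline."""
    return "\n".join(filter_line(l, filter_pwds) for l in text.splitlines())


def leaked_secrets(text, secrets):
    """Known secrets that still appear verbatim in the text about to be committed."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    for flag in (True, False):
        out = filter_config(SAMPLE_CONFIG, filter_pwds=flag)
        print(f"--- FILTER_PWDS={'YES' if flag else 'NO'} ---")
        print(out)
        print("leaked:", leaked_secrets(out, SAMPLE_SECRETS))
```

Non-secret lines that merely contain "isakmp" (the keepalive line in the sample) pass through untouched, which is the behaviour to check when adding a rule: a regex that is too broad silently comments out configuration you need on restore.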
