Does RANCID handle Cisco PIX devices?

Hopper, Faron W. faron.hopper at capgemini.com
Wed Dec 29 21:25:23 UTC 2004


Aaron,
    If I remove the autoenable line, I can use clogin to log into the
PIX (see below).  However, my rancid-run process now takes forever to
complete (it is taking hours instead of minutes; it used to run in about
20 minutes....).  This is probably due to my lack of understanding of
how to set up the .cloginrc file.....anyway, when that rancid-run
process finishes, I do not have any updates in the cvs database.
(cvsweb.cgi lists the rev as 1.1.)  I have run the rancid-run process
2-3 times since removing the autoenable, and the dead.letter file now
has many devices that it can't contact....more stuff to work on.
Anyway, is there any reason why it would not update the pixhq device?
(It is not listed in the dead.letter file....)

Thanks,
Faron


$ /usr/local/libexec/rancid/clogin -c "show version" -f .cloginrc pixhq
pixhq	
spawn telnet pixhq
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak pixhq
net-cfg-bak at pixhq's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> enable
Another session is writing configuration to memory,
please wait a moment for it to finish...
Password: ********
PIXHQ#
PIXHQ# term length 0
Type help or '?' for a list of available commands.
PIXHQ#  show version

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

KCSCAFW1 up 87 days 2 hours

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.9bca.350f, irq 10
1: ethernet1: address is 0005.9bca.3511, irq 11
2: ethernet2: address is 00e0.b604.fb6b, irq 11
3: ethernet3: address is 00e0.b604.fb6a, irq 10
4: ethernet4: address is 00e0.b604.fb69, irq 9
5: ethernet5: address is 00e0.b604.fb68, irq 5
6: gb-ethernet0: address is 0003.4725.3a71, irq 5
7: gb-ethernet1: address is 0003.4725.38e5, irq 11
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 8
Maximum Interfaces:          12
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 405200333 (0x1826ddcd)
Running Activation Key: 0xa94bffde 0x802610c9 0x25221732 0x585f4871
Configuration last modified by net-cfg-bak at 14:44:44.067 UTC Wed Dec
29 2004
PIXHQ#exit

Logoff

Connection to pixhq closed.

-----Original Message-----
From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla at mail.nih.gov]
Sent: Tuesday, December 28, 2004 3:40 PM
To: Hopper, Faron W.
Subject: RE: Does RANCID handle Cisco PIX devices?

Try it without the autoenable line...you still have to enter enable on
the PIX.  (I'm running rancid w/PIXs right now, so it should work.)

Can you clogin to any of the PIXs directly?  That's the common test I
use to see if rancid will be okay (and often tells me what error
actually occurs).

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing. 
It wastes your time and annoys the pig.

> -----Original Message-----
> From: Hopper, Faron W. [mailto:faron.hopper at capgemini.com]
> Sent: Tuesday, December 28, 2004 3:14 PM
> To: joshua sahala
> Cc: rancid-discuss at shrubbery.net
> Subject: RE: Does RANCID handle Cisco PIX devices?
>
> I have tried setting these devices to cisco from cat5.  There is no
> change.  Rancid is not able to log into my PIXes.  The PIXes don't have
> telnet enabled, but this shouldn't be a big deal for RANCID.  Could the
> problem be in how I have set up the .cloginrc file?
>
> My .cloginrc file is as follows:
>
>     add method              *     {telnet} {ssh}
>     add autoenable          *     {1}
>     add enauser             *     {net\-cfg\-bak}
>     add user                *     {net-cfg-bak}
>     add password            *     {pass}
>
>     # set ssh encryption type, dflt: 3des
>     add cyphertype *                {3des}
>
> The other thought that I had is that something might be configured
> differently (misconfigured?) on TACACS+.
>
> My TACACS+ username is net-cfg-bak
>
> 	aaa-server TACACS+ protocol tacacs+
> 	aaa-server TACACS+ (outside) host 10.2.1.61 key timeout 15
> 	aaa-server TACACS+ (outside) host 10.2.1.62 key timeout 15
> 	aaa-server RADIUS protocol radius
> 	aaa-server LOCAL protocol tacacs+
> 	aaa-server local protocol tacacs+
> 	aaa authentication ssh console TACACS+
> 	aaa authentication telnet console TACACS+
> 	aaa authentication enable console TACACS+
>
> Any thoughts?
>
> Thanks,
> Faron
> -----Original Message-----
> From: joshua sahala [mailto:jejs+rancid at sahala.org]
> Sent: Tuesday, December 28, 2004 11:35 AM
> To: Hopper, Faron W.
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: Does RANCID handle Cisco PIX devices?
>
> On (28/12/04 12:19), Hopper, Faron W. wrote:
> >
> > Hello all,  I am still exploring RANCID's capabilities.  Does it have
> > the ability to back up Cisco PIX configs?  I have added one of our
> > PIX's names to the router.db file and set the type to
> >
> >     pixhq:cat5:up
> >     pixhq2:cat5:up
> >
>
> use cisco...pix runs ios not catos
>
> i've used rancid with various models of pix and they all work fine,
> with or without tac+ for aaa.
>
> /joshua
> --
> What difference does it make to the dead, the orphans, and the
> homeless, whether the mad destruction is wrought under the name of
> totalitarianism or the holy name of liberty and democracy?
> 	- Mohandas Karamchand (Mahatma) Gandhi -
>
>
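Added example, not from the thread: a .cloginrc for the setup Faron describes, with the autoenable line removed as Aaron suggests, ssh tried before telnet (the PIXes refuse telnet), and the enable password given as the second field of `add password`, which is what clogin sends after it types `enable` on a device without autoenable. The `add` syntax and field order are clogin's own (clogin sources .cloginrc as Tcl); the hostname pattern `pixhq*`, the password values and the comment text are placeholders, not anything from the thread.

```tcl
# ~/.cloginrc  (clogin/rancid credentials -- keep it mode 0600; clogin
# refuses to run when the file is world-readable, and it holds both the
# login and the enable password in clear text)
#
# Hostnames, patterns and passwords below are placeholders (assumed),
# not values taken from the mailing-list thread.

# Methods are tried in order.  The PIXes do not accept telnet, so list
# ssh first for them; a device that silently drops telnet instead of
# refusing it would otherwise sit through a connect timeout on every run.
add method        pixhq*   {ssh}
add method        *        {ssh} {telnet}

# Login username (the TACACS+ account used for backups).
add user          *        {net-cfg-bak}

# First field: login password.  Second field: enable password.  With no
# autoenable entry, clogin types "enable" after login and answers the
# Password: prompt with the second field.
add password      *        {login-pass} {enable-pass}

# Only used if the enable step also asks for a username
# (possible with "aaa authentication enable console TACACS+").
add enauser       *        {net-cfg-bak}

# autoenable belongs only on devices that land in privileged mode right
# after login; leave it off for a PIX that still needs "enable".
# add autoenable  some-router {1}

# ssh cipher for these old PIX images (rancid's keyword is spelled this way).
add cyphertype    *        {3des}
```

Check it with the same command Faron used, `clogin -c "show version" -f .cloginrc pixhq`, before running rancid-run again; clogin should get from the `PIXHQ>` prompt to `PIXHQ#` without a manual enable. Note that the `Configuration last modified by net-cfg-bak` line in the show version output above means the backup account has written the configuration at least once; an account that exists only to run `show` commands for rancid is worth restricting to those commands with TACACS+ command authorization, so that a leaked .cloginrc yields read access rather than the ability to change the firewall.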