Does RANCID handle Cisco PIX devices?
Hopper, Faron W.
faron.hopper at capgemini.com
Wed Dec 29 21:37:39 UTC 2004
That is a good idea, I will check into it. I thought that the account
had level 15, but I will verify it.
-----Original Message-----
From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla at mail.nih.gov]
Sent: Wednesday, December 29, 2004 3:29 PM
To: Hopper, Faron W.
Cc: rancid-discuss at shrubbery.net
Subject: RE: Does RANCID handle Cisco PIX devices?
Does the account you're logging in as have the rights to run all the
commands rancid wants to do on the PIX? I suspect that the rancid run
is taking forever because it's trying to run a whole list of things, and
one of them (write term, perhaps?) is being refused....rancid then
hangs, and the connection only dies when it times out.
Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing. It wastes your time and annoys the
pig.
> -----Original Message-----
> From: Hopper, Faron W. [mailto:faron.hopper at capgemini.com]
> Sent: Wednesday, December 29, 2004 4:25 PM
> To: Gee-clough, Aaron (NIH/CIT)
> Cc: rancid-discuss at shrubbery.net
> Subject: RE: Does RANCID handle Cisco PIX devices?
>
>
>
> Aaron,
>
> If I remove the autoenable line, I can use clogin to log into the
> PIX (see below).
> However, my rancid-run process now takes forever to complete (it is
> taking hours instead of minutes; it used to run about 20 minutes....)
> This is probably due to my lack of understanding in how to set up the
> .cloginrc file .....anyway, when that rancid-run process finishes, I
> do not have any updates in the cvs database. (cvsweb.cgi lists the
> rev as 1.1) I have run the rancid-run process 2-3 times since
> removing the autoenable and the dead.letter file now has many devices
> that it can't contact....more stuff to work on.
> Anyway, is there any reason why it would not update the pixhq device?
> (it is not listed in the dead.letter file....)?
>
> Thanks,
> Faron
>
>
> $ /usr/local/libexec/rancid/clogin -c "show version" -f .cloginrc
> pixhq
> pixhq
>
> spawn telnet pixhq
> Trying 10.1.1.1...
> telnet: connect to address 10.1.1.1: Connection refused
> telnet: Unable to connect to remote host
> spawn ssh -c 3des -x -l net-cfg-bak pixhq
> net-cfg-bak@pixhq's password:
> Type help or '?' for a list of available commands.
> PIXHQ>
> PIXHQ> enable
> Another session is writing configuration to memory, please wait a
> moment for it to finish...
> Password: ********
> PIXHQ#
> PIXHQ# term length 0
> Type help or '?' for a list of available commands.
> PIXHQ# show version
>
> Cisco PIX Firewall Version 6.3(3)
> Cisco PIX Device Manager Version 2.1(1)
>
> Compiled on Wed 13-Aug-03 13:55 by morlee
>
> KCSCAFW1 up 87 days 2 hours
>
> Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
> Flash E28F128J3 @ 0x300, 16MB
> BIOS Flash AM29F400B @ 0xfffd8000, 32KB
>
> 0: ethernet0: address is 0005.9bca.350f, irq 10
> 1: ethernet1: address is 0005.9bca.3511, irq 11
> 2: ethernet2: address is 00e0.b604.fb6b, irq 11
> 3: ethernet3: address is 00e0.b604.fb6a, irq 10
> 4: ethernet4: address is 00e0.b604.fb69, irq 9
> 5: ethernet5: address is 00e0.b604.fb68, irq 5
> 6: gb-ethernet0: address is 0003.4725.3a71, irq 5
> 7: gb-ethernet1: address is 0003.4725.38e5, irq 11
>
> Licensed Features:
> Failover: Enabled
> VPN-DES: Enabled
> VPN-3DES-AES: Enabled
> Maximum Physical Interfaces: 8
> Maximum Interfaces: 12
> Cut-through Proxy: Enabled
> Guards: Enabled
> URL-filtering: Enabled
> Inside Hosts: Unlimited
> Throughput: Unlimited
> IKE peers: Unlimited
>
> This PIX has an Unrestricted (UR) license.
>
> Serial Number: 405200333 (0x1826ddcd)
> Running Activation Key: 0xa94bffde 0x802610c9 0x25221732 0x585f4871
> Configuration last modified by net-cfg-bak at 14:44:44.067 UTC Wed Dec 29 2004
> PIXHQ#exit
>
> Logoff
>
> Connection to pixhq closed.
>
>
> -----Original Message-----
> From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla at mail.nih.gov]
>
> Sent: Tuesday, December 28, 2004 3:40 PM
> To: Hopper, Faron W.
> Subject: RE: Does RANCID handle Cisco PIX devices?
>
> Try it without the autoenable line...you still have to enter enable on
> the PIX. (I'm running rancid w/PIXs right now, so it should work.)
>
> Can you clogin to any of the PIXs directly? That's the common test I
> use to see if rancid will be okay (and often tells me what error
> actually occurs).
>
> Aaron
> ---------------------
> Aaron Gee-Clough
> NIH/CIT/DNST/NEB/NSS
> Contractor, geek, etc
> Never try to teach a pig to sing. It wastes your time and annoys the pig.
>
> > -----Original Message-----
> > From: Hopper, Faron W. [mailto:faron.hopper at capgemini.com]
> > Sent: Tuesday, December 28, 2004 3:14 PM
> > To: joshua sahala
> > Cc: rancid-discuss at shrubbery.net
> > Subject: RE: Does RANCID handle Cisco PIX devices?
> >
> > I have tried setting these devices to cisco from cat5. There is no
> > change. Rancid is not able to log into my PIXes. The PIXes don't
> > have telnet enabled, but this shouldn't be a big deal for RANCID.
> > Could the problem be in how I have set up the .cloginrc file?
> >
> > My .cloginrc file is as follows:
> >
> > add method * {telnet} {ssh}
> > add autoenable * {1}
> > add enauser * {net\-cfg\-bak}
> > add user * {net-cfg-bak}
> > add password * {pass}
> >
> > # set ssh encryption type, dflt: 3des
> > add cyphertype * {3des}
> >
> > The other thought that I had is that something might be configured
> > differently (misconfigured?) on TACACS.
> >
> > My TACACS+ username is net-cfg-bak
> >
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ (outside) host 10.2.1.61 key timeout 15
> > aaa-server TACACS+ (outside) host 10.2.1.62 key timeout 15
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol tacacs+
> > aaa-server local protocol tacacs+
> > aaa authentication ssh console TACACS+
> > aaa authentication telnet console TACACS+
> > aaa authentication enable console TACACS+
> >
> > Any thoughts?
> >
> > Thanks,
> > Faron
> >
> > -----Original Message-----
> > From: joshua sahala [mailto:jejs+rancid at sahala.org]
> > Sent: Tuesday, December 28, 2004 11:35 AM
> > To: Hopper, Faron W.
> > Cc: rancid-discuss at shrubbery.net
> > Subject: Re: Does RANCID handle Cisco PIX devices?
> >
> > On (28/12/04 12:19), Hopper, Faron W. wrote:
> > > Hello all, I am still exploring RANCID's capabilities. Does it have
> > > the ability to back up Cisco PIX configs? I have added one of
> > > our PIX's names to the router.db file and set the type to
> > >
> > > pixhq:cat5:up
> > > pixhq2:cat5:up
> >
> > use cisco...pix runs ios not catos
> >
> > i've used rancid with various models of pix and they all work fine,
> > with or without tac+ for aaa.
> >
> > /joshua
> > --
> > What difference does it make to the dead, the orphans, and the
> > homeless, whether the mad destruction is wrought under the name of
> > totalitarianism or the holy name of liberty and democracy?
> > - Mohandas Karamchand (Mahatma) Gandhi -
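A pre-flight script in the spirit of Aaron's "clogin directly" test, added here as an example and not part of the thread or of rancid itself: it runs clogin against each "up" device in router.db with a hard timeout, so a refused command cannot stall a run for hours, and classifies the transcript by which prompt was reached. The clogin path is the one used in the thread; the router.db path, the 60-second timeout and the sample transcript are assumptions.

```python
"""Pre-flight check for rancid: run clogin per router.db device with a hard
timeout and report whether the enable prompt was reached. Example code, not
part of rancid; paths and timeout below are assumptions."""
import re
import subprocess
import sys

CLOGIN = "/usr/local/libexec/rancid/clogin"  # path used in the thread

# Constructed transcript modelled on the session quoted above (sample data).
SAMPLE_OK = """spawn ssh -c 3des -x -l net-cfg-bak pixhq
PIXHQ> enable
Password: ********
PIXHQ# term length 0
PIXHQ# show version
"""

def parse_router_db(text):
    """(host, type, state) tuples from lines such as 'pixhq:cisco:up'."""
    return [tuple(l.strip().split(":")[:3]) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def classify(transcript, timed_out=False):
    """Diagnose a clogin transcript: reached '#', only '>', or no prompt."""
    if timed_out:
        return "hang"         # never returned: prompt not matched or a command refused
    if re.search(r"^\S+# ", transcript, re.M):
        return "ok"           # enable prompt reached, commands were accepted
    if re.search(r"^\S+> ", transcript, re.M):
        return "no-enable"    # logged in but stuck in user mode: check autoenable/enable pw
    return "unreachable"      # no prompt at all (connection refused, bad credentials, ...)

def check_device(host, timeout=60):
    """One clogin session; a timeout is reported instead of blocking rancid-run."""
    try:
        proc = subprocess.run([CLOGIN, "-c", "show version", host],
                              capture_output=True, text=True, timeout=timeout)
        return classify(proc.stdout)
    except subprocess.TimeoutExpired:
        return classify("", timed_out=True)

def main(router_db):
    for host, dtype, state in parse_router_db(open(router_db).read()):
        if state == "up":
            hint = "  (cat5 is CatOS; a PIX takes type 'cisco')" if dtype == "cat5" else ""
            print(f"{host}: {check_device(host)}{hint}")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "router.db")
```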