[rancid] Re: Pulling down context configs from a Cisco FWSM
justin at justinshore.com
Thu Mar 29 22:17:52 UTC 2007
That's always a possibility though it would require a userid like you
mentioned as well as allowing SSH into the context from the outside.
This would likely freak out some security-paranoid customers, even
though you really aren't compromising security if the ACL is set up in a
sane manner. It's a thought but it could present additional problems.
Our SME last week did mention something about a way to have a common DMZ
in each context, though he said it was extremely difficult and would of
course compromise security if that machine was ever rooted.
Krzysztof Adamski wrote:
> I should start this email by saying I have not ever used contexts on the ASA.
> Now saying this, if you are allowing users to SSH into individual contexts, maybe
> you can back up the contexts separately by having each context listed in the rancid
> database as a separate PIX. You will need to have a username for rancid in each
> context; this may be a show-stopper.
> On Wed, 28 Mar 2007, Rob Shepherd wrote:
>> Lance wrote:
>>> When you do a "show run" after changing contexts does it give you a
>>> slightly different config or an entirely different config.
>> It's an entirely different config. Each context is like a virtual PIX.
>> (until you get down to feature completeness and command compatibility
>> that is :) )
>>> Unfortunately at my place of business we only have a need to run 2
>>> basic contexts, the default admin and system. So I don't work with
>>> I don't intend on this being a context session 101, but why do you
>>> create contexts for each customer you have (as it appears to me)? You
>>> might enlighten me and I might switch to such a model. :-D
>> I do this because it permits me to hand off control of a context to a
>> particular customer, if they want to do the config themselves.
>> They can then SSH or PDM independently.
>> Also there are some limitations with things like DNS/DHCP. I haven't found
>> a way to have different DNS server options output by the dhcpd
>> service on different interfaces. Same for extra options, like vendor
>> specific 43, which differ for each customer, for Alcatel AVA.
>> I'm really eager to get the contexts + system backed up automatically
>> by rancid. I do it manually at present. :(
>> If there's anything I can do to progress the development of such a
>> feature, somebody please enlighten me. I'm not a perl devel though, but
>> there's one sat next to me, who isn't a network engineer however. If I
>> know what to code I can help get it done.....
>> But I need the input from somebody who knows the architecture of rancid....
>> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
>> Technium CAST | LL57 4HJ | http://www.techniumcast.com
>> rob at techniumcast.com | 01248 675024 | 077988 72480
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
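To make the "one rancid entry per context" idea above concrete, here is an added example (not code from the rancid project or from anyone in this thread) that turns a listing of the FWSM's contexts into the per-context router.db and .cloginrc lines rancid would need. It assumes the rancid 2.x router.db format "name:type:state" with the "cisco" device type, a hypothetical naming convention of "<fwsm>-<context>" for the hostname each context is reached at, and a constructed "show context" listing whose column layout is only approximated.

```shell
#!/bin/sh
# Added example, not part of the rancid project or of this thread's posts.
# Assumptions: rancid 2.x router.db format "name:type:state", device type
# "cisco", and a hypothetical hostname convention "<fwsm>-<context>" under
# which each context is separately reachable over SSH.

# Constructed sample of "show context" as seen from the system context.
# The leading "*" marks the admin context; the column layout is approximate.
SHOW_CONTEXT_SAMPLE='Context Name      Class      Interfaces           URL
*admin            default    Vlan100              disk:/admin.cfg
 cust1            default    Vlan101,Vlan102      disk:/cust1.cfg
 cust2            default    Vlan103              disk:/cust2.cfg'

# Print one router.db line per context: "<fwsm>-<context>:cisco:up".
# Usage: contexts_to_routerdb fwsm1
contexts_to_routerdb() {
    fwsm="$1"
    printf '%s\n' "$SHOW_CONTEXT_SAMPLE" | awk -v fw="$fwsm" '
        NR == 1 { next }                    # skip the header line
        {
            name = $1
            sub(/^\*/, "", name)            # drop the admin-context marker
            printf "%s-%s:cisco:up\n", fw, name
        }'
}

# Print matching .cloginrc entries, one "add user/password/method" set per
# context. The password fields are placeholders: the real .cloginrc must be
# mode 0600 and hold the separate rancid account created in each context.
# Usage: contexts_to_cloginrc fwsm1 rancid
contexts_to_cloginrc() {
    fwsm="$1"
    user="$2"
    contexts_to_routerdb "$fwsm" | cut -d: -f1 | while read -r host; do
        printf 'add user %s %s\n' "$host" "$user"
        printf 'add password %s {PLACEHOLDER_PASSWORD} {PLACEHOLDER_ENABLE}\n' "$host"
        printf 'add method %s ssh\n' "$host"
    done
}

# Running the script prints the router.db lines for the sample FWSM.
contexts_to_routerdb fwsm1
```

Each context then appears to rancid as its own device, which is exactly the per-context login the reply above notes has to exist; keeping the login source restricted to the rancid collector's address in each context's ACL is what keeps the "SSH from outside" exposure small.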