[rancid] Re: Pulling down context configs from a Cisco FWSM

Justin Shore justin at justinshore.com
Thu Mar 29 22:17:52 UTC 2007


That's always a possibility though it would require a userid like you 
mentioned as well as allowing SSH into the context from the outside. 
This would likely freak out some security-paranoid customers, even 
though you really aren't compromising security if the ACL is set up in a 
sane manner.  It's a thought but it could present additional problems.

Our SME last week did mention something about a way to have a common DMZ 
in each context, though he said it was extremely difficult and would of 
course compromise security if that machine was ever rooted.

Justin


Krzysztof Adamski wrote:
> I should start this email by saying I have not ever used context on the ASA.
> 
> Now saying this, if you are allowing users to SSH into individual contexts, maybe
> you can back up the contexts separately by having each context listed in the rancid
> database as a separate PIX. You will need to have a username for rancid in each
> context; this may be a show stopper.
> 
> K
> 
>  On Wed, 28 Mar 2007, Rob Shepherd wrote:
> 
>> Lance wrote:
>>> Rob,
>>>
>>> When you do a "show run" after changing contexts does it give you a
>>> slightly different config or an entirely different config.
>> It's an entirely different config. Each context is like a virtual PIX.
>> (until you get down to feature completeness and command compatibility
>> that is :) )
>>
>>> Unfortunately at my place of business we only have a need to run 2
>>> basic contexts, the default admin and system. So I don't work with
>>> them.
>>>
>>> I don't intend on this being a context session 101, but why do you
>>> create contexts for each customer you have (as it appears to me)? You
>>> might enlighten me and I might switch to such a model. :-D
>>>
>> I do this because it permits me to hand off control of a context to a
>> particular customer, if they want to do the config themselves.
>>
>> They can then SSH or PDM independently.
>>
>> Also there are some limitations with things like DNS/DHCP. I haven't found
>> a way to have different DNS server options output by the dhcpd
>> service on different interfaces. Same for extra options, like vendor
>> specific 43, which differs for each customer, for Alcatel AVA.
>>
>> I'm really eager to get the contexts + system backed up automatically
>> by rancid. I do it manually at present. :(
>>
>> If there's anything I can do to progress the development of such a
>> feature, somebody please enlighten me. I'm not a perl devel though, but
>> there's one sat next to me, who isn't a network engineer however. If I
>> know what to code I can help get it done.....
>> But i need the input from somebody who knows the architecture of rancid....
>>
>> Cheers
>>
>> Rob
>>
>> --
>> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
>> Technium CAST | LL57 4HJ | http://www.techniumcast.com
>> rob at techniumcast.com | 01248 675024 | 077988 72480
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>>
> 
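An added illustration of the approach Krzysztof describes (not from the original thread and not rancid's own documentation): one router.db line per FWSM context, each with its own login in .cloginrc, so rancid treats every context as a separate PIX. The hostnames, the `cisco` device type, the rancid 2.x colon-separated router.db format and the placeholder passwords are assumptions.

```text
# router.db (rancid 2.x format: name:type:state) -- one line per context.
# Each name resolves to that context's management address, so rancid logs
# in to each context independently. Names and type are assumed.
fwsm-system:cisco:up
fwsm-admin:cisco:up
fwsm-cust-alpha:cisco:up
fwsm-cust-beta:cisco:up

# .cloginrc -- a dedicated rancid account in every context (the "username
# for rancid in each context" from the thread). Customer contexts get their
# own account so a leaked credential only exposes that one context.
# Keep this file mode 0600: clogin rejects a group- or world-readable file.
# Values in braces are placeholders, not real passwords.
add method   fwsm-*          ssh
add user     fwsm-system     rancid
add password fwsm-system     {sys-login-pw}   {sys-enable-pw}
add user     fwsm-admin      rancid
add password fwsm-admin      {adm-login-pw}   {adm-enable-pw}
add user     fwsm-cust-alpha rancid-alpha
add password fwsm-cust-alpha {alpha-login-pw} {alpha-enable-pw}
add user     fwsm-cust-beta  rancid-beta
add password fwsm-cust-beta  {beta-login-pw}  {beta-enable-pw}
```

On the firewall side, the `ssh <address> <mask> <interface>` statement in each context limits which source addresses may open an SSH session; permitting only the rancid host is the "sane ACL" Justin refers to.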