[rancid] Re: Pulling down context configs from a Cisco FWSM

Lance rancid at gheek.net
Thu Mar 29 22:24:26 UTC 2007


True, True.

BTW, how would you access each context? By way of ssh to each IP?

-lance

> -------- Original Message --------
> Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Justin Shore <justin at justinshore.com>
> Date: Thu, March 29, 2007 3:17 pm
> To: Krzysztof Adamski <kadamski at akn.ca>
> Cc: rancid-discuss at shrubbery.net
>
> That's always a possibility though it would require a userid like you
> mentioned as well as allowing SSH into the context from the outside.
> This would likely freak out some security-paranoid customers, even
> though you really aren't compromising security if the ACL is set up in a
> sane manner.  It's a thought but it could present additional problems.
>
> Our SME last week did mention something about a way to have a common DMZ
> in each context, though he said it was extremely difficult and would of
> course compromise security if that machine was ever rooted.
>
> Justin
>
>
> Krzysztof Adamski wrote:
> > I should start this email by saying I have not ever used context on the ASA.
> >
> > Now saying this, if you are allowing users to SSH into individual context, maybe
> > you can backup the context separately by having each context listed in the rancid
> > database as separate PIXes. You will need to have a username for rancid in each
> > context, this may be a show stopper.
> >
> > K
> >
> >  On Wed, 28 Mar 2007, Rob Shepherd wrote:
> >
> >> Lance wrote:
> >>> Rob,
> >>>
> >>> When you do a "show run" after changing contexts does it give you a
> >>> slightly different config or an entirely different config.
> >> It's an entirely different config. Each context is like a virtual PIX.
> >> (until you get down to feature completeness and command compatability
> >> that is :) )
> >>
> >>> Unfortunately at my place of business we only have a need to run 2
> >>> basic contexts, the default admin and system. So I don't work with
> >>> them.
> >>>
> >>> I don't intend on this being a context session 101, but why do you
> >>> create contexts for each customer you have (as it appears to me)? You
> >>> might enlighten me and I might switch to such a model. :-D
> >>>
> >> I do this because it permits me to hand off control of a context to a
> >> particular customer, if they want to do the config themselves.
> >>
> >> They can then SSH or PDM independently.
> >>
> >> Also there is some limitations with things like DNS/DHCP. I havn't found
> >> a way to have different DNS server options outputted by the dhcpd
> >> service on different interfaces. Same for extra options, like vendor
> >> specific 43, which different for each customer, for Alcatel AVA.
> >>
> >> I'm really eager to get the context's + system backed up automatically
> >> by rancid. I do it manually at present. :(
> >>
> >> If there's anything I can do to progress the development of such a
> >> feature, somebody please enlighten me. I'm not a perl devel though, but
> >> there's one sat next to me, who isn't a network engineer however. If I
> >> know what to code I can help get it done.....
> >> But i need the input from somebody who knows the architecture of rancid....
> >>
> >> Cheers
> >>
> >> Rob
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
> >> Technium CAST | LL57 4HJ | http://www.techniumcast.com
> >> rob at techniumcast.com | 01248 675024 | 077988 72480
> >> _______________________________________________
> >> Rancid-discuss mailing list
> >> Rancid-discuss at shrubbery.net
> >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> >>
> >
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> >
> >
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss




More information about the Rancid-discuss mailing list