[rancid] Re: Cisco ASA Backup with Preshared Keys
Dwi C Taniel
dc at dwichandra.info
Mon Nov 3 16:50:52 UTC 2008
Hi all,
I had one incident where I had to back up the config while showing the
pre-shared key in PIX/ASA. (only <20 devices with <10 pairs of tunnels)
To what I remember, I commented out several lines in
/usr/local/rancid/bin/rancid
One of the lines reads as follows: (mine is at lines 1541 - 1543)
if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 <removed> $'"); next;
}
... and I think I also commented out several other line(s) but can't
remember which one.
Now, if you commented out that line in rancid script, please bear the
following point(s) in mind (CMIIW please):
- all devices using /usr/local/rancid/bin/rancid will have that
particular keyword unmasked -> instead of *** the actual value will be
shown. So this will apply to all devices marked as 'cisco' in router.db
- whoever can access /usr/local/rancid/var (or any location that was
configured to store the rancid-run results) will be able to see the
crypto/ ISAKMP keys
I might have missed other line(s) to comment out either in
/usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
who are more intimate with those scripts, please share them with the list.
Hope that helps ;)
P.S.: I no longer have access to a PIX, so for those who still have
such access, please give it a try and let me know ;)
Cheers,
Dwi
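To make concrete what the quoted rancid filter does to a stored config, here is a Python re-implementation of that one regex rule (added for this thread; rancid itself is Perl and this is not its code). It runs the rule over a constructed PIX/ASA-style excerpt at filter_pwds 1 and 0 and includes a small check for which stored lines still carry a key in clear, which is the situation the points above warn about.

```python
import re

# Same pattern as the rancid line quoted in the mail:
#   if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
#       ProcessHistory("","","","!$1 <removed> $'"); next; }
ISAKMP_KEY_RE = re.compile(r'^((crypto )?isakmp key) \S+ ')


def filter_isakmp_line(line, filter_pwds):
    """Return the line as rancid would store it.

    Perl's $' is the text after the match, so the peer address and
    netmask are kept; only the key token itself becomes <removed>.
    """
    m = ISAKMP_KEY_RE.match(line)
    if m and filter_pwds >= 1:
        return '!' + m.group(1) + ' <removed> ' + line[m.end():]
    return line


def filter_config(lines, filter_pwds=1):
    """Apply the rule to every line; filter_pwds=0 mimics commenting it out."""
    return [filter_isakmp_line(line, filter_pwds) for line in lines]


def leaked_keys(stored_lines):
    """Lines in the stored copy that still match the unmasked key syntax."""
    return [line for line in stored_lines if ISAKMP_KEY_RE.match(line)]


# Constructed sample config excerpt (hypothetical device, documentation
# addresses, made-up keys); not taken from any real PIX/ASA.
SAMPLE_CONFIG = [
    'hostname asa-example',
    'crypto isakmp key S3cr3tKey address 192.0.2.10 netmask 255.255.255.255',
    'isakmp key AnotherKey address 198.51.100.7',
    'crypto isakmp policy 10',
]

if __name__ == '__main__':
    for level in (1, 0):
        stored = filter_config(SAMPLE_CONFIG, level)
        print(f'filter_pwds={level}: {len(leaked_keys(stored))} key line(s) in clear')
        for line in stored:
            print('  ' + line)
```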
On 11/01/2008, Todd Heide <Todd at equivoice.com> wrote:
> There is only one way to see the pre-share keys on an ASA.
>
> More system:running-config
>
> Not sure how Rancid can do that, but if someone can set it up to issue
> that command, then you should be able to back up the VPN keys.
>
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Keys, Jeremy
> Sent: Saturday, November 01, 2008 8:56 AM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] Cisco ASA Backup with Preshared Keys
>
> I use rancid to back up all of my configurations, including two Cisco ASA
> 5520s. The only problem I have run into is that when rancid backs up
> the configs on the ASA, the actual preshared keys are displayed as an
> asterisk (*) rather than the actual preshared key.
>
> Is there a way to get rancid to back up the actual config file? I assume
> it's just doing a screen scrape (sh running-config) and capturing the
> output rather than copying the actual file. This is fine for most
> equipment, but if I had a failure on the ASA and needed to restore the
> config, I would have to re-enter all the preshared keys (not fun with
> several hundred tunnels).
>
> Any help is greatly appreciated,
>
> Jeremy Keys
>
> jeremy_keys at memorial.org
>
> This message and accompanying documents are covered by
> the Electronic Communications Privacy Act 18
> U.S.C. "Sections 2510-2521," and contain information
> intended for the specified individual(s) only. This
> information is confidential. If you are not the intended
> recipient or an agent responsible for delivering it to
> the intended recipient, you are hereby notified that you
> have received this document in error and that any review,
> dissemination, copying, or the taking of any action based
> on the contents of this information is strictly
> prohibited. If you have received this communication in
> error, please notify us immediately by e-mail, and delete
> the original message.