[rancid] Re: Cisco ASA Backup with Preshared Keys

Tue Nov 4 08:33:58 UTC 2008

Thanks for your enlightenment and correction Lance :)
Turned out that I mixed up the changes that I did and the rancid script
itself :P

Cheers,

Dwi

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Lance Vermilion
Sent: Monday, November 03, 2008 9:45 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys

John,

Can we include this fix?

Jeremy et all,

You could also simply just add the following before the other
WriteTerm items in the commandtable inside of <rancid home>/bin/rancid
so it would then get that info. The command would be attempted to be
ran on non ASA like devices but if the command is invalid (like the
already existing logic) it will just continue down the list of
commands. If it is successful running it will then mark it as
found_end and no longer process the rest of the commands in
"WriteTerm".

        {'more system:running-config'   => 'WriteTerm'},

Dwi C Taniel,

Since the show running-config does NOT include the pre-shared-key
RANCID would not replace it with <REMOVED>. If you wanted to filter it
out you would need to augment rancid by adding this below the isakmp
removed line under the sub WriteTerm

        if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed> $'"); next;
        }

Example

tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *

Todd is correct with the more system:running-config

Here is a Cisco document backing up his comment.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note0918
6a00807f2d37.shtml

I have also found but not verified "Another way to get unencrypted
keys is to go to the /admin/config page with a web browser. This works
for 7.x and 8.x. On a Pix running 6.x, go to /config."

On Mon, Nov 3, 2008 at 9:50 AM, Dwi C Taniel <dc at dwichandra.info> wrote:
> Hi all,
>
> I had one incident that I have to backup the config while showing the
> pre-shared key in PIX/ASA. (only <20 devices with <10 pair of tunnels)
>
> To what I remember, I commented out several lines in
> /usr/local/rancid/bin/rancid
>
> One of the line read as follow: (mine is at line 1541 - 1543)
>       if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 <removed> $'"); next;
>         }
>
> ... and I think I also commented out several other line(s) but can't
> remember which one.
>
> Now, if you commented out that line in rancid script, please bear the
> following point(s) in mind (CMIIW please):
> - all devices using /usr/local/rancid/bin/rancid will have that
> particular keyword unmasked -> instead of *** will be the actual
> value. So this will apply to all devices marked as 'cisco' in router.db
> - whoever can access /usr/local/rancid/var (or any location that was
> configured to store the rancid-run results) will be able to see the
> crypto/ ISAKMP keys
>
> I might have missed other line(s) to comment out either in
> /usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
> that is more intimate with those scripts, please share it to the list.
>
> Hope that helps ;)
>
> P.S.: I'm no longer have access to PIX anymore, so for those that
> still have those access, please give it a try and let me know ;)
>
> Cheers,
>
> Dwi
>
>
> On 11/01/2008, Todd Heide <Todd at equivoice.com> wrote:
>
>> There is only one way to see the pre-share keys on an ASA.
>>
>>
>>
>> More system:running-config
>>
>>
>>
>> Not sure how Rancid can do that, but if someone can set it up to issue
>> that command, then you should be able to back up the VPN keys.
>>
>>
>>
>> From: rancid-discuss-bounces at shrubbery.net
>> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Keys, Jeremy
>> Sent: Saturday, November 01, 2008 8:56 AM
>> To: rancid-discuss at shrubbery.net
>> Subject: [rancid] Cisco ASA Backup with Preshared Keys
>>
>>
>>
>> I use rancid to backup all of my configurations, including two Cisco ASA
>> 5520's.  The only problem I have run into is that when rancid backs up
>> the configs on the ASA, the actual preshared keys are displayed as an
>> asterisk (*) rather than the actual preshared key.
>>
>>
>>
>> Is there a way to get rancid to backup the actual config file?  I assume
>> it's just doing a screen scrape (sh running-config) and capturing the
>> output rather than copying the actual file.  This is fine for most
>> equipment, but if I have a failure on the ASA and needed to restore the
>> config, I would have to re-enter all the preshared keys (not fun with
>> several hundred tunnels).
>>
>>
>>
>> Any help is greatly appreciated,
>>
>>
>>
>> Jeremy Keys
>>
>> jeremy_keys at memorial.org
>>
>>
>>
>>
>>
>>
>> This message and accompanying documents are covered by
>> the Electronic Communications Privacy Act 18
>> U.S.C. "Sections 2510-2521," and contain information
>> intended for the specified individual(s) only. This
>> information is confidential.  If you are not the intended
>> recipient or an agent responsible for delivering it to
>> the intended recipient, you are hereby notified that you
>> have received this document in error and that any review,
>> dissemination, copying, or the taking of any action based
>> on the contents of this information is strictly
>> prohibited.  If you have received this communication in
>> error, please notify us immediately by e-mail, and delete
>> the original message.
>>
>>
>>
>>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss