[rancid] Re: Cisco ASA Backup with Preshared Keys

john heasley heas at shrubbery.net
Tue Nov 4 18:58:26 UTC 2008


Mon, Nov 03, 2008 at 10:45:21AM -0700, Lance Vermilion:
> John,
> 
> Can we include this fix?
> 
> Jeremy et al.,
> 
> You could also simply just add the following before the other
> WriteTerm items in the commandtable inside of <rancid home>/bin/rancid
> so it would then get that info. The command would be attempted to be
> run on non-ASA-like devices, but if the command is invalid (like the
> already existing logic) it will just continue down the list of
> commands. If it runs successfully it will then mark it as
> found_end and no longer process the rest of the commands in
> "WriteTerm".
> 
>         {'more system:running-config'   => 'WriteTerm'},
> 
> Dwi C Taniel,
> 
> Since the show running-config does NOT include the pre-shared-key,
> RANCID would not replace it with <REMOVED>. If you wanted to filter it
> out you would need to augment rancid by adding this below the isakmp
> removed line under the sub WriteTerm:
> 
>         if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 <removed> $'"); next;
>         }

Any others to be filtered, besides failover key?

> Example
> 
> tunnel-group xx.xx.xx.xx ipsec-attributes
>  pre-shared-key *
> 
> Todd is correct with the more system:running-config
> 
> Here is a Cisco document backing up his comment.
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml
> 
> I have also found but not verified "Another way to get unencrypted
> keys is to go to the /admin/config page with a web browser. This works
> for 7.x and 8.x. On a Pix running 6.x, go to /config."
> 
> On Mon, Nov 3, 2008 at 9:50 AM, Dwi C Taniel <dc at dwichandra.info> wrote:
> > Hi all,
> >
> > I had one incident where I had to back up the config while showing the
> > pre-shared key in PIX/ASA. (only <20 devices with <10 pairs of tunnels)
> >
> > From what I remember, I commented out several lines in
> > /usr/local/rancid/bin/rancid
> >
> > One of the lines reads as follows: (mine is at lines 1541 - 1543)
> >         if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
> >             ProcessHistory("","","","!$1 <removed> $'"); next;
> >         }
> >
> > ... and I think I also commented out several other line(s) but can't
> > remember which one.
> >
> > Now, if you comment out that line in the rancid script, please bear the
> > following point(s) in mind (CMIIW please):
> > - all devices using /usr/local/rancid/bin/rancid will have that
> > particular keyword unmasked -> instead of *** it will be the actual
> > value. So this will apply to all devices marked as 'cisco' in router.db
> > - whoever can access /usr/local/rancid/var (or any location that was
> > configured to store the rancid-run results) will be able to see the
> > crypto/ISAKMP keys
> >
> > I might have missed other line(s) to comment out either in
> > /usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
> > who are more intimate with those scripts, please share it with the list.
> >
> > Hope that helps ;)
> >
> > P.S.: I no longer have access to a PIX, so for those that
> > still have that access, please give it a try and let me know ;)
> >
> > Cheers,
> >
> > Dwi
> >
> >
> > On 11/01/2008, Todd Heide <Todd at equivoice.com> wrote:
> >
> >> There is only one way to see the pre-share keys on an ASA.
> >>
> >> More system:running-config
> >>
> >> Not sure how Rancid can do that, but if someone can set it up to issue
> >> that command, then you should be able to back up the VPN keys.
> >>
> >> From: rancid-discuss-bounces at shrubbery.net
> >> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Keys, Jeremy
> >> Sent: Saturday, November 01, 2008 8:56 AM
> >> To: rancid-discuss at shrubbery.net
> >> Subject: [rancid] Cisco ASA Backup with Preshared Keys
> >>
> >> I use rancid to back up all of my configurations, including two Cisco ASA
> >> 5520's.  The only problem I have run into is that when rancid backs up
> >> the configs on the ASA, the actual preshared keys are displayed as an
> >> asterisk (*) rather than the actual preshared key.
> >>
> >> Is there a way to get rancid to back up the actual config file?  I assume
> >> it's just doing a screen scrape (sh running-config) and capturing the
> >> output rather than copying the actual file.  This is fine for most
> >> equipment, but if I have a failure on the ASA and need to restore the
> >> config, I would have to re-enter all the preshared keys (not fun with
> >> several hundred tunnels).
> >>
> >> Any help is greatly appreciated,
> >>
> >> Jeremy Keys
> >>
> >> jeremy_keys at memorial.org
> >>
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> >

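The secret filters discussed in this thread (Dwi's isakmp key line, Lance's pre-shared-key addition, and the failover key John asks about), ported from rancid's Perl to Python as an added example that is not rancid's own code; the failover-key pattern and the sample config lines are assumptions constructed for the example. It also adds an audit helper for what Dwi warns about: lines in the stored output that still carry a clear-text key.

```python
import re

# Regexes of the WriteTerm filters discussed in the thread (Perl $1 == group 1).
SECRET_FILTERS = [
    re.compile(r"^((?:crypto )?isakmp key) \S+ "),   # Dwi's isakmp key line
    re.compile(r"^( pre-shared-key ).*"),            # Lance's pre-shared-key addition
    re.compile(r"^(failover key) \S+"),              # failover key; pattern assumed, not rancid's
]


def filter_secrets(config_lines, filter_pwds=1):
    """Mirror ProcessHistory("","","","!$1 <removed> $'"): comment the line
    out with '!', keep the keyword ($1), drop the secret, keep the trailing
    text ($') so e.g. the peer address survives. filter_pwds == 0 masks nothing."""
    out = []
    for line in config_lines:
        if filter_pwds >= 1:
            for pattern in SECRET_FILTERS:
                m = pattern.match(line)
                if m:
                    line = f"!{m.group(1).rstrip()} <removed> {line[m.end():]}".rstrip()
                    break
        out.append(line)
    return out


def unmasked_secret_lines(config_lines):
    """Audit what lands in rancid's var directory: lines whose secret is
    neither masked by the device ('*') nor replaced with '<removed>'."""
    leaks = []
    for line in config_lines:
        for pattern in SECRET_FILTERS:
            m = pattern.match(line)
            if m:
                rest = line[len(m.group(1)):].split()
                if rest and set(rest[0]) != {"*"}:
                    leaks.append(line)
                break
    return leaks


# Constructed sample of what 'more system:running-config' shows in clear.
SAMPLE_CONFIG = [
    "crypto isakmp key s3cr3t address 192.0.2.10",
    "tunnel-group 192.0.2.20 ipsec-attributes",
    " pre-shared-key hunter2",
    "failover key f4il0v3r",
    "interface GigabitEthernet0/0",
]
```

Running `unmasked_secret_lines` over a rancid run's output is a quick check that a commented-out filter has not started writing keys into the repository.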
