[rancid] Re: Cisco ASA Backup with Preshared Keys

Lance Vermilion rancid at gheek.net
Tue Nov 4 19:04:37 UTC 2008


The VPN keys are the only ones I know of. I didn't look at the failover
keys. Great point.

On Tue, Nov 4, 2008 at 11:58 AM, john heasley <heas at shrubbery.net> wrote:
> Mon, Nov 03, 2008 at 10:45:21AM -0700, Lance Vermilion:
>> John,
>>
>> Can we include this fix?
>>
>> Jeremy et al.,
>>
>> You could also simply add the following before the other
>> WriteTerm items in the commandtable inside of <rancid home>/bin/rancid
>> so it would then get that info. The command would also be attempted
>> on non-ASA devices, but if the command is invalid (like the
>> already existing logic) it will just continue down the list of
>> commands. If it runs successfully it will then mark it as
>> found_end and no longer process the rest of the commands in
>> "WriteTerm".
>>
>>         {'more system:running-config'   => 'WriteTerm'},
>>
>> Dwi C Taniel,
>>
>> Since show running-config does NOT include the pre-shared-key,
>> RANCID would not replace it with <REMOVED>. If you wanted to filter it
>> out you would need to augment rancid by adding this below the isakmp
>> removed line under the sub WriteTerm:
>>
>>         if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
>>             ProcessHistory("","","","!$1 <removed> $'"); next;
>>         }
>
> Any others to be filtered, besides failover key?
>
>> Example
>>
>> tunnel-group xx.xx.xx.xx ipsec-attributes
>>  pre-shared-key *
>>
>> Todd is correct with the more system:running-config
>>
>> Here is a Cisco document backing up his comment.
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml
>>
>> I have also found but not verified "Another way to get unencrypted
>> keys is to go to the /admin/config page with a web browser. This works
>> for 7.x and 8.x. On a Pix running 6.x, go to /config."
>>
>> On Mon, Nov 3, 2008 at 9:50 AM, Dwi C Taniel <dc at dwichandra.info> wrote:
>> > Hi all,
>> >
>> > I had one incident where I had to back up the config while showing the
>> > pre-shared key in PIX/ASA (only <20 devices with <10 pairs of tunnels).
>> >
>> > From what I remember, I commented out several lines in
>> > /usr/local/rancid/bin/rancid
>> >
>> > One of the lines reads as follows (mine is at lines 1541 - 1543):
>> >         if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
>> >             ProcessHistory("","","","!$1 <removed> $'"); next;
>> >         }
>> >
>> > ... and I think I also commented out several other line(s) but can't
>> > remember which one(s).
>> >
>> > Now, if you comment out that line in the rancid script, please bear the
>> > following point(s) in mind (CMIIW please):
>> > - all devices using /usr/local/rancid/bin/rancid will have that
>> > particular keyword unmasked -> instead of *** it will be the actual
>> > value. So this will apply to all devices marked as 'cisco' in router.db
>> > - whoever can access /usr/local/rancid/var (or any location that was
>> > configured to store the rancid-run results) will be able to see the
>> > crypto/ISAKMP keys
>> >
>> > I might have missed other line(s) to comment out, either in
>> > /usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
>> > who are more intimate with those scripts, please share them with the list.
>> >
>> > Hope that helps ;)
>> >
>> > P.S.: I no longer have access to a PIX, so for those who
>> > still have access, please give it a try and let me know ;)
>> >
>> > Cheers,
>> >
>> > Dwi
>> >
>> >
>> > On 11/01/2008, Todd Heide <Todd at equivoice.com> wrote:
>> >
>> >> There is only one way to see the pre-shared keys on an ASA.
>> >>
>> >> more system:running-config
>> >>
>> >> Not sure how Rancid can do that, but if someone can set it up to issue
>> >> that command, then you should be able to back up the VPN keys.
>> >>
>> >> From: rancid-discuss-bounces at shrubbery.net
>> >> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Keys, Jeremy
>> >> Sent: Saturday, November 01, 2008 8:56 AM
>> >> To: rancid-discuss at shrubbery.net
>> >> Subject: [rancid] Cisco ASA Backup with Preshared Keys
>> >>
>> >> I use rancid to back up all of my configurations, including two Cisco ASA
>> >> 5520s. The only problem I have run into is that when rancid backs up
>> >> the configs on the ASA, the actual preshared keys are displayed as an
>> >> asterisk (*) rather than the actual preshared key.
>> >>
>> >> Is there a way to get rancid to back up the actual config file? I assume
>> >> it's just doing a screen scrape (sh running-config) and capturing the
>> >> output rather than copying the actual file. This is fine for most
>> >> equipment, but if I have a failure on the ASA and need to restore the
>> >> config, I would have to re-enter all the preshared keys (not fun with
>> >> several hundred tunnels).
>> >>
>> >> Any help is greatly appreciated,
>> >>
>> >> Jeremy Keys
>> >>
>> >> jeremy_keys at memorial.org
>> >>
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Rancid-discuss mailing list
>> > Rancid-discuss at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>> >
>
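The WriteTerm filters discussed in the quoted thread (rancid's existing isakmp key rule, the proposed pre-shared-key rule, and the failover key John raised), as an added stand-alone Perl example that is not rancid's own code: it runs the three patterns over a constructed sample of what `more system:running-config` returns and collects what ProcessHistory() would emit, so you can see the cleartext keys pass through with FILTER_PWDS=0 and get masked otherwise. The failover key line format and the FILTER_PWDS environment fallback are assumptions.

```perl
#!/usr/bin/perl
# Added example (not rancid's own code): a stand-alone WriteTerm-style
# filter for the secrets that 'more system:running-config' exposes on an
# ASA/PIX. The config lines below are constructed, not from a real device.
use strict;
use warnings;

# rancid normally sets $filter_pwds from rancid.conf (FILTER_PWDS);
# reading it from the environment here is an assumption for this demo.
my $filter_pwds = defined $ENV{FILTER_PWDS} ? $ENV{FILTER_PWDS} : 1;

# Constructed sample of 'more system:running-config' output (keys in clear).
my @config = (
    "crypto isakmp key supersecret address 203.0.113.10\n",
    "failover key hex 0123456789abcdef\n",
    "tunnel-group 203.0.113.10 ipsec-attributes\n",
    " pre-shared-key CleartextPSK\n",
    "interface GigabitEthernet0/0\n",
);

# Stand-in for rancid's ProcessHistory(): only collects the output line.
my @history;
sub ProcessHistory { push @history, $_[3]; }

sub filter_config {
    @history = ();
    for (@config) {
        # Same pattern rancid already applies to 'isakmp key' lines.
        if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed> $'"); next;
        }
        # The rule proposed on the list; '.*' eats the key, so the
        # postmatch $' is just the trailing newline.
        if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed> $'"); next;
        }
        # Failover key (line format assumed; covers the 'hex' form too).
        if (/^(failover key(?: hex)?) \S+/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>$'"); next;
        }
        ProcessHistory("","","","$_");
    }
    return @history;
}

print filter_config();
```

Run it with FILTER_PWDS=0 to confirm the same lines come back unmasked, which is exactly what Dwi's warning about /usr/local/rancid/var access is about.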

