[rancid] ASA Config for Rancid
Piegorsch, Weylin William
weylin at bu.edu
Tue Sep 12 19:40:52 UTC 2017
Thanks Ryan. We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall – to name a few:
  VPN: ... well ok these are just ASAs
  Firewall: PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there’s a CheckPoint somewhere we haven’t yet replaced
  NAT: ASA, ASR1k, Catalyst6k, 7301, 3825
  Routing: Oh let me count the ways....
  BGP Service Advertisement: Nexus7k, ASR9k, ASR1k, 7301, ASA
Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function. It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn’t scale.
And to answer the other question – somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000–7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).
weylin
-----Original Message-----
From: Ryan West <rwest at zyedge.com>
Date: Tuesday, September 12, 2017 at 15:17
To: Weylin Piegorsch <weylin at bu.edu>, Dan Anderson <dan.w.anderson at gmail.com>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: RE: [rancid] ASA Config for Rancid
On Tue, Sep 12, 2017 at 15:06:20, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. I’m unable to concretely determine a device is an ASA from its
> domain name, unless I populate .cloginrc with every ASA I have. I used to do
> that, but it became cumbersome and at some point it was clear it would no
> longer scale. For a while I also went down the path of having a .cloginrc-asa
> that had the ASA-specific methods and then included .cloginrc, but for similar
> manageability reasons I had to abandon that approach as well.
>
> Is there a way to do that by some other means?
>
Not sure how many devices you're supporting, but I leverage an internal-only DNS view that has a location and device type with number, then you can have a catch-all in your .cloginrc that identifies them -
## Firewalls connect this way
add user *fw* {username}
add password *fw* {password} {en_password}
add method *fw* ssh telnet
add autoenable *fw* 0
-ryan
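The catch-all Ryan describes works because clogin matches each .cloginrc pattern against the device name as a glob and takes the first entry that matches, in file order. That makes ordering a security-relevant detail: a device-specific entry (say for ASAs) has to appear before a broad pattern like *fw* or *, or the broad entry silently supplies the credentials and enable behaviour. The script below is an added illustration, not rancid's own code: it parses a constructed .cloginrc fragment with a toy parser, resolves each hostname the way clogin's first-match lookup does (case-insensitive matching is an assumption here), and reports which hosts fall through to the bare * entry so the catch-all can be audited before it is trusted. Hostnames, usernames and passwords are placeholders.

```python
"""Audit which .cloginrc entry each device name resolves to.

Added example, not part of rancid. It imitates clogin's lookup: patterns
are globs (Tcl 'string match'), entries are tried in file order, and the
first match wins. Case-insensitive matching is an assumption.
"""
import fnmatch

# Constructed sample .cloginrc; every name and credential is a placeholder.
SAMPLE_CLOGINRC = """\
# ASA-specific entries must precede the generic firewall catch-all
add user       *asa*  {asa_admin}
add password   *asa*  {asa_pw}  {asa_enable_pw}
add method     *asa*  ssh
add autoenable *asa*  1

## Firewalls connect this way
add user       *fw*   {fw_admin}
add password   *fw*   {fw_pw}  {fw_enable_pw}
add method     *fw*   ssh telnet
add autoenable *fw*   0

# Everything else
add user       *      {net_admin}
add password   *      {net_pw}  {net_enable_pw}
add method     *      ssh
"""

KEYWORDS = ("user", "password", "method", "autoenable")


def parse_cloginrc(text):
    """Return {keyword: [(pattern, [values...]), ...]} preserving file order.

    Toy parser: whitespace-separated tokens, Tcl braces stripped, lines
    starting with '#' ignored. It does not handle every .cloginrc form.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip("{}") for t in line.split()]
        if len(tokens) < 3 or tokens[0] != "add":
            continue  # ignore directives this toy parser does not model
        keyword, pattern, values = tokens[1], tokens[2], tokens[3:]
        table.setdefault(keyword, []).append((pattern, values))
    return table


def find(table, keyword, hostname):
    """First-match-wins glob lookup; returns (pattern, values) or (None, [])."""
    for pattern, values in table.get(keyword, []):
        if fnmatch.fnmatchcase(hostname.lower(), pattern.lower()):
            return pattern, values
    return None, []


def resolve(table, hostname):
    """Map every keyword to the (pattern, values) pair clogin would use."""
    return {kw: find(table, kw, hostname) for kw in KEYWORDS}


def audit(table, hostnames, catch_all="*"):
    """Hosts whose password comes only from the bare catch-all pattern.

    These are the devices an operator probably meant to name more
    specifically in DNS, or to give their own .cloginrc entry.
    """
    return [h for h in hostnames if resolve(table, h)["password"][0] == catch_all]


if __name__ == "__main__":
    table = parse_cloginrc(SAMPLE_CLOGINRC)
    hosts = [  # constructed names following a location-type-number scheme
        "bos-asa-fw-01.example.edu",
        "bos-fw-02.example.edu",
        "cmb-rtr-01.example.edu",
    ]
    for h in hosts:
        print(h, resolve(table, h))
    print("catch-all only:", audit(table, hosts))
```

The same lookup run against a file in which the *fw* block precedes the *asa* block shows the ordering hazard directly: a host named bos-asa-fw-01 then takes the firewall credentials and autoenable 0, with no error from clogin.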