[rancid] ASA Config for Rancid
Piegorsch, Weylin William
weylin at bu.edu
Tue Sep 26 14:39:00 UTC 2017
I finally got it working for ASA post-8.3. I thought I’d share my findings.
For refresher, I historically had an ASA-specific .cloginrc that overrode the “method” field and then called the primary .cloginrc. This was for rancid-1.x - we started with rancid sometime around 2001 or 2002 - where I just copied clogin and rancid as clogin-asa and rancid-asa and change the one line from “rancid” to “rancid –f cloginrc-asa” (a few other small tweaks, but you get the point). When the 15yr-old-server finally died, we moved to a VM running rancid-v3.x; rather than try to figure out how to make it work, I just set about trying to figure out how to make ASAs work the way they’re supposed to.
The kicker? I need telnet as the first method to support my bulk deployment of really old Cisco Catalysts that don’t support SSH and cause rancid to timeout on that, but that was causing timeout errors for ASAs. Yes, I could have fixed the SSH problem instead, or even raised RANCiD’s timeout, but I’m trying to avoid server-side customizations - since I head a network shop that only uses servers where I need to, Cisco configs are easier to manage policy and compliance rules than server configs.
How to fix ASAs to work with rancid, without enabling telnet:
1. Apply the global config “service resetoutside”
This tells the ASA to send a TCP RST packet if a connection request is denied, but only when the IP destination is the ASA itself. By default, the ASA silently discards the TCP SYN when the connection is denied. Without the RST, telnet times out before returning control back to the shell. Unfortunately, the telnet timeout was longer than rancid’s timeout.
2. Do not apply the global configs “service resetinbout” or “service resetoutbound”
I never figured out why this was necessary, but under some conditions the three commands together weren’t playing nice with each other. Feel free to play with this if you need it.
3. Do not allow telnet to the least-secure interface from anywhere.
if telnet is allowed to the least-secure interface, AKA the interface with the lowest security-level (check with packet-tracer, you’ll see it at the end despite all the “ALLOW” results), and if your telnet connection attempt is trying to connect to that interface, the ASA silently drops the connection request despite the resetoutside command. Personally I think it’s a bug to override the “resetoutside” command, though I never confirmed it. I also didn’t experiment with any interface except the least-secure interface.
weylin
From: Weylin Piegorsch <weylin at bu.edu>
Date: Thursday, September 14, 2017 at 07:53
To: "Gauthier, Chris" <cgauthier at comscore.com>, Ryan West <rwest at zyedge.com>, Dan Anderson <dan.w.anderson at gmail.com>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA Config for Rancid
Hmm...
https://www.zenoss.com/product/zenpacks/rancid-integration-community
We are in fact using ZenOSS for monitoring/alerting (free version, we can’t afford the licensed version). Now THAT is something interesting to evaluate. I’ll ask someone on my team to evaluate that. Allowing telnet <shudder> is another possibility. We had also considered shifting everything into PRIME Insfrastructure (which we will anyway for other reasons than config backups - we did get enough licensing for that at least), but RANCiD has some capabilities that I like that PRIME doesn’t do so well - consider all the hijinks you can do in Linux, like aggregating certain parameters occurs across a subset of devices by doing something like... I don’t know if I have the syntax right, this is just quickly off the top of my head “echo $[`for $(find –name <pattern> –exec egrep –L <chassis_model> \{} \; ) do grep <another_regex> | awk ‘{print $3}’ ; done | tr ‘\n’ ‘+’ | sed ‘s/+$//’`]” . We haven’t yet found a good way to do that in PRIME.
Thanks everyone for the help!
weylin
From: "Gauthier, Chris" <cgauthier at comscore.com>
Date: Tuesday, September 12, 2017 at 17:23
To: Ryan West <rwest at zyedge.com>, Weylin Piegorsch <weylin at bu.edu>, Dan Anderson <dan.w.anderson at gmail.com>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA Config for Rancid
Zenoss is a tool that has RANCiD integration/pluin connectivity.
Chris Gauthier
Senior Network Engineer
|
comScore, Inc.
o +1
503-331-2704<tel:503-331-2704>
cgauthier at comscore.com<mailto:cgauthier at comscore.com>
317 SW Alder St, Suite 500 | Portland | OR 97204
............................................................................................................................................................................................................................
On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West" <rancid-discuss-bounces at shrubbery.net on behalf of rwest at zyedge.com> wrote:
On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs
> were doing far more than merely firewall – to name a few:
>
> VPN
> ... well ok these are just ASAs
>
> Firewall
> PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there’s a
> CheckPoint somewhere we haven’t yet replaced
>
> NAT
> ASA, ASR1k, Catalyst6k, 7301, 3825
>
> Routing
> Oh let me count the ways....
>
> BGP Service Advertisement
> Nexus7k, ASR9k, ASR1k, 7301, ASA
>
> Since the devices performing a function are so varied, the naming standard
> cannot take model into account, merely function. It got to the point where I
> was essentially starting to list every ASA by specific name; after a few of
> these it became clear this approach wouldn’t scale.
>
> And to answer the other question – somewhere around 20,000 devices;
> 11,000+ VoIP handsets, 6,000–7,000 access points, and 3,000+ of everything
> else (though largely only that last are needed in rancid).
>
Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.
-ryan
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20170926/dda4361c/attachment.html>
More information about the Rancid-discuss
mailing list