[rancid] ASA Config for Rancid

Doug Hughes doug.hughes at keystonenap.com
Tue Sep 26 14:56:11 UTC 2017


Nice summary. thanks!


On 9/26/2017 10:39 AM, Piegorsch, Weylin William wrote:
>
> I finally got it working for ASA post-8.3.  I thought I’d share my
> findings.
>
>  
>
> For refresher, I historically had an ASA-specific .cloginrc that
> overrode the “method” field and then called the primary .cloginrc. 
> This was for rancid-1.x - we started with rancid sometime around 2001
> or 2002 - where I just copied clogin and rancid as clogin-asa and
> rancid-asa and changed the one line from “rancid” to “rancid -f
> cloginrc-asa” (a few other small tweaks, but you get the point).  When
> the 15-year-old server finally died, we moved to a VM running
> rancid-v3.x; rather than try to figure out how to make it work, I just
> set about trying to figure out how to make ASAs work the way they’re
> supposed to.
>
>  
>
> The kicker? I need telnet as the first method to support my bulk
> deployment of really old Cisco Catalysts that don’t support SSH and
> cause rancid to time out on that, but that was causing timeout errors
> for ASAs.  Yes, I could have fixed the SSH problem instead, or even
> raised RANCiD’s timeout, but I’m trying to avoid server-side
> customizations - since I head a network shop that only uses servers
> where I need to, Cisco configs are easier to manage policy and
> compliance rules for than server configs.
>
>  
>
> How to fix ASAs to work with rancid, without enabling telnet:
>
>  
>
> 1. Apply the global config “service resetoutside”
>
> This tells the ASA to send a TCP RST packet if a connection request is
> denied, but only when the IP destination is the ASA itself.  By
> default, the ASA silently discards the TCP SYN when the connection is
> denied.  Without the RST, telnet times out before returning control
> back to the shell.  Unfortunately, the telnet timeout was longer than
> rancid’s timeout.
>
>  
>
> 2. Do not apply the global configs “service resetinbout” or “service
> resetoutbound”
>
> I never figured out why this was necessary, but under some conditions
> the three commands together weren’t playing nice with each
> other.  Feel free to play with this if you need it.
>
>  
>
> 3. Do not allow telnet to the least-secure interface from anywhere.
>
> If telnet is allowed to the least-secure interface, AKA the interface
> with the lowest security-level (check with packet-tracer, you’ll see
> it at the end despite all the “ALLOW” results), and if your telnet
> connection attempt is trying to connect to that interface, the ASA
> silently drops the connection request despite the resetoutside
> command.  Personally I think it’s a bug to override the “resetoutside”
> command, though I never confirmed it.  I also didn’t experiment with
> any interface except the least-secure interface.
>
>  
>
> weylin
>
>  
>
> *From: *Weylin Piegorsch <weylin at bu.edu>
> *Date: *Thursday, September 14, 2017 at 07:53
> *To: *"Gauthier, Chris" <cgauthier at comscore.com>, Ryan West
> <rwest at zyedge.com>, Dan Anderson <dan.w.anderson at gmail.com>,
> "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> *Subject: *Re: [rancid] ASA Config for Rancid
>
>  
>
> Hmm...
>
> https://www.zenoss.com/product/zenpacks/rancid-integration-community
>
>  
>
> We are in fact using ZenOSS for monitoring/alerting (free version, we
> can’t afford the licensed version).  Now THAT is something interesting
> to evaluate.  I’ll ask someone on my team to evaluate that.  Allowing
> telnet <shudder> is another possibility.  We had also considered
> shifting everything into PRIME Infrastructure (which we will anyway
> for other reasons than config backups - we did get enough licensing
> for that at least), but RANCiD has some capabilities that I like that
> PRIME doesn’t do so well - consider all the hijinks you can do in
> Linux, like aggregating certain parameters across a subset of
> devices by doing something like... I don’t know if I have the syntax
> right, this is just quickly off the top of my head: "echo $[`for $(find
> -name <pattern> -exec egrep -L <chassis_model> \{} \; ) do  grep
> <another_regex>   |   awk '{print $3}'   ;   done  |   tr '\n' '+' |
> sed 's/+$//'`]" . We haven’t yet found a good way to do that in PRIME.
>
>  
>
> Thanks everyone for the help!
>
>  
>
> weylin
>
>  
>
> *From: *"Gauthier, Chris" <cgauthier at comscore.com>
> *Date: *Tuesday, September 12, 2017 at 17:23
> *To: *Ryan West <rwest at zyedge.com>, Weylin Piegorsch <weylin at bu.edu>,
> Dan Anderson <dan.w.anderson at gmail.com>,
> "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> *Subject: *Re: [rancid] ASA Config for Rancid
>
>  
>
> Zenoss is a tool that has RANCiD integration/plugin connectivity.
>
>
>  
>
> *Chris Gauthier*
> Senior Network Engineer | comScore, Inc.
> o +1 *503-331-2704* <tel:503-331-2704>
> *cgauthier at comscore.com* <mailto:cgauthier at comscore.com>
> 317 SW Alder St, Suite 500 | Portland | OR 97204
>
>
>  
>
> On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West"
> <rancid-discuss-bounces at shrubbery.net on behalf of rwest at zyedge.com>
> wrote:
>
> On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
> >
> > Thanks Ryan. We used to do exactly that, but it got to the point
> > that ASAs were doing far more than merely firewall – to name a few:
> >
> > VPN
> > ... well ok these are just ASAs
> >
> > Firewall
> > PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there’s a
> > CheckPoint somewhere we haven’t yet replaced
> >
> > NAT
> > ASA, ASR1k, Catalyst6k, 7301, 3825
> >
> > Routing
> > Oh let me count the ways....
> >
> > BGP Service Advertisement
> > Nexus7k, ASR9k, ASR1k, 7301, ASA
> >
> > Since the devices performing a function are so varied, the naming
> > standard cannot take model into account, merely function. It got to
> > the point where I was essentially starting to list every ASA by
> > specific name; after a few of these it became clear this approach
> > wouldn’t scale.
> >
> > And to answer the other question – somewhere around 20,000 devices;
> > 11,000+ VoIP handsets, 6,000–7,000 access points, and 3,000+ of
> > everything else (though largely only that last are needed in rancid).
> >
>
> Sounds like a fun problem to have. There are some open source NMS
> products out there that integrate with RANCID and can probably write
> out the file for you, otherwise you would need to modify how RANCID
> works and have it switch to the type of device after login with a show
> ver command or something similar. Let us know if you come up with
> anything though, I like the idea of having the device login decide the
> type, or at least a discovery mechanism for RANCID that would write
> out the proper lines to .cloginrc.
>
> -ryan
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

-- 
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562) 	
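Added example, not part of the thread above and not rancid's or Cisco's code: a small Python probe for the behaviour weylin describes in step 1. A TCP connect to a denied port on an ASA either comes back with a RST straight away (what "service resetoutside" makes the ASA do, so telnet fails fast and clogin moves on) or gets no answer at all (the ASA default of silently discarding the SYN, which leaves telnet sitting in SYN-sent until its own timeout, longer than rancid's). Pointing the probe at an ASA's management address on port 23 from the rancid host tells you which of the two you have before you add the device to router.db. Assumptions, labelled in the code: the 10-second rancid/clogin deadline is a placeholder, not a value from the thread, and the loopback self-check only exercises the "open" and "reset" outcomes, since a silent drop cannot be produced offline.

```python
"""Probe how a device answers a TCP connection attempt (added example).

A connect() to a firewalled port ends one of three ways:
  open    - the handshake completed (a service is listening there)
  reset   - the device answered the SYN with a RST; the kernel reports
            ECONNREFUSED at once (ASA with 'service resetoutside')
  dropped - nothing came back before the deadline; the client sat in
            SYN-sent until its own timeout (ASA default: silent discard)
"""
import socket
import sys
import time

# Assumed value, not taken from the thread: the deadline rancid/clogin gives
# a device.  Adjust it to whatever your clogin -t setting actually is.
ASSUMED_RANCID_TIMEOUT = 10.0


def probe_tcp(host, port, timeout=3.0):
    """Return (verdict, seconds_elapsed) for one TCP connect to host:port."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "reset"          # RST came back: telnet would fail fast
    except socket.timeout:
        verdict = "dropped"        # SYN silently discarded: telnet hangs
    except OSError as exc:
        # No route / host unreachable is a network problem, not a firewall
        # verdict; surface it separately instead of calling it a drop.
        verdict = "error:%s" % (exc.strerror or exc.errno)
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def safe_for_rancid(host, port=23, rancid_timeout=ASSUMED_RANCID_TIMEOUT):
    """True when a telnet attempt to host:port hands control back to clogin
    before rancid's deadline, i.e. the device either accepts or resets.
    A 'dropped' result is the failure mode from the thread: telnet only
    gives up after its own, longer, timeout."""
    verdict, elapsed = probe_tcp(host, port, timeout=rancid_timeout)
    return verdict in ("open", "reset") and elapsed < rancid_timeout


def self_check():
    """Offline sanity check on loopback: a live listener must classify as
    'open' and the same port, once closed, as 'reset'.  A silent drop
    cannot be produced locally, so that case is not covered here.
    Returns (open_verdict, closed_verdict, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: let the kernel pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    open_verdict, _ = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    # Nothing listens there now, so the kernel answers the SYN with a RST,
    # which is exactly what 'service resetoutside' makes the ASA do.
    closed_verdict, _ = probe_tcp("127.0.0.1", port, timeout=2.0)
    return open_verdict, closed_verdict, port


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: %s host [port]" % sys.argv[0])
        sys.exit(2)
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 23
    verdict, elapsed = probe_tcp(target, tport, timeout=ASSUMED_RANCID_TIMEOUT)
    print("%s:%d -> %s after %.2fs" % (target, tport, verdict, elapsed))
    if verdict == "dropped":
        print("no RST: check 'service resetoutside' and that telnet is not "
              "permitted on the least-secure interface")
```

Run it as "python3 probe.py <asa-address> 23" from the rancid host. A "reset" within a fraction of a second means step 1 is in effect; a "dropped" after the full deadline reproduces the timeout weylin hit, and step 3 (telnet still permitted on the least-secure interface) is the next thing to look at.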
