[c-nsp] How to easily and securely pull configuration from a PIX/ASA

Marc Haber mh+cisco-nsp at zugschlus.de
Wed Dec 5 09:36:28 EST 2007


[Disclaimer: I haven't seriously touched Cisco gear in years, but
occasionally, people still ask me for advice]

Hi,

I am wondering what's the easiest way to pull the full configuration
(sans passwords/keys, if that makes things any easier) from a PIX or
ASA box.

On a Unix system, I'd write something along the lines

from="172.16.42.24",command="show run" ssh-rsa AAAAB3NzaC1y...

into /root/.ssh/authorized_keys, and be done. That way, the ssh key in
question would only be accepted from 172.16.42.24, and only the
command "show run" would be permitted.

Can this somehow be done on a PIX/ASA? As far as I know, there is no
TACACS in the game, all accounts are local.

One hint that I already got was to use an SNMP request to make the
PIX/ASA dump its config to a tftp server, but both SNMP and tftp are
unencrypted, which is not desirable. I guess that I could build an
IPSEC tunnel for the SNMP and tftp connections, but I'd rather prefer
to avoid this.

Any hints would be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
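The Unix-side pattern Marc describes, as an added example that is not part of the original post: one function emits the restricted authorized_keys entry (source address pinned with from=, command pinned with command=, plus the no-pty/no-forwarding options that usually accompany a forced command), and a second function strips the secrets a PIX/ASA running-config carries (enable/passwd hashes, local username passwords, IPsec pre-shared keys, SNMP community strings) before the output is stored. The key string, the sample config and the redaction patterns are constructed assumptions; whether the ASA itself honours command= is exactly the open question in the post, so this only covers the Unix host doing the pull and what it does with the result.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a restricted
# authorized_keys line for an automated "show run" pull and redacts
# secrets from the pulled configuration before it is written to disk.

# Emit one authorized_keys line that accepts the key only from $1 and
# only for the forced command $2. $3 is the public key (a placeholder
# here, not real key material).
restricted_key_entry() {
    from_ip="$1"; forced_cmd="$2"; pubkey="$3"
    # Only a dotted-quad address is accepted, so a wildcard or hostname
    # cannot silently widen the from= restriction.
    case "$from_ip" in
        *[!0-9.]*|"") echo "bad address: $from_ip" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from_ip" "$forced_cmd" "$pubkey"
}

# Redact the secret-bearing lines of a PIX/ASA running-config read on
# stdin. The patterns are an assumption covering the common cases, not
# a complete list of every credential "show run" can contain.
redact_config() {
    sed -E \
        -e 's/^(enable password|passwd) [^ ]+/\1 <REDACTED>/' \
        -e 's/^(username [^ ]+ password) [^ ]+/\1 <REDACTED>/' \
        -e 's/^( *pre-shared-key) .*/\1 <REDACTED>/' \
        -e 's/^(snmp-server community) [^ ]+/\1 <REDACTED>/'
}

# Pull the config over SSH with the restricted key and redact it.
# Network call, so it is defined here but not run by the sample below.
pull_config() {
    key_file="$1"; target="$2"
    ssh -i "$key_file" -o BatchMode=yes "$target" show run | redact_config
}

# Constructed sample config (documentation addresses, fake hashes).
SAMPLE_CONFIG='hostname fw1
enable password FAKEHASH1 encrypted
passwd FAKEHASH2 encrypted
username admin password FAKEHASH3 encrypted privilege 15
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key s3cr3t
snmp-server community public
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0'

# Stand-alone demonstration of both functions on the constructed data.
restricted_key_entry 172.16.42.24 "show run" "ssh-rsa AAAAexample"
printf '%s\n' "$SAMPLE_CONFIG" | redact_config
```

The from= check deliberately rejects anything that is not a plain IPv4 address; sshd would happily accept a CIDR block or a pattern with `*`, but for a single collector host the narrow form is what you want, and a typo is better caught when the entry is generated than discovered in the logs later.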

