[c-nsp] How to easily and securely pull configuration from a PIX/ASA

William willay at gmail.com
Wed Dec 5 10:14:01 EST 2007


Hi Marc,

Try sshing to the box and once you are enabled run 'more system:running-config'

This way you will see preshared keys for VPNs, which are normally
starred out when you do a wr t.

Does that help?

Cheers,

W

On 05/12/2007, Marc Haber <mh+cisco-nsp at zugschlus.de> wrote:
> [Disclaimer: I haven't seriously touched Cisco gear in years, but
> occasionally, people still ask me for advice]
>
> Hi,
>
> I am wondering what's the easiest way to pull the full configuration
> (sans passwords/keys, if that makes things any easier) from a PIX or
> ASA box.
>
> On a Unix system, I'd write something along the lines
>
> from="172.16.42.24",command="show run" ssh-rsa AAAAB3NzaC1y...
>
> into /root/.ssh/authorized_keys, and be done. That way, the ssh key in
> question would only be accepted from 172.16.42.24, and only the
> command "show run" would be permitted.
>
> Can this somehow be done on a PIX/ASA? As far as I know, there is no
> TACACS in the game, all accounts are local.
>
> One hint that I already got was to use an SNMP request to make the
> PIX/ASA dump its config to a tftp server, but both SNMP and tftp are
> unencrypted, which is not desirable. I guess that I could build an
> IPSEC tunnel for the SNMP and tftp connections, but I'd rather prefer
> to avoid this.
>
> Any hints would be appreciated.
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
> Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>
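
The from=/command= restriction described in the quoted message for a Unix authorized_keys file can be checked mechanically. The Python below is an added example, not part of the original thread: it parses the options field of each entry and lists keys that are not pinned to a source address or to a forced command. The sample file, the key comments such as backup@nms, and the function names are constructed for illustration.

```python
import re

# Tokens that start the key field; anything before one is the options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

def parse_entry(line):
    """Return (options dict, key type) for one authorized_keys line."""
    text = line.strip()
    first = text.split(None, 1)[0]
    if KEY_TYPE.match(first):
        return {}, first               # no options: key is unrestricted
    opts, buf, in_quotes, prev = {}, "", False, ""
    for i, ch in enumerate(text):
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes  # quotes protect commas and spaces
        elif not in_quotes and ch in ", \t":
            name, _, value = buf.partition("=")
            opts[name.lower()] = value.replace('\\"', '"')
            buf = ""
            if ch != ",":              # unquoted whitespace ends the options
                return opts, text[i:].split()[0]
        else:
            buf += ch
        prev = ch
    raise ValueError("no key found after options")

def audit(authorized_keys_text):
    """List (line number, key type, missing restrictions) per weak entry."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, key_type = parse_entry(line)
        missing = []
        if opts.get("from", "*") in ("", "*"):  # absent or match-all source
            missing.append("from")
        if not opts.get("command"):             # no forced command
            missing.append("command")
        if missing:
            findings.append((lineno, key_type, missing))
    return findings

# Constructed sample; key material is truncated and not usable.
SAMPLE = '''# constructed sample
from="172.16.42.24",command="show run" ssh-rsa AAAAB3NzaC1y... backup@nms
ssh-ed25519 AAAAC3NzaC1l... admin@laptop
command="show run",no-pty ssh-rsa AAAAB3NzaC1y... cron@nms
from="*",command="show run, brief" ssh-rsa AAAAB3NzaC1y... test@nms
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```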

