[c-nsp] How to easily and securely pull configuration from a PIX/ASA
Thorsten Dahm
t.dahm at resolution.de
Thu Dec 6 16:03:39 EST 2007
Marc Haber wrote:
> On Thu, Dec 06, 2007 at 12:48:19AM +0000, Thorsten Dahm wrote:
>> Marc Haber wrote:
>>> I am wondering what's the easiest way to pull the full configuration
>>> (sans passwords/keys, if that makes things any easier) from a PIX or
>>> ASA box.
>> Use RANCID over SSH. If necessary you can change the RANCID scripts to
>> work as you want.
>
> The site already has a management tool in place, and they want just
> the config pulled independently and securely, without deploying more
> software.

Why not use the clogin script from RANCID without the rest of the
tool? The alternative would be to write a script of your own. If you want
to do that: ping me, I already have a script which should do the trick ;-)

> And, they have a decidedly anti-open-source stance :-(

No worries, if I'm forced to I'll accept a high amount of money for my
"PIX-Tool". :)

> Which access privileges would RANCID need, and how far can the RANCID
> account be restricted?

The same as any user who is able to do a "sh run".

> The administrators of the boxes are not very
> keen on handing out unrestricted privilege 15 accounts to automated
> processes.

They may be able to restrict the user to the "sh run" command only.

cheers,
Thorsten