[c-nsp] How to easily and securely pull configuration from a PIX/ASA
Justin Shore
justin at justinshore.com
Fri Dec 7 10:26:00 EST 2007
Marc Haber wrote:
> On Thu, Dec 06, 2007 at 09:03:39PM +0000, Thorsten Dahm wrote:
>> Marc Haber wrote:
>>> Which access privileges would RANCID need, and how far can the RANCID
>>> account be restricted?
>> The same as any user who is able to do a "sh run".
>
> Which access privileges are needed to do a "sh run"?
sh run gives you the nuts and bolts of the system, the most important
and sensitive information. That implies the highest privilege level
possible. Like others have said, you could grant sh run access to lower
privs, but all users that have access to that lower priv or higher will
have access to that command unless you use TACACS and authorization.
Also, SNMP on the PIX/ASA products is read-only. You're not going to be
able to command it to do anything with SNMP.
The only option I can think of here is for you to grant access to a
userid that is allowed to run 'copy running-config
tftp://aaa.bbb.ccc.ddd/upload/pix.cfg', where aaa.bbb.ccc.ddd is the IP
of the authorized TFTP server on a secured portion of your LAN. That
way the userid can only upload the config to a secured server and
doesn't have the ability to view it on the FW. Of course, that level of
control would likely imply TACACS with Authorization again.
For the record I use RANCID for all my devices. When I don't have AAA
to work with I create a dedicated RANCID userid on each device.
Justin
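Added example (not part of the original post, and not RANCID's own code): once the config has landed on the TFTP server as described above, the file still contains everything "sh run" would have shown. Before such a dump is versioned or shared, a collector can strip the credential-bearing lines. The script below does that for a constructed PIX/ASA-style running-config sample; the regex patterns cover the common secret-carrying keywords (enable password, passwd, username ... password, pre-shared-key, SNMP community, aaa-server key, NTP MD5 key) and are an assumption about the config format, not an exhaustive list for every software version. Hashed values are redacted too, since a leaked hash can be attacked offline.

```python
import re
from typing import List, Tuple

# Constructed sample of what 'copy running-config tftp://...' might leave on
# the TFTP server. Every value here is made up for this example.
SAMPLE_CONFIG = """\
: Saved
ASA Version 8.0(4)
hostname fw-edge
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username rancid password mR7vp4oH2n1Tz5Qx encrypted privilege 3
username admin password k6Ue9Lq3ZmNb1Wcd encrypted privilege 15
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
snmp-server host inside 192.0.2.50 community s3cr3tComm version 2c
snmp-server community s3cr3tComm
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key Sup3rS3cr3tPSK
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.60
 key tacacsSharedKey
ntp authentication-key 1 md5 ntpKeyValue
"""

# Assumed line formats for secret-carrying statements. Group 1 is the prefix
# that is kept; the token following it is replaced with PLACEHOLDER.
SECRET_PATTERNS = [
    re.compile(r"^(enable password )\S+"),
    re.compile(r"^(passwd )\S+"),
    re.compile(r"^(username \S+ password )\S+"),
    re.compile(r"^(\s*pre-shared-key )\S+"),
    re.compile(r"^(snmp-server .*community )\S+"),
    re.compile(r"^(\s*key )\S+"),                      # aaa-server shared key
    re.compile(r"^(ntp authentication-key \d+ md5 )\S+"),
]
PLACEHOLDER = "<removed>"


def redact_line(line: str) -> Tuple[str, bool]:
    """Return the line with its secret token replaced, and whether it changed."""
    for pat in SECRET_PATTERNS:
        if pat.match(line):
            return pat.sub(lambda m: m.group(1) + PLACEHOLDER, line, count=1), True
    return line, False


def redact_config(text: str) -> Tuple[str, List[int]]:
    """Redact a whole config; also return the 1-based line numbers touched."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, changed = redact_line(line)
        out.append(new)
        if changed:
            hits.append(n)
    return "\n".join(out) + "\n", hits


def leaked(text: str, known_secrets: List[str]) -> List[str]:
    """Post-check: which of the known secret values still appear verbatim."""
    return [s for s in known_secrets if s in text]


if __name__ == "__main__":
    redacted, touched = redact_config(SAMPLE_CONFIG)
    print(redacted)
    print("redacted lines:", touched)
```

Run it as-is to see the cleaned sample, or feed it the file the firewall uploaded. The `leaked()` check is the useful part operationally: keep a list of the values you know are secret (from the device's AAA or VPN setup) and refuse to commit the dump if any of them survive the filter, which catches a keyword the pattern list does not yet know about.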