[c-nsp] How to easily and securely pull configuration from a PIX/ASA

Christian Zeng christian at zengl.net
Sat Dec 8 06:07:08 EST 2007


Hi,

* Tassos Chatzithomaoglou wrote:
> "sh run" is a special case and cannot be used like this. If you move it to level 1, then a user of 
> level 1 will be able to see only the part of the config which he can configure with that 
> level...which means nothing! You have to change the priv level of all the configure commands that 
> are used in the config to the same level as the user.

This is true for IOS, but not the case for PIX/ASA. You can move the sh 
run command to one of the unused priv levels:

privilege show level 7 mode exec command running-config

This will print the complete config without moving additional config 
mode commands from 15 to 7. No additional access is granted, so 
configure mode access is still not possible (ena 15 does still work, iirc).

Username: priv7
Password: *****
Type help or '?' for a list of available commands.
pixfirewall> ena 7
Password: ****** (enable password for level 7)
pixfirewall# sh curp
Username : enable_7
Current privilege level : 7
Current Mode/s : P_PRIV
pixfirewall# conf t
                ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
pixfirewall# show run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 93fkWsmDm1dopc2h level 7 encrypted
enable password XPPSm.Or8PKz3zl/ encrypted
[...]
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted
username priv7 password HoppQQsJ12XobwfQ encrypted
aaa authentication serial console LOCAL (change serial to SSH or telnet)
aaa authorization command LOCAL
privilege show level 7 mode exec command running-config

Basically, everyone who knows the level 7 enable password can read the 
config. Note that after ena 7, only the user 'enable_XX' is 
authenticated.

If you don't want separate enable passwords, you can use the user 
password as the enable password and allow him to gain access only to 
the privilege level he is configured for. You then need to assign 
privilege levels for every user account:

aaa authentication enable console LOCAL
username priv15 password UkOi6bg0MlQFcljE encrypted privilege 15
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7

Username: priv7
Password: *****
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ***** (user password)
pixfirewall# show curp
Username : priv7
Current privilege level : 7
Current Mode/s : P_PRIV
pixfirewall#
pixfirewall# ena 15
               ^
ERROR: % Invalid input detected at '^' marker.
pixfirewall# ?

   clear       Reset functions
   debug       Debugging functions (see also 'undebug')
   exit        Exit from the EXEC
   help        Interactive help for commands
   logout      Exit from the EXEC
   no          Negate a command or set its defaults
   ping        Send echo messages
   quit        Exit from the EXEC
   show        Show running system information
   test        Test subsystems, memory, interfaces, and configurations
   traceroute  Trace route to destination
   undebug     Disable debugging functions (see also 'debug')
pixfirewall# show ?

   checksum        Display configuration information cryptochecksum
   curpriv         Display current privilege level
   debug           Show state of each debugging option
   flash:          Display information about flash: file system
   history         Display the session command history
   rip             IP RIP show commands
   running-config  Show current operating configuration
   sla             Service Level Agreement (SLA)
   startup-config  Show contents of startup configuration
   track           Tracking information
   version         Display system software version

pixfirewall# show run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password XPPSm.Or8PKz3zl/ encrypted
names
!
interface Ethernet0
  no nameif
  no security-level
  no ip address
!
interface Ethernet1
  shutdown
  no nameif
  no security-level
  no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
privilege show level 7 mode exec command running-config
prompt hostname context
Cryptochecksum:e1779e7fc5b93ce74d5a294d6e836866
: end



Christian
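An added example, not part of Christian's post: once the config has been pulled, this small Python audit checks what a given privilege level is actually granted, so you can confirm that a read-only level like 7 only got "show running-config" and no configure-mode commands, and that command authorization is switched on (without it the privilege levels are not enforced). The sample config is constructed from the second "show run" listing above; the function name and result keys are my own.

```python
import re

# Constructed sample, modelled on the second "show run" output in the post.
SAMPLE_CONFIG = """\
enable password XPPSm.Or8PKz3zl/ encrypted
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
privilege show level 7 mode exec command running-config
"""

# "privilege {show|clear|cmd} level N mode M command C" as shown in the config
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<cmd>\S+)\s*$")
# "username NAME password HASH encrypted [privilege N]"
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+\S+(?:\s+encrypted)?"
    r"(?:\s+privilege\s+(?P<level>\d+))?")

def audit_level(config, level):
    """Summarise what privilege `level` can do according to a PIX/ASA config."""
    result = {
        "command_authz": False,    # aaa authorization command: levels enforced
        "enable_authz": False,     # aaa authentication enable: 'ena' uses user pw
        "users": [],               # accounts explicitly assigned to this level
        "can_read_running_config": False,
        "config_mode_grants": [],  # non-exec commands granted at or below level
    }
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("aaa authorization command"):
            result["command_authz"] = True
        elif line.startswith("aaa authentication enable console"):
            result["enable_authz"] = True
        elif (m := USER_RE.match(line)):
            if m.group("level") is not None and int(m.group("level")) == level:
                result["users"].append(m.group("name"))
        elif (m := PRIV_RE.match(line)):
            if int(m.group("level")) > level:
                continue   # granted only to higher levels, not to this one
            if m.group("kind") == "show" and m.group("cmd") == "running-config":
                result["can_read_running_config"] = True
            if m.group("mode") != "exec" or m.group("kind") == "cmd":
                result["config_mode_grants"].append(line)
    return result
```

Run it against a pulled config with the level you handed out; a non-empty config_mode_grants list or a missing command authorization line means the level is not the read-only one the post describes.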

