Cisco ASA - Secure Backups with passwords/keys

We have been getting running/startup backups of our ASAs using TFTP. Our security team is requiring that we use a secure file transfer method such as SSH/SFTP. From

what I can tell, the default SSH method does a "show running-config" or "show startup-config", which does not include the pre-shared keys for IPSec tunnels. I've seen seen

other posts where people have recommended using a custom template which does "more system:<config type>". but I have a few questions about it:

This command does not let you get the startup-config (I'm running 8.2.x). I get both configs so I can determine if the running-config was not saved. Is there another way to determine this?
If we have a hard failure on an ASA and need to perform a restore from file, will the passwords/keys for various things such as enable, local users, AAA groups be retained?
Are there any other file transfer options I'm missing? I don't want to use FTP as its not integrated into NCM. SCP doesn't work because the ASA only acts as an SCP server; not an SCP client.

Thanks

Find more posts tagged with

cisco_asa

backup_file

Accepted answers

cvachovecj

Thanks for the information. Now this is a feature request.

Regards,

Jiri

All comments

cvachovecj

Answering question 3:

If you request configs through SSH, you can transfer them via SSH ("direct" download by dumping terminal output), TFTP, or SCP (both "indirect" methods, i.e. transferring files). According to e.g.

http://informationsecuritytips.com/2009/01/use-scp-with-cisco-routers-and-firewalls-to-transfer-files/

Using SCP to transfer files to and from Cisco ASA devices - Hudgins Wiki

SCP should be supported on 8.2.x. It's just disabled by default.

If you have SCP, then you can make sure it works in the same way as TFTP.

Regards,

Jiri

rhombus00

Thanks for the links. I checked them out and I think those websites are wrong (at least for Cisco ASAs). I've tested on both 8.2 and 8.4 and while you can enable SCP via the "ssh scopy enable" command, the copy commands listed on those sites are not valid. The ASA only acts as an SCP server, so NCM would have to act as an SCP client, which it does not. This snippet comes from Cisco's CLI Guide for 8.2:

SCP is a server-only implementation; it will be able to accept and terminate connections for SCP but can not initiate them.

I think SSH is my only option so I can hopefully get answers to my first two questions.

Thanks

rhombus00

So, it looks like there is no way to get secure backups (with passwords/keys) AND compare running vs startup on the Cisco ASA. This is a real bummer. I'm going to open up a ticket with SolarWinds to see if there are any other options.

danielleh

rhombus - did you open a support ticket? If so, could you post your ticket number and any answers you received from support?

Thanks,

Danielle

rjordan

Hey Danielle,

The rhombus account was a temporary account while I waited for Solarwinds to re-activate my original account. Anyways, I originally thought NCM/ASA were capable of doing all this so I put in a ticket regarding SCP login problems (375447). They initially thought that SCP would work, but I was able to confirm that the ASA will only act as an SCP server. They then recommended using the "more system:running-config" command to get a secure backup with keys. This ticket was converted to a feature request so NCM could also act as an SCP client.

Later, I realized that "more system" cannot get the startup config so I would lose the ability to compare running and startup configs. I then created ticket 381201 explaining this limitation and asking them to add this to the feature request in order to hopefully expedite.

In the mean time, I going to use a custom template so my running configs are backed up using "more system:running-config". This will break my startup configs backups, so I'll just run a night job that performs a "write mem".

Thanks

danielleh

Thanks for sharing this information with us. I know you went into this thinking the functionality was there and you ended up submitting feature requests. We do have Feature Request forums where you can create an idea which is then reviewed by the PM. Upon review, the community will then be able to vote on your feature request. Just letting you know for future reference - might save you some time.

Thanks again for the update.

cvachovecj

Thanks for the information. Now this is a feature request.

Regards,

Jiri