LINICKX.com

Multi-Context HTTPS backups of Cisco ASA Script

Nick Bettison — Tue, 28 Jul 2015 16:04:00 +0100

If you look in the Cisco forums for scripts to backup ASAs you'll find various SSH / Expect , complicated examples... not sure why since in 2006 I showed it can be done with a single wget command ;-)

Recently I needed something that would support Multi-Context firewalls, so I pimped my one line command into the below shell script.

Copy/paste into a new file as backup_cisco_asa.sh then chmod 700 the file as necessary.

Run the file with no options ./backup_cisco_asa.sh and it'll ask you for IP address, username and password to make the connection.

For this to work the ASA needs appropriate HTTP statements (i.e. allow ASDM access from where you are running the script)

The file supports in-line backup of a single device such as ./backup_cisco_asa.sh 10.10.10.10

Multi-context support is via an environment variable or a config file ~/.asa_config. You must set an array containing entries for each context you want to backup. e.g.

ASA_CONTEXTS=( 
 "172.31.9.10:system"
 "172.31.9.10:admin"
 "172.31.9.10:Edge"
 "172.31.2.254:system"
 "172.31.2.254:admin"
 "172.31.2.254:Core" )

If you're feeling insecure you can also save your username/password variables into the ~/.asa_config as ASA_UID and ASA_PW respectively (or as environment variables)

Given that the script is a bash shell script I assume that SCP isn't required (because you are probably already on your linux SSH/SCP server running the script) but to keep the router team happy you might need to copy the files up via TFTP, this can be set with the ASA_TFTP_IP variable in ~/.asa_config.

By default the backup files will be saved to ./ (i.e. where ever you run the script from) and you can change that with the ASA_FILEPATH variable.

backup_cisco_asa.sh

#!/bin/bash

# Nick Bettison - LINICKX.com - 2015 - v1
# Bash Shell Scipt for backing up Cisco ASA's via HTTPS (i.e. ASDM)
# 
# Read the file comments, you can setup a config file ~/.asa_config to store variables.
# ASA_UID & ASA_PW for credentials (if you're feeling insecure)
# ASA_CONTEXTS for multi-context support
# and ASA_TFTP_IP for copying the files via TFTP (for insecure router boys)
#
# Tested on.
# Cisco Adaptive Security Appliance Software Version 9.2(3)4 <context>
# Device Manager Version 7.4(2)

# Timestamp for file names
TIMESTAMP=`date "+%Y%m%d-%H%M%S"`

# Allow single ASA IP address to be passed from CLI
# e.g ./backup_cisco_asa.sh 10.10.10.10
if [ -n "$1" ]
    then
    ASA_IP="$1"
fi

# Check for Curl
type curl >/dev/null 2>&1 || { echo >&2 "I require curl but it's not installed.  Aborting."; exit 1; }

# Read Variables from a config file (if it exits)
# The config file can be used for storing multi-context configurations... and for the insecure username/password ;-)
if [ -e ~/.asa_config ]
then
  . ~/.asa_config
fi

# Default File Path
if [ -z "$ASA_FILEPATH" ]
    then
    ASA_FILEPATH="./"
fi

# Check for UID/PW Variables - Ask if not found
if [ -z "$ASA_UID" ]
        then
        read -p "ASA Username:" ASA_UID
fi
if [ -z "$ASA_PW" ]
        then
        read -s -p "ASA Password:" ASA_PW
        echo
fi

# Check to see if single or multi-context mode.
if [ -z "$ASA_CONTEXTS" ]
        then
        if [ -z "$ASA_IP" ]
                then
                read -p "ASA IP Address:" ASA_IP
        fi

        ASA_tFILE="$ASA_FILEPATH.$TIMESTAMP.asaconfig.txt"

        # Download the "show run" via the unofficial CLI.
        curl -s -k -o $ASA_tFILE -u $ASA_UID:$ASA_PW "https://$ASA_IP/admin/exec/show%20running-config%20asdm/show%20running-config"

        if [ -e $ASA_tFILE ]
            then
            # Look for hostname in config file
            ASA_HOSTNAME=`grep ^hostname $ASA_tFILE | awk '{print $2}'`
            # rename the temp file to something sensible.
            mv $ASA_tFILE "$ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt"
            # Setup an array for TFTP later.
            ASA_FILES=("${ASA_FILES[@]}" "$ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt")
            # Done.
            echo "DONE: $ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt"
        else
            echo "FAILED: $ASA_IP"
            exit 1
        fi
else
    # Example ASA_CONTEXTS array:
    # 172.31.9.10 is the admin context IP, admin & Edge are the names of the two contexts to backup.
    # 172.31.2.254 is the admin context IP, admin & Core are the names of the two contexts to backup.
    # "system is obviously the system context"
    # ASA_CONTEXTS=( 
    #     "172.31.9.10:system"
    #     "172.31.9.10:admin"
    #     "172.31.9.10:Edge"
    #     "172.31.2.254:system"
    #     "172.31.2.254:admin"
    #     "172.31.2.254:Core" )

    # Loop through the array
    for firewall in ${ASA_CONTEXTS[@]} ; do
         ASA_IP=${firewall%%:*}
         ASA_CONTEXT=${firewall##*:}

         # Feedback on progress
         printf "Connecting to %s for %s \n" $ASA_IP $ASA_CONTEXT
         # Filename
         ASA_FILE="$ASA_FILEPATH$TIMESTAMP.$ASA_IP.$ASA_CONTEXT.txt"

         # Download the CONTEXT "show run" via the unofficial API.
         curl -s -k -o $ASA_FILE -u $ASA_UID:$ASA_PW "https://$ASA_IP/admin/exec/changeto%20context%20$ASA_CONTEXT/show%20running-config/show%20running-config%20asdm"

         if [ -e $ASA_FILE ]
             then
             # Setup an array for TFTP later.
             ASA_FILES=("${ASA_FILES[@]}" "$ASA_FILE")
             # Done!
             echo "DONE: $ASA_FILE"
         else
             echo "FAILED: $ASA_IP"
         fi
     done
fi

# Optional Backup to insecure tftp - you know, to keep the router boys happy!
if [ -n "$ASA_TFTP_IP" ]
    then
    # Check for TFTP binary
    type tftp >/dev/null 2>&1 || { echo >&2 "tftp client not installed.  Aborting."; exit 1; }
    type wc >/dev/null 2>&1 || { echo >&2 "wc not installed (needed for counting stuff).  Aborting."; exit 1; }
    type awk >/dev/null 2>&1 || { echo >&2 "awk not installed.... seriously?!?!  Aborting."; exit 1; }

    # Loop through array
    for file in ${ASA_FILES[@]} ; do
        LOCAL_FILE=$file
        # backup separator
        OIFS=$IFS
        # Change separator to /
        IFS='/'
        # Split the filename from the path
        AWK_POSITION=`echo $file | wc -w`
        REMOTE_FILE=`echo $file | awk -v w=$AWK_POSITION '{print $w}'`
        # restore separator
        IFS=$OIFS
        # TFTP the file.
        tftp -v $ASA_TFTP_IP -c put $LOCAL_FILE $REMOTE_FILE
    done
fi

Cisco ASA SYSLOG config for Tufin SecureTrack

nick — Mon, 02 Jun 2014 17:27:00 +0100

I'm sure there's a very good reason that the Tufin Secure Track User Guide (R14-1) has 8 pages of screenshots instead of including these 10 lines of config; I just don't yet know what the reason is :)

logging enable
logging timestamp
logging facility 23
logging message 111008 level  notifications
logging device-id  hostname 
logging list securetrack message 111008
logging list securetrack message 106100
logging list securetrack message 106023
logging trap securetrack
logging host inside 1.2.3.4

Replace 1.2.3.4 with the IP address of your ST server.

Cisco ASA Firewalls and IP Ranges in ACLS

nick — Fri, 29 Jul 2011 15:05:00 +0100

I've google'd and I cannot find a way of creating a firewall range style object in an ASA, you know the kind of thing whereby you want to allow IP addresses 192.168.1.10 thru 192.168.1.20 in an ACL.

In my frustration I have given up and created a shell script which converts a CSV into an ASA output, simply create a two column CSV with Col A containing your starting IP and Col B containing you end IP.

The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20 howvere I'm not actually sure you'd want that in your firewall config but I wrote the computability for the fun it!

Have fun, click "more" below if you can't see the script!

#!/bin.bash

# Commas separated VAR....
IFS=","
while read name firstip lastip
# Loop around CSV
do

# Split up our first ip into it's octects
firstipfirstoctect=$(echo $firstip | awk -F "." '{print $1}')
firstipsecondoctect=$(echo $firstip | awk -F "." '{print $2}')
firstipthirdoctect=$(echo $firstip | awk -F "." '{print $3}')
firstipforthoctect=$(echo $firstip | awk -F "." '{print $4}')

# Split up our last IP into it's ocects
lastipfirstoctect=$(echo $lastip | awk -F "." '{print $1}')
lastipsecondoctect=$(echo $lastip | awk -F "." '{print $2}')
lastipthirdoctect=$(echo $lastip | awk -F "." '{print $3}')
lastipforthoctect=$(echo $lastip | awk -F "." '{print $4}')

    # Re-set BASH
    unset IFS

    # Echo out the object GROUP name
    echo "object-group network $name"

    # Loop through 1st Octect
    for a in `seq $firstipfirstoctect $lastipfirstoctect`;
    do
        # test to see if we need to print the whole range
        if [ $firstipfirstoctect -lt $lastipfirstoctect ]
        then
            firstipsecondoctectCOUNTER="0"
            lastipsecondoctectCOUNTER="255"
        fi

        # first IP might not be 1
        if [ $a -eq $firstipfirstoctect ]
        then
            firstipsecondoctectCOUNTER=$firstipsecondoctect
        fi

        # last IP might not be 255
        if [ $a -eq $lastipfirstoctect ]
        then
            lastipsecondoctectCOUNTER=$lastipsecondoctect
        fi

            # Loop through 2nd Octect
            for b in `seq $firstipsecondoctect $lastipsecondoctect`;
            do

                # Same tests as before except, next octect.
                if [ $firstipsecondoctect -lt $lastipsecondoctect ]
                then
                    firstipthirdoctectCOUNTER="0"
                    lastipthirdoctectCOUNTER="255"
                fi

                if [ $b -eq $firstipsecondoctect ]
                then
                    firstipthirdoctectCOUNTER=$firstipthirdoctect
                fi

                if [ $b -eq $lastipsecondoctect ]
                then
                    lastipthirdoctectCOUNTER=$lastipthirdoctect
                fi

                    # Loop through 3rd Octect
                    for c in `seq $firstipthirdoctectCOUNTER $lastipthirdoctectCOUNTER`;
                    do

                        # copy / paste / tweak
                        if [ $firstipthirdoctect -lt $lastipthirdoctect ]
                        then
                            firstipforthoctectCOUNTER="0"
                            lastipforthoctectCOUNTER="255"
                        fi

                        if [ $c -eq $firstipthirdoctect ]
                        then
                            firstipforthoctectCOUNTER=$firstipforthoctect
                        fi

                        if [ $c -eq $lastipthirdoctect ]
                        then
                            lastipforthoctectCOUNTER=$lastipforthoctect
                        fi

                            # final octect... echo result.
                            for d in `seq $firstipforthoctectCOUNTER $lastipforthoctectCOUNTER`;
                            do
                                echo " network-object $a.$b.$c.$d  255.255.255.255"
                            done

                    done
            done
    done

done<./FirewallRanges.csv

Cisco ASA - First steps to a Check Point Style Policy

nick — Wed, 01 Dec 2010 10:14:00 +0000

I've just spotted this in the Cisco ASA 8.3 release notes...

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following command was modified: access-group global

For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.

I'm looking forward to seeing if this really helps with policy migrations!

Irritating ASDM & Java issues...

nick — Wed, 20 May 2009 18:02:00 +0100

Follow up from this tweet. Every time I tried to connect to the ASA's ASDM Java would crash with a Null Pointer exception, I tried everything from deleting the .asdm folder in my home directory (my documents on windows), uninstalling the asdm launcher didn't help, neither did clearing java's cache or uninstalling and re-installing java.

In the end i had to downgrade, very frustrating!

Strange ASA ARP Replying Behavior

nick — Thu, 10 Jul 2008 09:02:00 +0100

I've been implementing a few Cisco ASA's recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp....

CiscoASA# debug arp
debug arp  enabled at level 1
CiscoASA# 
CiscoASA# arp-set: added arp outside 192.168.1.122 001e.7000.1234 and updating NPs at 4301321940
arp-set: added arp inside 192.168.1.61 001a.7100.1234 and updating NPs at 4301321940
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.120 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.120, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.120 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.73 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.73, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.73 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.69 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.69, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.69 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.123 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.123, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.123 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: response at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.125 ffff.ffff.ffff
arp-in: updating gratuitous ARP 192.168.1.125 - 001a.3000.1234
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
CiscoASA#

The firewall is replying to arp requests even though both the source & destination of the traffic are on the same (outside) interface, now I haven't manged to work out why the firewall was doing this, but I did find a fix on the cisco forums.

sysopt noproxyarp outside

Names, IPs & MAC's have been changed to protect the innocent.
:cool:

Cisco ASA and 7905 IP Phone Weirdness

nick — Tue, 24 Jun 2008 08:30:00 +0100

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was "bouncing" the RTP stream off the firewall rather than connecting directly to the peer phone... very weird! The problem was solved by enabling...

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

Backup Interface on Cisco ASA Firewall

nick — Tue, 10 Jun 2008 18:06:00 +0100

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco's ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1 asa(config-if)# member-interface gigabitethernet 0/0 asa(config-if)# member-interface gigabitethernet 0/1 asa(config-if)# interface redundant 2 asa(config-if)# member-interface gigabitethernet 0/2 asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

OSPF & Cisco ASAs

nick — Tue, 24 Jul 2007 15:41:00 +0100

One of the interesting things about ASA's is the fact that it supports running two OSPF Processes. This was a great decision by cisco, if a business has two different OSPF domains the chances are they are owned by two separate parts of the business, so where would be a better place to put a firewall?

: My Lab Setup

: Overview of what we’re doing

I've put together a basic lab / config to test out the functionality, obviously this doesn't address IP conflicts which are quite likely to happen in a real world scenario, but you do get the general idea. In my cisco config directoryyou'll find two router configs and an ASA config. Each router is intended to represent each ospf domain, the ASA will then re-distribute the routes into each process... Note: you'll see some "show" commands at the end of the config files.

I actually put this together as a "just in case" type thing, but I expect this to come in very handy in the future ! :cool: