ASAReaper: Grab Configs From Multiple Cisco Devices Over SSH
(Demos PExpect and AES Encrypted INI Files in Python)
(Demos PExpect and AES Encrypted INI Files in Python)
I got put in charge of managing a bunch of Cisco ASAs (Adaptive Security Appliances [firewalls, VPNs and such]). It was a new experience for me, and one of the first problems I encountered was backing up the configs, or getting them into text files so they were easier to search through. I would have thought there would be a free tool for this, but I found nothing. I could have tried to SCP files off, but SCP was not always configured and change management was such that I could not just enable it on a whim. FTP was a possibility, but I did not want my passwords flying across the network in plain text. SSH was there, so I wanted to use it. I ended up writing a script using several Python libraries to accomplish my goal of automatically sucking down Cisco configs using "show run" over an SSH connection. Here are some of the features of this Python script:
- Uses PExpect to send commands to a Cisco ASA over SSH
- Uses threading to do more than one Cisco device at a time and make it fast
- Saves configuration in an AES encrypted INI file so you only have to use one password
- Goes through every context on an ASA and saves the configs in separate text files for backup or viewing offline
Even if you don't manage Cisco ASAs, the code should be easy to modify for other Cisco devices you can access over SSH. You might even be interested in only using the encrypted INI portion.
Useage it is simple:
First run with non-existent config file to set it up (asa.txt contains the IPs, line by line, of the Cisco devices to backup the configs from).
irongeek@igbox:~/backups$ ./asareaper.py myconfig.ini
Give me the config password or Die!!! : <does not echo>
Host Names File: asas.txt
ASA User: irongeek
ASA User Password: <does not echo>
Enable Password: <does not echo>
Running on 192.168.2.2
Running on 192.168.2.3
Working on 192.168.2.2 in the context admin...
Working on 192.168.2.3 the context admin...
Working on 192.168.2.2 in the context context1...
Working on 192.168.2.3 in the context context1...
Working on 192.168.2.2 in the context context2...
Working on 192.168.2.3 in the context context2...
irongeek@igbox:~/backups$
You should now have a bunch of text files in the same directory with names in the form of <asa name>-<context>-<timestamp>.TXT. The next time you run it, you should only have to put in one password:
irongeek@igbox:~/backups$ ./asareaper.py myconfig.ini
Give me the config password or Die!!! : <does not echo>
Running on 192.168.2.2
Running on 192.168.2.3
Working on 192.168.2.2 in the context admin...
Working on 192.168.2.3 the context admin...
Working on 192.168.2.2 in the context context1...
Working on 192.168.2.3 in the context context1...
Working on 192.168.2.2 in the context context2...
Working on 192.168.2.3 in the context context2.
irongeek@igbox:~/backups$
Easy. You can also use the -d option to turn on more debugging. The script should be pretty harmless, but I take no liability if it screws something up. If you have a different setup, you can just use this script as a template for other tasks (I've used it to return the version number and serials of every ASA in a list before). Hope it is useful to someone.
Change Log:
06/13/2013: Updated the code to make it easier to maintain and to fix a timeout issue. Also, Arne Lovius told me about a tool called Rancid (http://www.shrubbery.net/rancid) that can do the same thing as my script and more, but I figured the sample code is still of help to some.
02/01/2013:
02/01/2013:
Source-
0 comments:
Post a Comment