Saturday, March 22, 2014

Backup and Restore an ASA Config File

I was asked to back up an ASA 5510 firewall at work, in preparation for a possible upgrade to a 5525-X platform. A quick way to do this is via TFTP, using the write net command. We first make sure the TFTP server is reachable.

ciscoasa# ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa# write ?

  erase     Clear flash memory configuration
  memory    Save active configuration to the flash
  net       Save the active configuration to the tftp server
  standby   Save the active configuration on the active unit to the flash on
            the standby unit
  terminal  Display the current active configuration
  <cr>
ciscoasa# write net ?

  WORD  IP address of tftp server and file name <tftp_ip>:<file>. Place IPv6
        address within square brackets.
  <cr>
ciscoasa# write net 10.1.1.10:fw-config   
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: d18a5c1b a5542172 28c35cc0 5caa7ab3
!
[OK]


Once the file has transferred successfully, it is best to open the backup file in WordPad. Alternatively, you can use the more system:running-config command to view the ASA config. You can then start copying and pasting the command lines to the new ASA device.

ciscoasa# more system:running-config
Cryptochecksum: d18a5c1b a5542172 28c35cc0 5caa7ab3
: Saved
: Written by enable_15 at 07:26:14.259 UTC Wed Mar 19 2014
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

<OUTPUT TRUNCATED>

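As an added example (not part of the original post), the Python script below checks a saved backup on the TFTP server before it is pasted or restored: it compares the Cryptochecksum recorded in the file with the one write net printed, confirms the file was not cut short, and lists the lines that carry password hashes. It compares the recorded value rather than recomputing it. The function names, the sample text, and the trailing Cryptochecksum and ": end" lines are assumptions.

```python
import re

# Constructed sample: the header lines are the ones shown on this page; the
# trailing "Cryptochecksum:" and ": end" lines are an assumption about how
# the saved file ends.
SAMPLE_BACKUP = """\
: Saved
: Written by enable_15 at 07:26:14.259 UTC Wed Mar 19 2014
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
Cryptochecksum:d18a5c1ba554217228c35cc05caa7ab3
: end
"""

CHECKSUM_RE = re.compile(
    r"^Cryptochecksum:[ \t]*((?:[0-9a-f]{8}[ \t\r]*){4})$", re.I | re.M)

def normalize(checksum):
    """Drop whitespace so 'd18a5c1b a5542172 ...' equals 'd18a5c1ba5542172...'."""
    return re.sub(r"\s+", "", checksum).lower()

def check_backup(text, cli_checksum):
    """Compare a saved config with the checksum that 'write net' printed."""
    version = re.search(r"^ASA Version (\S+)", text, re.M)
    hostname = re.search(r"^hostname (\S+)", text, re.M)
    found = [normalize(c) for c in CHECKSUM_RE.findall(text)]
    checksum_ok = bool(found) and all(c == normalize(cli_checksum) for c in found)
    # A transfer that was cut short loses the tail of the file.
    lines = text.rstrip().splitlines()
    complete = bool(lines) and lines[-1].strip() == ": end"
    # Lines holding password hashes: the backup has to be stored accordingly.
    secret_lines = [n for n, line in enumerate(lines, 1)
                    if re.match(r"(enable password|passwd) \S+ encrypted", line)]
    return {"version": version.group(1) if version else None,
            "hostname": hostname.group(1) if hostname else None,
            "checksum_ok": checksum_ok, "complete": complete,
            "secret_lines": secret_lines}

if __name__ == "__main__":
    print(check_backup(SAMPLE_BACKUP, "d18a5c1b a5542172 28c35cc0 5caa7ab3"))
```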

To restore the ASA config, you issue the copy tftp startup-config command and perform a reload on the box.

ciscoasa# copy tftp startup-config

Address or name of remote host [10.1.1.10]?

Source filename [asdm-649.bin]? fw-config

Accessing tftp://10.1.1.10/fw-config...!
Writing system file...
!
2229 bytes copied in 0.20 secs

ciscoasa# reload
Proceed with reload? [confirm]


The same can be done using ASDM (which can also restore the startup-config). The ASA device uses a .zip compressed file.

Finally, reload the ASA device.


