Saturday, August 13, 2016

Creating ASA Security Context Backup in Solarwinds NCM (and Pokemon Go)

Pokemon Go was just recently released in Southeast Asia (it almost got banned in some countries) and the game craze is phenomenal. Kids and adults (including me) hang out at popular Poke Stops and Poke Gyms. There are even Pokemon Lure parties being organized everywhere. I hope to catch 'em all soon!


My daughter Sophia and I try to catch Pokemons together in parks and even inside our home since there's always a Pokemon lure near our place.


I was initially doing manual backups of all our ASA security contexts, which was quite tedious even though we only have several ASA firewalls across the Asia Pacific (APAC) region. But when our monitoring was migrated to Solarwinds, we were able to leverage the Network Configuration Manager (NCM) for backing up ASA contexts.

You should configure SNMP and AAA on each ASA context so that NCM can pull its configuration. The other core pieces of this setup are the Layer 2 VLAN on the switch, the Layer 3 IP address for the VLAN gateway (I used a /27 IP subnet to have 30 hosts or ASA contexts), routing to the Solarwinds server, and a Layer 3 subinterface on each individual ASA context.


Switch

vlan 999
 name Solarwinds


Router

interface GigabitEthernet0/0.999
 description Solarwinds Monitoring Interface
 encapsulation dot1Q 999
 ip address 172.27.255.129 255.255.255.224


ASA

changeto system

<SYSTEM>

interface GigabitEthernet0/1.999
 description Solarwinds Monitoring Interface
 vlan 999

context CUSTOMER-A
 allocate-interface GigabitEthernet0/1.999


changeto context CUSTOMER-A

<CUSTOMER-A>

username admin password Passw0rd! privilege 15

interface GigabitEthernet0/1.999
 nameif Solarwinds
 security-level 100
 ip address 172.27.255.130 255.255.255.224

route Solarwinds 10.111.0.0 255.255.255.0 172.27.255.129

ssh 10.111.0.0 255.255.255.0 Solarwinds

snmp-server group MyGroup v3 priv
snmp-server user Admin MyGroup v3 auth md5 Passw0rd! priv aes 128 Passw0rd!
snmp-server host Solarwinds 10.111.0.71 version 3 Admin

crypto key generate rsa modulus 2048

aaa-server ACS protocol tacacs+
aaa-server ACS (Solarwinds) host 10.111.0.99
 key Passw0rd!  

aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL


I was able to poll the individual ASA context via SNMP and download both the running and startup config.
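A pre-flight check for the context configuration above, as an added example that is not part of the original post: it confirms the route's next hop sits inside the /27, that the SNMP host and AAA server are routed via the Solarwinds interface, and that SSH is permitted from the polling server. The `preflight` and `net` helpers are hypothetical names, the sample is constructed from the post's lines with secrets replaced, and it assumes the SNMP host is also the server NCM connects from over SSH.

```python
import ipaddress
import re

# Constructed sample: the CUSTOMER-A lines from this post, secrets replaced.
SAMPLE = """\
interface GigabitEthernet0/1.999
 nameif Solarwinds
 security-level 100
 ip address 172.27.255.130 255.255.255.224
route Solarwinds 10.111.0.0 255.255.255.0 172.27.255.129
ssh 10.111.0.0 255.255.255.0 Solarwinds
snmp-server user Admin MyGroup v3 auth md5 <secret> priv aes 128 <secret>
snmp-server host Solarwinds 10.111.0.71 version 3 Admin
aaa-server ACS (Solarwinds) host 10.111.0.99
aaa authentication ssh console ACS LOCAL
"""

def net(addr, mask):
    """Network containing addr, from an ASA 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def preflight(config, nameif="Solarwinds"):
    """Hypothetical helper: list what would stop NCM reaching this context."""
    n, find = re.escape(nameif), lambda p: re.findall(p, config, re.M)
    intf = find(rf"^ nameif {n}\n(?: .*\n)*? ip address (\S+) (\S+)")
    if not intf:
        return [f"no interface named {nameif} with an IP address"]
    local = net(*intf[0])
    routes = [(net(d, m), ipaddress.ip_address(gw))
              for d, m, gw in find(rf"^route {n} (\S+) (\S+) (\S+)")]
    problems = [f"next hop {gw} is outside {local}"
                for _, gw in routes if gw not in local]
    ssh_nets = [net(a, m) for a, m in find(rf"^ssh (\S+) (\S+) {n}$")]
    pollers = find(rf"^snmp-server host {n} (\S+) version 3")
    aaa = find(rf"^aaa-server \S+ \({n}\) host (\S+)")
    if not pollers:
        problems.append(f"no SNMPv3 host defined on {nameif}")
    for label, host in [("SNMP host", h) for h in pollers] + [("AAA server", h) for h in aaa]:
        ip = ipaddress.ip_address(host)
        if ip not in local and not any(ip in dest for dest, _ in routes):
            problems.append(f"{label} {host} has no route via {nameif}")
    for host in pollers:  # assumption: the SNMP host is also the NCM SSH client
        if not any(ipaddress.ip_address(host) in s for s in ssh_nets):
            problems.append(f"{host} is not permitted to SSH on {nameif}")
    if not find(r"^aaa authentication ssh console "):
        problems.append("no 'aaa authentication ssh console' line")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE) or "context is reachable for NCM polling and SSH")
```

Run it against the output of `show running-config` from each context before adding the node to NCM; an empty list means the interface, route, SSH and SNMP lines agree with each other.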

