[rancid] Revisiting Cisco ASA 5500 / FWSM in multiple context mode

Daniel Tuecks dtuecks at googlemail.com
Thu Jul 26 09:26:00 UTC 2012


Hi Rich,

If it's possible, I would also treat each context as its own device.
Unfortunately this wasn't possible for me, as policies only allowed
access to a context via the 'changeto context' command. I also fiddled
with DNS CNAMEs and custom scripts, but it turned out to be rather
complicated. Then I tried the usercmd patch (that's the patch Ryan West
also suggested ->
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html).
This patch makes it really easy to backup contexts / most out-of-band
devices plus I don't need all the CNAMES. I'll show you a sample
config:

# Backup device aka 'admin context'
# 'my-context-enabled-device' has an A RECORD and is accessible via
# ssh. This is a standard rancid .clogin config.
add user my-context-enabled-device ADMINUSER
add password my-context-enabled-device PWD ENAPWD
add method my-context-enabled-device {ssh:22}
add autoenable my-context-enabled-device {0}
add cyphertype my-context-enabled-device 3des

# Backup system context
# 'my-context-enabled-device-sys' is just a name for rancid. No DNS or
# address is needed.
# The magic happens one line below: login to
# my-context-enabled-device-sys via {clogin} for {my-context-enabled-device}
# When logged in, change to system context and backup
add method my-context-enabled-device-sys {usercmd}
add usercmd my-context-enabled-device-sys {clogin} {my-context-enabled-device}
add usercmd_chat my-context-enabled-device-sys {my-context-enabled-device/admin#} {changeto system\r} {my-context-enabled-device#} {\r}

# Backup SOMECONTEXT
# same as for the 'system' backup but changeto 'SOMECONTEXT'
# afterwards. Backup. Done.
# again 'my-context-enabled-device-SOMECONTEXT' is just a name for
# rancid. No DNS or address is needed.
add method my-context-enabled-device-SOMECONTEXT {usercmd}
add usercmd my-context-enabled-device-SOMECONTEXT {clogin} {my-context-enabled-device}
add usercmd_chat my-context-enabled-device-SOMECONTEXT {my-context-enabled-device/admin#} {changeto system\r} {my-context-enabled-device#} {changeto context SOMECONTEXT\r} {my-context-enabled-device/SOMECONTEXT#} {\r}

The router.db looks like this:

my-context-enabled-device:cisco:up
my-context-enabled-device-sys:cisco:up
my-context-enabled-device-SOMECONTEXT:cisco:up

Daniel
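The scheme above scales to many contexts, so here is an added example (not part of the post, and not rancid's own code) that generates the .cloginrc and router.db entries for a list of contexts and rejects names that would break the Tcl brace syntax or the expect prompt match. Device and context names, and the ADMINUSER/PWD/ENAPWD placeholders, are assumed to follow the post's sample.

```python
import re

# Only names that are safe both as rancid device names and inside Tcl braces.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def _check_name(name):
    # A brace or whitespace in a context name would break the .cloginrc
    # Tcl syntax (and the expect prompt match), so reject it up front.
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe device/context name: {name!r}")
    return name


def cloginrc_entries(device, contexts, user="ADMINUSER", pwd="PWD", enapwd="ENAPWD"):
    """Return .cloginrc text: one normal clogin entry for the admin context,
    plus a usercmd entry for the system context and each extra context."""
    _check_name(device)
    admin_prompt = f"{device}/admin#"   # prompt right after login (admin context)
    system_prompt = f"{device}#"        # prompt after 'changeto system'
    lines = [
        "# admin context: real host with an A record, reached directly over ssh",
        f"add user {device} {user}",
        f"add password {device} {pwd} {enapwd}",
        f"add method {device} {{ssh:22}}",
        f"add autoenable {device} {{0}}",
        f"add cyphertype {device} 3des",
        "",
        "# system context: a rancid name only, no DNS entry or address needed",
        f"add method {device}-sys {{usercmd}}",
        f"add usercmd {device}-sys {{clogin}} {{{device}}}",
        f"add usercmd_chat {device}-sys {{{admin_prompt}}} {{changeto system\\r}} "
        f"{{{system_prompt}}} {{\\r}}",
    ]
    for ctx in contexts:
        name = f"{device}-{_check_name(ctx)}"
        lines += [
            "",
            f"# context {ctx}: login, changeto system, then changeto context {ctx}",
            f"add method {name} {{usercmd}}",
            f"add usercmd {name} {{clogin}} {{{device}}}",
            f"add usercmd_chat {name} {{{admin_prompt}}} {{changeto system\\r}} "
            f"{{{system_prompt}}} {{changeto context {ctx}\\r}} "
            f"{{{device}/{ctx}#}} {{\\r}}",
        ]
    return "\n".join(lines) + "\n"


def router_db_entries(device, contexts):
    """router.db lines: admin context, system context, then each named context."""
    names = [device, f"{device}-sys"] + [f"{device}-{_check_name(c)}" for c in contexts]
    return "".join(f"{n}:cisco:up\n" for n in names)
```

Only the admin context needs real credentials in .cloginrc; every other entry rides on that single clogin, which keeps the number of stored passwords at one per firewall.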

2012/7/26 Richard Laxton <Richard.Laxton at applicable.com>:
> Sorry to reply to my own message, but I was on digest only and didn't get
> the individual replies. Newbie moment over.
>
> I've got a 99% working solution in place now; once I have dealt with the
> last issue I will post the code for consideration and re-use.
>
> I've done as follows:
>
> site/router.db
> ===========
> firewall1-context1:cisco:up
> firewall1-context2:cisco:up
> firewall1-admincontext:cisco:up
> firewall1-system:cisco:up
>
> In DNS
> ===========
> firewall1-context1 A 10.10.10.10
> firewall1-context2 A 10.10.20.20
> firewall1-admincontext A 10.1.1.1
> firewall1-system CNAME firewall1-admincontext
>
> I've then patched CLOGIN to check for "-system" in the $router hostname
> variable. If it's there, it'll issue a "changeto system" once, and then
> assume the prompt is now firewall1 instead of firewall1/admincontext.
>
> The script proceeds through all the commands as normal, except for some
> reason it misses command show running-config, despite the fact that you can
> type that at the command line normally and more system:running-config works.
> I'll try and work out why, or have that skipped for "-system". This is the
> last issue I mentioned.
>
> Is this a perfect automated solution? No. Does it get your configs backed up
> without any manual intervention? Yep, just set the DNS records and off you
> go. This method assumes of course that you need to be able to SSH to each
> context directly. All contexts are for my internal customer separation as
> part of a managed service so no direct user access - therefore it's not an
> issue for me to allow this, however I see no reason why this method couldn't
> be expanded upon quite simply so you can do the following in router.db,
> based on some older posts from 2009 I saw suggesting a similar thing:
>
> firewall1[context context1]:cisco:up
> firewall1[context context2]:cisco:up
> firewall1[system]:cisco:up
>
> (or indeed to make a new var in .cloginrc)
>
> Then instead of where I've put a static command to 'changeto system', you
> can issue 'changeto $some_var'.
>
> If I ever get round to making this happen I'll post that code too.
>
> -----Original Message-----
> From: Richard Laxton
> Sent: 24 July 2012 18:00
> To: 'rancid-discuss at shrubbery.net'
> Subject: Revisiting Cisco ASA 5500 / FWSM in multiple context mode
>
> Hi everyone,
>
> Forgive me if I'm breaching etiquette here, I've never posted to a mailing
> list before. I'm eager to get a resolution to the issue of how to grab the
> "system" context configuration when using ASA in multiple context mode.
>
> I've accommodated the individual contexts by simply adding them to router.db
> as additional 'cisco' devices and ensuring that they are reachable on an
> interface from RANCID. I'm (personally) happy with that solution.
>
> The issue I've got is then how to get into the system context reliably.
>
> I've copied rancid to asarancid and added it to rancid-fe as "asa" - I've
> then added my firewall as firewall:asa:up in router.db.
>
> Inside asarancid I've trimmed the commandtable down a bit for now, to get
> started:
>
> @commandtable = (
> {'changeto system' => 'DoNothing'},
> {'show version' => 'ShowVersion'},
> {'show boot' => 'ShowBoot'},
> {'show flash' => 'ShowFlash'},
> {'show running-config' => 'WriteTerm'},
> );
>
> In order to bypass the "prompt has changed" issue, I've simply commented out
> those lines, however it then rejects the 'changeto system' command as
> follows:
>
> firewall: found unexpected command - "changeto system"
>
> I'm unable to resolve how I define this as an expected command.
>
> Can you please assist me in my endeavours? I'll post the script at the end
> for anyone who may find it useful, or alternatively if anyone has resolved
> this could you kindly provide me a copy of your own scripts? I've tried a
> web search and searching on the web interface but despite some comments
> about people looking at this before I can't see any (obvious) place where a
> user script has been published.
>
> Thanks,
>
> Rich.
>