<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Nice summary. Thanks!<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 9/26/2017 10:39 AM, Piegorsch,
      Weylin William wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:BE5C6BBC-0615-42F6-85C0-761D299D29C2@bu.edu">
      <div class="WordSection1">
        <p class="MsoNormal">I finally got it working for ASA post-8.3. 
          I thought I’d share my findings.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">For refresher, I historically had an
          ASA-specific .cloginrc that overrode the “method” field and
          then called the primary .cloginrc.  This was for rancid-1.x -
          we started with rancid sometime around 2001 or 2002 - where I
          just copied clogin and rancid as clogin-asa and rancid-asa and
          changed the one line from “rancid” to “rancid -f cloginrc-asa”
          (a few other small tweaks, but you get the point).  When the
          15-year-old server finally died, we moved to a VM running
          rancid-v3.x; rather than try to figure out how to make it
          work, I just set about trying to figure out how to make ASAs
          work the way they’re supposed to.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">The kicker? I need telnet as the first
          method to support my bulk deployment of really old Cisco
          Catalysts that don’t support SSH and cause rancid to time out
          on that, but that was causing timeout errors for ASAs.  Yes, I
          could have fixed the SSH problem instead, or even raised
          RANCiD’s timeout, but I’m trying to avoid server-side
          customizations - since I head a network shop that only uses
          servers where I need to, Cisco configs are easier to manage
          policy and compliance rules than server configs.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">How to fix ASAs to work with rancid,
          without enabling telnet:<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">1. Apply the global config “service
          resetoutside”<o:p></o:p></p>
        <p class="MsoNormal">This tells the ASA to send a TCP RST packet
          if a connection request is denied, but only when the IP
          destination is the ASA itself.  By default, the ASA silently
          discards the TCP SYN when the connection is denied.  Without
          the RST, telnet times out before returning control back to the
          shell.  Unfortunately, the telnet timeout was longer than
          rancid’s timeout.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">2. Do not apply the global configs “service
          resetinbound” or “service resetoutbound”<o:p></o:p></p>
        <p class="MsoNormal">I never figured out why this was necessary,
          but under some conditions the three commands together weren’t
          playing nice with each other.  Feel free to play with this if
          you need it.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">3. Do not allow telnet to the least-secure
          interface from anywhere.<o:p></o:p></p>
        <p class="MsoNormal">If telnet is allowed to the least-secure
          interface, AKA the interface with the lowest security-level
          (check with packet-tracer, you’ll see it at the end despite
          all the “ALLOW” results), and if your telnet connection
          attempt is trying to connect to that interface, the ASA
          silently drops the connection request despite the resetoutside
          command.  Personally I think it’s a bug to override the
          “resetoutside” command, though I never confirmed it.  I also
          didn’t experiment with any interface except the least-secure
          interface.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">weylin<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal" style="margin-left:.5in"><b><span
                style="font-size:12.0pt;color:black">From:
              </span></b><span style="font-size:12.0pt;color:black">Weylin
              Piegorsch <a class="moz-txt-link-rfc2396E" href="mailto:weylin@bu.edu">&lt;weylin@bu.edu&gt;</a><br>
              <b>Date: </b>Thursday, September 14, 2017 at 07:53<br>
              <b>To: </b>"Gauthier, Chris"
              <a class="moz-txt-link-rfc2396E" href="mailto:cgauthier@comscore.com">&lt;cgauthier@comscore.com&gt;</a>, Ryan West
              <a class="moz-txt-link-rfc2396E" href="mailto:rwest@zyedge.com">&lt;rwest@zyedge.com&gt;</a>, Dan Anderson
              <a class="moz-txt-link-rfc2396E" href="mailto:dan.w.anderson@gmail.com">&lt;dan.w.anderson@gmail.com&gt;</a>,
              <a class="moz-txt-link-rfc2396E" href="mailto:rancid-discuss@shrubbery.net">"rancid-discuss@shrubbery.net"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:rancid-discuss@shrubbery.net">&lt;rancid-discuss@shrubbery.net&gt;</a><br>
              <b>Subject: </b>Re: [rancid] ASA Config for Rancid<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
        </div>
        <p class="MsoNormal" style="margin-left:.5in">Hmm...<o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in"><a
href="https://www.zenoss.com/product/zenpacks/rancid-integration-community"
            moz-do-not-send="true">https://www.zenoss.com/product/zenpacks/rancid-integration-community</a><o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in">We are in fact
          using ZenOSS for monitoring/alerting (free version, we can’t
          afford the licensed version).  Now THAT is something
          interesting to evaluate.  I’ll ask someone on my team to
          evaluate that.  Allowing telnet &lt;shudder&gt; is another
          possibility.  We had also considered shifting everything into
          PRIME Infrastructure (which we will anyway for other reasons
          than config backups - we did get enough licensing for that at
          least), but RANCiD has some capabilities that I like that
          PRIME doesn’t do so well - consider all the hijinks you can do
          in Linux, like aggregating certain parameters across a
          subset of devices by doing something like... I don’t know if I
          have the syntax right, this is just quickly off the top of my
          head “echo $[ $(for f in $(find -name &lt;pattern&gt; -exec egrep -L
          &lt;chassis_model&gt; {} \; ); do grep &lt;another_regex&gt; "$f" |
          awk '{print $3}'; done | tr '\n' '+' | sed 's/+$//') ]” . We
          haven’t yet found a good way to do that in PRIME.<o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in">Thanks everyone
          for the help!<o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in">weylin<o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal" style="margin-left:1.0in"><b><span
                style="font-size:12.0pt;color:black">From:
              </span></b><span style="font-size:12.0pt;color:black">"Gauthier,
              Chris" <a class="moz-txt-link-rfc2396E" href="mailto:cgauthier@comscore.com">&lt;cgauthier@comscore.com&gt;</a><br>
              <b>Date: </b>Tuesday, September 12, 2017 at 17:23<br>
              <b>To: </b>Ryan West <a class="moz-txt-link-rfc2396E" href="mailto:rwest@zyedge.com">&lt;rwest@zyedge.com&gt;</a>, Weylin
              Piegorsch <a class="moz-txt-link-rfc2396E" href="mailto:weylin@bu.edu">&lt;weylin@bu.edu&gt;</a>, Dan Anderson
              <a class="moz-txt-link-rfc2396E" href="mailto:dan.w.anderson@gmail.com">&lt;dan.w.anderson@gmail.com&gt;</a>,
              <a class="moz-txt-link-rfc2396E" href="mailto:rancid-discuss@shrubbery.net">"rancid-discuss@shrubbery.net"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:rancid-discuss@shrubbery.net">&lt;rancid-discuss@shrubbery.net&gt;</a><br>
              <b>Subject: </b>Re: [rancid] ASA Config for Rancid</span><o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in">Zenoss
            is a tool that has RANCiD integration/plugin connectivity.<br>
            <br>
            <br>
            <o:p></o:p></p>
          <div>
            <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
            <table class="MsoNormalTable"
              style="margin-left:1.0in;background:white;border-collapse:collapse"
              cellspacing="0" cellpadding="0" border="0">
              <tbody>
                <tr>
                  <td style="padding:0in 0in 0in 0in" valign="top">
                    <table class="MsoNormalTable"
                      style="border-collapse:collapse" cellspacing="0"
                      cellpadding="0" border="0">
                      <tbody>
                        <tr>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">Chris Gauthier</span></b><o:p></o:p></p>
                          </td>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">  </span><o:p></o:p></p>
                          </td>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">Senior Network Engineer</span><o:p></o:p></p>
                          </td>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E"> | </span><o:p></o:p></p>
                          </td>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">comScore, Inc.</span><o:p></o:p></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                </tr>
                <tr>
                  <td style="padding:0in 0in 0in 0in" valign="top">
                    <table class="MsoNormalTable"
                      style="border-collapse:collapse" cellspacing="0"
                      cellpadding="0" border="0">
                      <tbody>
                        <tr>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <table class="MsoNormalTable"
                              style="border-collapse:collapse"
                              cellspacing="0" cellpadding="0" border="0">
                              <tbody>
                                <tr>
                                  <td style="padding:0in 0in 0in 0in"
                                    valign="top">
                                    <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">o +1 </span><o:p></o:p></p>
                                  </td>
                                  <td style="padding:0in 0in 0in 0in"
                                    valign="top">
                                    <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E"><a
                                          href="tel:503-331-2704"
                                          target="_blank"
                                          id="LPlnk689713"
                                          moz-do-not-send="true"><strong><span
style="font-family:"Arial",sans-serif;color:#26446E;font-weight:normal;text-decoration:none">503-331-2704</span></strong></a></span><o:p></o:p></p>
                                  </td>
                                  <td style="padding:0in 0in 0in 0in"
                                    valign="top">
                                    <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">  </span><o:p></o:p></p>
                                  </td>
                                  <td style="padding:0in 0in 0in 0in"
                                    valign="top">
                                    <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E"><a
href="mailto:cgauthier@comscore.com" target="_blank" id="LPlnk689713"
                                          moz-do-not-send="true"><strong><span
style="font-family:"Arial",sans-serif;color:#26446E;font-weight:normal;text-decoration:none">cgauthier@comscore.com</span></strong></a></span><o:p></o:p></p>
                                  </td>
                                </tr>
                              </tbody>
                            </table>
                          </td>
                        </tr>
                        <tr>
                          <td style="padding:0in 0in 0in 0in"
                            valign="top">
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#26446E">317 SW Alder St, Suite 500 | Portland | OR 97204</span><o:p></o:p></p>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                </tr>
              </tbody>
            </table>
            <p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
          </div>
          <p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in">On
            9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West"
            &lt;rancid-discuss-bounces@shrubbery.net on behalf of
            rwest@zyedge.com&gt; wrote:<br>
            <br>
            On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William
            wrote:<br>
            > <br>
            > Thanks Ryan. We used to do exactly that, but it got to
            the point that ASAs<br>
            > were doing far more than merely firewall – to name a
            few:<br>
            > <br>
            > VPN<br>
            > ... well ok these are just ASAs<br>
            > <br>
            > Firewall<br>
            > PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I
            think there’s a<br>
            > CheckPoint somewhere we haven’t yet replaced<br>
            > <br>
            > NAT<br>
            > ASA, ASR1k, Catalyst6k, 7301, 3825<br>
            > <br>
            > Routing<br>
            > Oh let me count the ways....<br>
            > <br>
            > BGP Service Advertisement<br>
            > Nexus7k, ASR9k, ASR1k, 7301, ASA<br>
            > <br>
            > Since the devices performing a function are so varied,
            the naming standard<br>
            > cannot take model into account, merely function. It got
            to the point where I<br>
            > was essentially starting to list every ASA by specific
            name; after a few of<br>
            > these it became clear this approach wouldn’t scale.<br>
            > <br>
            > And to answer the other question – somewhere around
            20,000 devices;<br>
            > 11,000+ VoIP handsets, 6,000–7,000 access points, and
            3,000+ of everything<br>
            > else (though largely only that last are needed in
            rancid).<br>
            > <br>
            <br>
            Sounds like a fun problem to have. There are some open
            source NMS products out there that integrate with RANCID and
            can probably write out the file for you, otherwise you would
            need to modify how RANCID works and have it switch to the
            type of device after login with a show ver command or
            something similar. Let us know if you come up with anything
            though, I like the idea of having the device login decide
            the type, or at least a discovery mechanism for RANCID that
            would write out the proper lines to .cloginrc.<br>
            <br>
            -ryan<br>
            <br>
            _______________________________________________<br>
            Rancid-discuss mailing list<br>
            <a class="moz-txt-link-abbreviated" href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
            <a class="moz-txt-link-freetext" href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><o:p></o:p></p>
        </div>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <table>
        <tbody>
          <tr>
            <td style="padding-left: 20px" width="90%">Doug Hughes<br>
              Keystone NAP<br>
              Fairless Hills, PA<br>
              1.844.KEYBLOCK (539.2562)</td>
          </tr>
        </tbody>
      </table>
    </div>
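    <p>Added example (my own, not code from the thread, from rancid or from
    Cisco): a small Python probe that shows the distinction the three ASA steps
    above turn on, namely whether a denied telnet SYN comes back as an RST (an
    immediate "connection refused", which is what “service resetoutside”
    produces) or is silently discarded (the client waits for its own timeout,
    which on the ASAs above outlasted rancid's timer and killed the login before
    SSH was ever tried). It probes port 23 and then 22 the way a telnet-first
    login method would and reports whether the telnet result leaves rancid time
    to fall back to SSH. The RANCID_TIMEOUT and TELNET_CLIENT_TIMEOUT values, the
    check_device() helper and the loopback self-check are assumptions chosen for
    illustration, not rancid defaults or values from the thread.</p>

```python
"""Fast-fail vs. silent-drop probe for a telnet-first rancid login method.

Added example; not code from rancid, Cisco or the mailing-list thread.
Every timeout value below is an assumption for illustration.
"""
import socket
import time

TELNET_PORT = 23
SSH_PORT = 22

# Assumed deadlines (seconds). rancid's login timeout is configurable; these
# numbers only model the "telnet timeout longer than rancid's timeout" case
# described in the thread, they are not rancid defaults.
RANCID_TIMEOUT = 10.0
TELNET_CLIENT_TIMEOUT = 75.0


def probe_port(host, port, timeout):
    """Attempt one TCP connect and classify the outcome.

    Returns (outcome, elapsed_seconds) where outcome is one of:
      "open"   - handshake completed, the service is reachable
      "reset"  - peer answered with RST; the client fails within milliseconds
                 (the behaviour 'service resetoutside' gives a denied SYN)
      "silent" - nothing came back before the deadline (SYN silently dropped)
      "error"  - some other socket error (no route, bad name, ...)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", time.monotonic() - start
    except ConnectionRefusedError:
        return "reset", time.monotonic() - start
    except socket.timeout:
        return "silent", time.monotonic() - start
    except OSError:
        return "error", time.monotonic() - start


def fallback_budget(telnet_outcome, telnet_elapsed, rancid_timeout=RANCID_TIMEOUT):
    """Decide whether a telnet-first method leaves rancid time to try SSH.

    rancid's timer covers the whole login attempt, so the telnet leg must
    finish (fail or succeed) before it fires. An RST costs milliseconds; a
    silent drop costs the full client timeout and rancid gives up first.
    Returns (can_fall_back, seconds_left_for_ssh).
    """
    left = rancid_timeout - telnet_elapsed
    return (telnet_outcome != "silent" and left > 0), left


def simulate_silent_drop(client_timeout=TELNET_CLIENT_TIMEOUT,
                         rancid_timeout=RANCID_TIMEOUT):
    """Offline model of the failure mode from the thread: the SYN is dropped,
    so the telnet client only gives up after its own (longer) timeout."""
    return fallback_budget("silent", client_timeout, rancid_timeout)


def check_device(host, timeout=5.0):
    """Probe telnet then ssh in the order a 'method telnet ssh' login would
    try them, and report whether the telnet result leaves room for SSH.
    (Hypothetical helper; run it against a device you administer.)"""
    t_outcome, t_elapsed = probe_port(host, TELNET_PORT, timeout)
    can_fall_back, left = fallback_budget(t_outcome, t_elapsed)
    s_outcome, _ = probe_port(host, SSH_PORT, timeout)
    return {"telnet": t_outcome, "ssh": s_outcome,
            "can_fall_back": can_fall_back, "seconds_left": round(left, 3)}


def loopback_self_check():
    """Constructed check using only 127.0.0.1: a listening port classifies as
    'open'; once the listener is closed the kernel answers a new SYN with RST,
    so the same port classifies as 'reset', the fast-fail case the ASA needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_outcome, _ = probe_port("127.0.0.1", port, 2.0)
    srv.close()
    reset_outcome, reset_elapsed = probe_port("127.0.0.1", port, 2.0)
    can_fall_back, _ = fallback_budget(reset_outcome, reset_elapsed)
    return open_outcome, reset_outcome, can_fall_back


if __name__ == "__main__":
    print("loopback self-check:", loopback_self_check())
    print("modelled silent drop:", simulate_silent_drop())
```

    <p>The self-check needs no network beyond loopback. Against a real ASA,
    a "reset" on port 23 in a few milliseconds after step 1 above, where before
    there was a "silent" result that ran for the whole client timeout, is the
    observable sign that the RST is reaching the rancid host; a "silent" result
    that persists is consistent with the least-secure-interface case in step 3.</p>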
  </body>
</html>