Backup ASA config with PowerShell

During my years in the networking business one of my frustrations has been that it is very hard to back up the configuration of an ASA. There are some commercial products like Solarwinds that can accomplish this goal, but they cost money. An open source alternative like Rancid is also available, but it is pretty hard to configure.
Determined to find a solution I started searching the internet and came across some PowerShell scripts. I'm not a PowerShell specialist, but I do know how to put together the separate scripts. So to be clear, I did not invent the scripts, I just put them together.

So let’s take a look at the script:

Read-Host "Enter Password" -AsSecureString | ConvertFrom-SecureString | Out-File c:\<map>\cred01.txt
– I don't want to send the password of the ASA user in plain text over the network. So with the above line I make sure the password is stored encrypted. It is possible to convert the password back to plain text, but then you'll need access to the server. So it is not rock solid safe, but safer than sending the password in plain text over the internet. If you make sure that the user account only has minimal rights on the ASA, there is minimal chance of getting unwanted guests on your ASA. The line converts the plain password to an encrypted password and writes it to a .txt file.

$ASApw = Get-Content "c:\<map>\cred01.txt" | ConvertTo-SecureString #-AsPlainText #-Force
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ASApw)
$ASApw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
– The above three lines are needed to convert the encrypted password from the credentials file back to plain text. This is needed because the ASA is unable to read an encrypted password.

$ASAIP = "<ip address>"
$ASAUser = "<username>"
$ASAEnablepw = $ASApw

#Modifies the ASA firewall
#Starts by writing a "commands" file#
echo en >>unicode.txt
echo $ASAEnablepw >>unicode.txt
echo "conf t" >>unicode.txt
echo "no pager" >>unicode.txt
echo "show run" >>unicode.txt
echo "pager 24" >>unicode.txt
echo "copy running-config startup-config" >>unicode.txt
echo "running-config" >>unicode.txt
echo exit >>unicode.txt
echo exit >>unicode.txt

#Converts the file to ASCII format (separate file)#
$lines = gc "unicode.txt"
$lines | out-file -encoding Ascii -filepath commands.txt
– The above lines write the actual ASA commands to the commands.txt file.

#Using the command file and plink.exe connects and runs the commands#
c:/Windows/System32/plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt > "c:\<map>\ASA.txt"
– To make things work you need to download the Plink tool. It is the command line version of PuTTY and can be downloaded for free. I put the tool in the c:\windows\system32 folder, but you can place it anywhere you want. This line writes the configuration of the ASA to a .txt file.

#removes the files it created earlier#
del unicode.txt
del commands.txt

As you can see it's actually a pretty easy script and above all it's free.
To make a daily backup, create a task through "Task Scheduler".
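The script above leaves the decrypted password on disk in unicode.txt and commands.txt until the del lines run, and plink will accept whatever host key the remote side presents. The following is an added example, not the original post's script, that keeps the same plink approach but stores the credential with Export-Clixml (DPAPI, bound to this user and machine), pins the ASA host key, and removes the temporary command file even when plink fails. The plink path, <map>, <ip address> and the host-key fingerprint are placeholders; the -pw argument is still visible in the process list, which plink -m gives no way around.

```powershell
# Added example (not the original post's script): hardened variant of the ASA backup.
# Assumptions: plink.exe in System32, the <map> folder exists, and the ASA's host key
# fingerprint was read from a trusted first connection and pasted into $HostKey.
$Plink    = 'C:\Windows\System32\plink.exe'
$ASAIP    = '<ip address>'
$CredFile = 'C:\<map>\asa-cred.xml'
$OutFile  = 'C:\<map>\ASA-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date)
# Pinned host key: with -batch, plink aborts instead of prompting when the key differs.
$HostKey  = 'SHA256:<fingerprint of the ASA host key>'

# One-time step: store the credential encrypted for this Windows user and machine.
if (-not (Test-Path $CredFile)) {
    Get-Credential -Message 'ASA backup user' | Export-Clixml -Path $CredFile
}
$Cred = Import-Clixml -Path $CredFile

# Decrypt only for this run and free the unmanaged BSTR copy right away.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Cred.Password)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Command file in %TEMP% with a random name; it is deleted in the finally block.
$CmdFile = Join-Path $env:TEMP ("asa-{0}.txt" -f [guid]::NewGuid())
try {
    # 'en' reads the enable password from the next line. Like the original script,
    # the login password is reused as enable password. 'terminal pager 0' disables
    # paging for this session only, so no 'conf t' is needed for a read-only backup.
    @('en', $Plain, 'terminal pager 0', 'show running-config', 'exit') |
        Out-File -FilePath $CmdFile -Encoding ascii

    & $Plink -ssh -batch -hostkey $HostKey -l $Cred.UserName -pw $Plain $ASAIP -m $CmdFile |
        Out-File -FilePath $OutFile -Encoding ascii
    if ($LASTEXITCODE -ne 0) { throw "plink exited with code $LASTEXITCODE" }
} finally {
    Remove-Item -Path $CmdFile -Force -ErrorAction SilentlyContinue
    # .NET strings are immutable; dropping the reference is the best PowerShell can do.
    $Plain = $null
}
```

Run it once interactively to create asa-cred.xml, then schedule it under the same Windows account, because DPAPI will not decrypt the file for any other user.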


Howto Install Cacti on Ubuntu

Recently I wrote a blog post about Smokeping. Although Smokeping is good at what it does, I needed some more features than Smokeping offers.
The customer for whom I am setting up this monitoring needs more information, like CPU usage history or memory history. After some research I came across Cacti. Cacti is an open source solution with many possibilities, like latency polling, CPU usage, memory usage and bandwidth usage. Cacti can do a lot more, but for this customer the above things are the key features.
Cacti is available for Windows and Linux. For this kind of tool I always use Linux, because 9 out of 10 times the tools work on Linux "out of the box" and the Windows versions need a lot of tweaking and tuning.
Installing Cacti on Ubuntu:
  • First update your machine –> sudo apt-get update (If you are behind a proxy server use the following command: http_proxy=http://<ip address>:<port> apt-get update )
  • Install Cacti –> sudo apt-get install cacti
  • During the install you have to enter some passwords etc.; just follow the installation and everything will be fine
  • After installing, give the following CLI command: rrdtool create datafile.rrd DS:mysource:ABSOLUTE:900:0:10000000 RRA:AVERAGE:0.5:1:9600 RRA:AVERAGE:0.5:4:9600 RRA:AVERAGE:0.5:24:6000
  • Now open a browser with: http://<ip address>/cacti, follow the instructions and the installation is done
  • To actually monitor a device follow the next steps:
  • Click Console–>Devices–>Add and fill in the device as shown in the screenshot (image not reproduced here)
  • Click Create
  • When the screen reloads some new options are available, "Associated Graph Templates" and "Associated Data Queries"; these are options to monitor several different types of devices.
  • To monitor the CPU load and latency add "Cisco – CPU Usage" and "Unix – Ping Latency" to "Associated Graph Templates"
  • To monitor interface bandwidth add "SNMP – Interface Statistics" to "Associated Data Queries"
  • Click Save
  • Click Devices again, check the box, choose "Place on a tree" and click Go
To create the actual graph follow the next steps:
  • Click New Graphs
  • Check the checkboxes of the interfaces/processes you want to monitor and click Create
  • Wait for five minutes and click Graphs

Now you can see the graphs, but they are not filled... Damn!
This can be resolved by following the next steps:

  • Open the ping.pl script: sudo nano /usr/share/cacti/site/scripts/ping.pl, the output will look like this:

#!/usr/bin/perl
# take care for tcp:hostname or TCP:ip@
$host = $ARGV[0];
$host =~ s/tcp:/$1/gis;
open(PROCESS, "ping -c 1 $host | grep icmp_seq | grep time |");
$ping = <PROCESS>;
close(PROCESS);
$ping =~ m/(.*time=)(.*) (ms|usec)/;
if ($2 == "") {
print "U";  # avoid cacti errors, but do not fake rrdtool stats
}elsif ($3 eq "usec") {
print $2/1000; # re-calculate in units of "ms"
}else{
print $2;
}

  • Change "icmp_seq" into "icmp_req", save the file and restart the server

Wait for a couple of minutes and you’ll see that the graphs are getting filled!

Good old Kron

Nowadays there are several ways to back up a Cisco router or switch configuration. Solarwinds is one of these tools, and one I use very often myself.
Still there are customers who don't own one of these programs or don't want to invest in such a solution.
But even when a customer won't invest in such a solution it is possible to back up your router and switch configurations: Cisco has good old "Kron".
Kron works the same way as cron on a Linux distribution. With Kron it is possible to create one or more scheduled events.
Below a how-to:

First of all you want the startup-config to be the same as the running-config, so first create a job that writes the running-config to the startup-config:

!
kron occurrence <occurrence name> at <hh:mm> recurring
policy-list <policy name>
!
kron policy-list <policy name>
cli write
!

Now that the startup-config and running-config are the same you can back up the startup-config to a TFTP server:

!
kron occurrence <occurrence name> at <hh:mm> recurring
policy-list <policy name>
!
kron policy-list <policy name>
cli show startup-config | redirect tftp://<tftp server ip>/<filename>
!

With Kron it is possible to automatically write the output of several different commands to a TFTP server.

Install and configure Tacacs.net

A customer asked me for a central management point for switch and router logins. They also want the option of accounting these logins.

The first option that comes to mind is Cisco ACS, but that would have been too easy. The customer told me it had to be a cost-efficient solution.
After searching the internet I came across Tacacs.net, and after reading the configuration guide I came to the conclusion that this piece of software had all the features the customer was asking for. Tacacs.net is able to perform authentication, authorization and accounting. Tacacs.net also has the ability to use a Microsoft Active Directory for user credentials.
Tacacs.net is fully built on XML, so configuring it is not that difficult. Although there is a configuration guide available, there are some tricky parts.
So below a walkthrough for configuring Tacacs.net:
  • First download the Tacacs.net zip file from http://www.tacacs.net
  • Tacacs.net can be installed on all Windows platforms starting at Windows 2000 Server; for this customer I chose Windows 2008 R2.
  • Follow the instructions; for most customers the standard installation is sufficient. While installing, Tacacs.net asks for a TACACS key. Choose a random string of numbers and/or letters and write it down somewhere. This key is needed when configuring the network equipment.
  • After installing, check whether the tacacs.net service is running: start–>run–>services.msc
  • After checking this the real configuration can start
  • First check the tacplus.xml file. Change the IP address from 127.0.0.1 to the local IP address. This is not really necessary if there is only one network interface, but it is always recommended to configure it manually.
  • Now open authentication.xml. The customer wants to connect Tacacs.net to their Active Directory. Make sure the section under "Active Directory configuration" looks like the configuration below:

<UserGroup>
  <Name>Network Operations</Name>
  <AuthenticationType>Windows_Domain</AuthenticationType>
  <LDAPServer>{ip address of DC}:389</LDAPServer>
  <LDAPUserDirectorySubtree>OU=<group>,OU=<group>,OU=<group>,OU=<group>,DC=<domain>,DC=<domain></LDAPUserDirectorySubtree>
  <LDAPGroupName>{AD group name with tacacs users}</LDAPGroupName>
  <LDAPAccessUserName>{user with domain admin rights}</LDAPAccessUserName>
  <LDAPAccessUserPassword ClearText="{password in clear text}" DES="{password in DES format}"></LDAPAccessUserPassword>
</UserGroup>

  • To make this configuration work you need to configure a DES format password. This is just the clear text password in encrypted form. The DES password can be created by starting TACDES, which is part of the default Tacacs.net installation. Start it by clicking start–>program files–>tacacs.net–>tacdes.
  • Type at the command prompt "tacdes <cleartext password>" and copy the output into the DES attribute of the above configuration.
  • Now save and close the authentication.xml file.
Open clients.xml and make sure the configuration looks like below:

<ClientGroup Name="INTERNAL">
  <Secret ClearText="{tacacs password in cleartext}" DES="{tacacs password in DES format}"></Secret>
  <Clients>
    <Client>{ip address or subnet}</Client>
  </Clients>
</ClientGroup>

Now the basic configuration of the TACACS server is done; it is fully functional after restarting the tacacs.net service and configuring the switches or routers.
The tacacs.net service can be stopped and started again with the following commands:
start–>run–>cmd–>net stop tacacs.net and net start tacacs.net
On the switch, router or firewall the following lines have to be configured. Before you configure this, make sure you configure a local user and password in case the TACACS server fails. If the TACACS server fails the switch can still be reached with the local credentials (that is what the "local" keyword on the login line is for).
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host <ip address tacacs server>
tacacs-server key 0 <tacacs password>
!
To check the accounting, log in to the tacacs.net server, go to C:\ProgramData\TACACS.net\Logs and open accounting.txt.
The output will look something like below:

<102> 2012-12-05 14:36:02 [<ip address>:28691] 12/05/2012 14:36:02 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:14 [<ip address>:22679] 12/05/2012 14:36:14 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=37 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>
<102> 2012-12-05 14:36:17 [<ip address>:64422] 12/05/2012 14:36:17 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>
<102> 2012-12-05 14:36:36 [<ip address>:58260] 12/05/2012 14:36:36 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:41 [<ip address>:33050] 12/05/2012 14:36:41 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=40 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 3 default start-stop group tacacs+ <cr>
<102> 2012-12-05 14:36:42 [<ip address>:38303] 12/05/2012 14:36:42 NAS_IP=<ip address> Port=tty1 rem_addr=<ip address> User=<user> Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>
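Reading accounting.txt by hand gets old quickly. The following added example, not part of the original post, parses records in the layout shown above and lists who changed configuration on which device, i.e. every command accepted at priv-lvl 15 that is not a "show" command. The sample records are constructed (addresses and user name are made up); the log path is the one named above.

```powershell
# Added example (not the original post's code): summarise Tacacs.net accounting records.
$LogPath = 'C:\ProgramData\TACACS.net\Logs\accounting.txt'

# One record: <prio> timestamp [client:port] ... NAS_IP=<device> ... User=<user> ...
# priv-lvl=<n> cmd=<command> <cr>. Only the fields used for the report are captured.
$Pattern = '^<\d+> (?<ts>\S+ \S+) .*NAS_IP=(?<nas>\S+) .*User=(?<user>\S+) .*priv-lvl=(?<priv>\d+) cmd=(?<cmd>.*?) <cr>'

function ConvertFrom-TacacsAccounting {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $Pattern) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', $null)
                Device  = $Matches.nas
                User    = $Matches.user
                PrivLvl = [int]$Matches.priv
                Command = $Matches.cmd
            }
        }
    }
}

# Configuration changes: privilege-15 commands that are not read-only 'show' commands.
function Get-ConfigChanges {
    param([string[]]$Lines)
    ConvertFrom-TacacsAccounting $Lines |
        Where-Object { $_.PrivLvl -eq 15 -and $_.Command -notmatch '^show ' } |
        Sort-Object Time
}

# Constructed sample records in the same layout as the accounting.txt excerpt above.
$Sample = @(
    '<102> 2012-12-05 14:36:02 [10.0.0.5:28691] 12/05/2012 14:36:02 NAS_IP=10.0.0.5 Port=tty1 rem_addr=10.0.0.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=36 timezone=CET service=shell priv-lvl=15 cmd=show running-config <cr>',
    '<102> 2012-12-05 14:36:17 [10.0.0.5:64422] 12/05/2012 14:36:17 NAS_IP=10.0.0.5 Port=tty1 rem_addr=10.0.0.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=38 timezone=CET service=shell priv-lvl=15 cmd=configure terminal <cr>',
    '<102> 2012-12-05 14:36:36 [10.0.0.5:58260] 12/05/2012 14:36:36 NAS_IP=10.0.0.5 Port=tty1 rem_addr=10.0.0.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=39 timezone=CET service=shell priv-lvl=15 cmd=aaa accounting commands 0 default start-stop group tacacs+ <cr>',
    '<102> 2012-12-05 14:36:42 [10.0.0.5:38303] 12/05/2012 14:36:42 NAS_IP=10.0.0.5 Port=tty1 rem_addr=10.0.0.50 User=alice Flags=TAC_PLUS_ACCT_FLAG_STOP task_id=41 timezone=CET service=shell priv-lvl=0 cmd=end <cr>'
)

# Use the real log when it exists, otherwise the constructed sample.
$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $Sample }
Get-ConfigChanges $Lines | Format-Table Time, Device, User, Command -AutoSize
```

With the sample input the report shows only "configure terminal" and the "aaa accounting" line; the "show running-config" and the priv-lvl 0 "end" records are filtered out.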

Repair sudoers file on Ubuntu 12.04 LTS

Not really a network blog post, but during the installation of Smokeping I somehow managed to damage my sudoers file. As a result I was not able to log in to my Ubuntu machine. Because of the lack of a snapshot (the Ubuntu machine is a virtual machine), I could not just jump back in time and start over. I almost started installing the machine all over again, but then I found the solution using Google.

Here are the steps to repair the sudoers file on Ubuntu Linux:
  • Restart your machine and boot it in "recovery mode"
  • Choose to log in as "root"
  • The file system is mounted read-only; to remount it read-write use the following command: "mount -o rw,remount /"
  • Now copy the sudoers file to a backup file: "cp /etc/sudoers /etc/sudoers.backup"
  • Create a new sudoers file: "nano /etc/sudoers" and copy the following into the file:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

  • Now save and close the file using "ctrl + X" and restart the machine with "shutdown -r now" (you are root in recovery mode, so sudo is not needed)

Install and configure Smokeping on Ubuntu 12.04 LTS

Currently I'm designing a network for a customer. To ground my design I also need some network statistics, like bandwidth usage and latency, from the current network.

Despite some big paid network monitoring packages being around, I had to install some free open source monitoring packages to get the statistics I needed.
For latency monitoring I chose "Smokeping", based on RRDtool and written by Tobi Oetiker & Niko Tyni.
The installation and configuration was pretty straightforward on Linux. I also tried installing it on Windows (the customer is primarily focused on Windows), but after several hours of troubleshooting I gave up and switched to Ubuntu Linux.
Even though the installation was easy, I wrote a blog post about it for my own future reference, and maybe it is useful for others too.
  • First install a Linux distribution, I used Ubuntu
  • For ease of installation, use the "sudo su" command
  • Install the following packages: "aptitude install smokeping curl libauthen-radius-perl libnet-ldap-perl libnet-dns-perl libio-socket-ssl-perl libnet-telnet-perl libsocket6-perl libio-socket-inet6-perl apache2"
  • The Smokeping configuration files can be found in "/etc/smokeping/config.d"
  • Before use you need to make some configuration changes:

"nano /etc/smokeping/config.d/General"

*** General ***

@include /etc/smokeping/config.d/pathnames

# Please edit this to suit your installation
owner = <name>
contact = email@email.com
cgiurl = http://<your ip or dns name>/cgi-bin/smokeping.cgi
mailhost = smtp.email.com
syslogfacility = local0
concurrentprobes = no

Make sure that mailhost contains the primary MX for your email domain.

"nano /etc/smokeping/config.d/Alerts"

*** Alerts ***
to = me@email.com
from = smokeping@email.com
"nano /etc/smokeping/config.d/Targets"

remark = Welcome to the SmokePing website of 'Example Company'

<output omitted>

+ Local

menu = Local
title = Local Network

++ LocalMachine

menu = Local Machine
title = This host
host = localhost

Save your changes by using "ctrl + X"

Now restart the smokeping service:

"/etc/init.d/smokeping restart"
You can reach Smokeping at "http://<ip or dns>/cgi-bin/smokeping.cgi" and the output will look like this: