PIX/ASA: Backup and Restore the Security Appliance Configuration Files Using TFTP Server

Document ID: 70771

Updated: Sep 26, 2008

Introduction

This document describes how to back up and restore the configuration and image files of Security Appliance versions 6.x and 7.x. It provides the basic steps you use in order to copy these files between a TFTP server and a PIX/ASA.

Note: Refer to TFTP Server Selection and Use in order to select the TFTP server.

Prerequisites

Requirements

Before you use the information in this document, make sure that you have a TFTP server on the network to which you have IP connectivity. Use the ping command to verify connectivity. Keep in mind that TFTP has no authentication and no encryption: the configuration, including password hashes, SNMP community strings and any pre-shared keys it contains, crosses the network readable to anyone on the path, and a writable TFTP directory lets anyone on that network replace the backup you later restore from. Reach the server over a trusted management interface (the appliance warns when you use a low-security interface) and restrict read and write access to the backup directory.

Components Used

This document is not restricted to specific software and hardware versions.

Related Products

The Cisco PIX 500 Series Security Appliance Software version 7.x configuration can also be used with Cisco ASA Series Security Appliance Software version 7.x.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Backup and Restore the Configuration

This section describes the procedures used to back up and restore PIX 6.x and 7.x configurations.

Use the tftp-server, config net, and write net Commands to Backup and Restore a Configuration in PIX 6.x or 7.x

The write net, config net, and tftp-server commands enable you to backup and restore the PIX configuration for versions 6.x and 7.x.

Note: These commands and this procedure are supported in both PIX 6.x and 7.x versions. The tftp-server command is entered in global configuration mode; configure net and write net are privileged EXEC commands that can also be entered from global configuration mode, as the examples in this section show.

  1. Issue the tftp-server command in order to simplify entering the configure net and write net commands.

    When you issue these commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value. The PIX Security Appliance supports only one tftp-server command.

    tftp-server [if_name] {ip_address|hostname} path
    
  2. Specify the default TFTP server, path and filename to use with the configure net or write net commands.

    These commands are used in global configuration mode. Issue the no form of these commands in order to remove the server configuration. This command supports IPv4 and IPv6 addresses.

    Note: The command syntax slightly varies for PIX 6.x and 7.x. In PIX 6.x, [if_name] is an optional parameter that represents the interface name on which the TFTP server resides. If not specified, an internal interface is assumed. If you specify the outside interface, a warning message informs you that the outside interface is not secure. However, in PIX 7.x , [if_name] is a mandatory parameter which specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is not secure.

    The path name you specify in the tftp-server command is added to the end of the IP address you specify in the configure net and write net commands. The more you specify of a file and path name with the tftp-server command, the less you need to specify with the configure net and write net commands. If you specify the full path and filename in the tftp-server command, the IP address in the configure net and write net commands can be represented with a colon.

    This example specifies a TFTP server, then reads the configuration from /pixfirewall/config/test_config:

    tftp-server inside 10.1.1.42 /pixfirewall/config/test_config
    
    configure net :
  3. Issue the configure net command in order to merge the current running configuration with a TFTP configuration stored at the IP address you specify, and from the file you name.

    The argument takes the form server_ip:filename. If you specify both the IP address and path name in the tftp-server command, a colon alone is enough; otherwise, supply the half that tftp-server does not provide.

    configure net :

    This example sets the server and filename in the tftp-server command, and then overrides the server with the configure net command. The same filename is used.

    hostname(config)#tftp-server inside 10.1.1.1 configs/config1
    
    hostname(config)#configure net 10.2.2.2:
    

    This example sets the server only in the tftp-server command. The configure net command specifies only the filename.

    hostname(config)#tftp-server inside 10.1.1.1
    
    hostname(config)#configure net :configs/config1
    

    A merge adds all commands from the new configuration to the running configuration, and overwrites any commands that conflict with the new versions. For example, if a command allows multiple instances, the new commands are added to the commands that exist in the running configuration. If a command allows only one instance, the new command overwrites the command in the running configuration. A merge never removes commands that exist in the running configuration, but are not set in the new configuration.

    This command is equivalent to the copy tftp running-config command. In multiple context mode on PIX 7.x, copy tftp running-config is only available in the system execution space, so configure net is the alternative to use from within a context.

  4. Issue the write net command in order to store the running configuration in the TFTP server.

    The write net command is equivalent to the copy running-config tftp command.

    write net :

    The running configuration is the configuration that currently runs in memory. This includes any changes you made at the command line. In multiple context mode, this command saves only the current configuration. You cannot save all contexts with a single command. This command must be entered separately for the system and for each context.

    The write net command uses the context interfaces to write a configuration to a TFTP server. However, the write memory command uses the admin context interfaces in order to save to the startup configuration because the system uses the admin context interfaces to access context startup configurations.

    This example sets the TFTP server and filename in the tftp-server command.

    hostname#tftp-server inside 10.1.1.1 /configs/contextbackup.cfg
    
    hostname#write net
    

    This example sets the server and filename in the write net command. The tftp-server command is not populated.

    hostname#write net 10.1.1.1:/configs/contextbackup.cfg
    

    Note: If a PIX Firewall configuration already exists on a TFTP server and you store a shorter version of it under the same filename, you might notice extra text after the first :end marker. Some TFTP servers overwrite from the start of the file without truncating it, which leaves part of the original configuration after the first :end marker. This does not affect the PIX Firewall, because configure net stops reading when it reaches the first :end marker, but the leftover text can cause confusion when you view the file.
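The two behaviours just described, the stop at the first :end marker and the merge into the running configuration, modelled in Python. This is an added example, not Cisco code or output from an appliance; the configuration lines are constructed, and the set of commands the model treats as single-instance is an assumption rather than the appliance's grammar. The practical point it makes: restoring a backup with configure net or copy tftp running-config never removes commands that were added after the backup was taken (here a permit ip any any entry), so restoring a known-good state cleanly means copying the backup to startup-config and reloading rather than merging it into running-config.

```python
# Added example, not Cisco code: a model of how 'configure net' /
# 'copy tftp running-config' reads and merges a backup. The single-instance
# command list is an assumption of the model, not the appliance's grammar.

# Assumption: commands the configuration holds only once (a new one overwrites).
SINGLE_INSTANCE = ("hostname", "domain-name", "tftp-server", "enable password")

# Constructed running configuration; the last line was added after the backup.
RUNNING = [
    "hostname pixfirewall",
    "tftp-server inside 10.1.1.42 /pixfirewall/config/test_config",
    "access-list outside_in extended permit tcp any host 10.1.1.10 eq 443",
    "access-list outside_in extended permit ip any any",
]

# Constructed backup file as an in-place-overwriting TFTP server might leave it:
# a shorter, newer configuration followed by leftovers of the older, longer one.
BACKUP_FILE = """hostname pix-dc1
tftp-server inside 10.1.1.42 /pixfirewall/config/test_config
access-list outside_in extended permit tcp any host 10.1.1.10 eq 443
access-list outside_in extended permit tcp any host 10.1.1.11 eq 22
: end
access-list outside_in extended permit ip any any
: end
"""


def read_until_end(raw):
    """Command lines before the first ': end' marker; comments are skipped."""
    cmds = []
    for line in raw.splitlines():
        line = line.strip()
        if line in (": end", ":end"):
            break
        if line and not line.startswith((":", "!")):
            cmds.append(line)
    return cmds


def _single_key(cmd):
    """The single-instance command 'cmd' is an instance of, or None."""
    for key in SINGLE_INSTANCE:
        if cmd == key or cmd.startswith(key + " "):
            return key
    return None


def merge(running, new_cmds):
    """Merge as the page describes: add, overwrite single-instance, never remove."""
    merged = list(running)
    for cmd in new_cmds:
        key = _single_key(cmd)
        if key is None:
            if cmd not in merged:
                merged.append(cmd)
            continue
        for i, existing in enumerate(merged):
            if _single_key(existing) == key:
                merged[i] = cmd
                break
        else:
            merged.append(cmd)
    return merged


def restore_into_running(running=RUNNING, backup=BACKUP_FILE):
    """Load a backup the way configure net would and report what survived."""
    new_cmds = read_until_end(backup)
    merged = merge(running, new_cmds)
    left_behind = [c for c in running if c in merged and c not in new_cmds]
    return {"loaded": new_cmds, "merged": merged, "left_behind": left_behind}


if __name__ == "__main__":
    result = restore_into_running()
    for cmd in result["merged"]:
        print(cmd)
    print("not removed by the merge:", result["left_behind"])
```

Running it prints the merged configuration with the new hostname, both access-list entries from the backup, and the permit ip any any line still present; the text after the first : end marker never reaches the merge.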

Use the copy Command to Backup and Restore a PIX 6.x Image

The copy tftp flash command enables you to download a software image into the Flash memory of the firewall via TFTP. You can use the copy tftp flash command with any PIX Firewall model that runs version 5.1 or later. The image you download is made available to the PIX Firewall on the next reload (reboot).

This is the syntax of the copy tftp flash command:

copy tftp[:[[//location] [/tftp_pathname]]] flash[:[image | pdm]]

If the command is used without the optional location and pathname parameters, the location and filename are obtained interactively through a series of questions similar to those presented by Cisco IOS® software. If you enter only a colon, the parameters are taken from the tftp-server command settings. If other optional parameters are supplied, those values are used in place of the corresponding tftp-server command setting. If any optional parameter is supplied (a colon and anything after it), the command runs without a prompt for user input.

The location is either an IP address or a name that resolves to an IP address through the PIX Firewall name resolution mechanism, which is currently the static mappings created with the name and names commands. The PIX Firewall must know how to reach this location from its routing table, which is populated by the ip address, route, or RIP commands, depending on your configuration.

The pathname can include any directory names in addition to the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server configuration instead of in the copy tftp flash command. If your TFTP server is configured to point to the directory on the system from which you download the image, you only need to use the IP address of the system and the image filename. The TFTP server receives the request, determines the actual file location from its root directory information, and sends the image to the PIX Firewall.

This is the procedure to copy an image file from a TFTP server to a PIX, and back to a TFTP server.

  1. Issue the copy tftp flash command in order to copy the PIX image from the TFTP server to PIX Flash.

    This example causes the PIX Firewall to prompt you for the filename and location before you start the TFTP download.

    pix#copy tftp flash
    Address or name of remote host [127.0.0.1]? 10.1.1.5
    Source file name [cdisk]? pix512.bin
    copying tftp://10.1.1.5/pix512.bin to flash
    
    
    !!
    1030 bytes copied in 2.489 secs (395 bytes/sec)
    pix#
  2. Issue the copy flash tftp command in order to copy the PIX image from Flash to the TFTP server:

    pix#copy flash tftp
    Address or name of remote host []? 10.0.0.1
    Source filename []? pix512.bin
    Destination filename [pix512.bin]?
    Accessing tftp://10.0.0.1/pix512.bin...
    !!!!
    
    1030 bytes copied in 9.612 secs (107 bytes/sec)
    pix#
  3. Issue the tftp-server command in order to set the filename and location, save the configuration to memory, and then download the image to Flash memory.

    This example takes the information from the tftp-server command. In this case, the TFTP server is in an intranet and resides on the outside interface.

    pixfirewall(config)#tftp-server outside 10.1.1.5 pix512.bin
    
    Warning: 'outside' interface has a low security level (0).

    This example shows the usage of tftp: in the copy command. The PIX directly copies the image from TFTP to Flash without intervention.

    pixfirewall(config)#copy tftp: flash 
    
    copying tftp://10.1.1.5/pix512.bin to flash
    
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...
  4. Use a host name defined with the name command in place of the IP address in the copy commands.

    This example maps an IP address to the TFTP host name with the name command.

    name 10.1.1.6 tftp-host
    
    copy tftp://tftp-host/pix512.bin flash
    
    copy tftp://tftp-host/tftpboot/pix512.bin flash

Use the copy Command to Backup and Restore a Configuration on PIX/ASA 7.x /8.x

These methods back up and restore your configuration on a PIX/ASA 7.x/8.x:

Use the copy Command to Backup and Restore the PIX Configuration and Image

The copy command enables you to copy a file from one location to another.

copy [/noconfirm | /pcap] {url | running-config | startup-config}
 {running-config | startup-config | url}

Note: Use the copy command procedure in steps 1 and 2 of the Use the copy Command to Backup and Restore a PIX 6.x Image section in order to back up and restore the PIX image with the TFTP server. The use of the copy command differs slightly between versions 6.x and 7.x/8.x. In version 6.x, if you issue tftp: with the copy command, such as copy tftp: flash, the PIX uses the stored TFTP server information, such as the path and filename. In version 7.x/8.x, the PIX prompts you with a set of questions even if you specify tftp: with the copy command and the TFTP server information is configured.

This is the procedure to copy a configuration from a PIX to a TFTP server, and back to PIX.

  1. Copy the PIX running configuration to the TFTP server:

    pix#copy running-config tftp
    Address or name of remote host []? 10.0.0.1
    Destination filename [pix-confg]? backup_cfg_for_pix
    !!
    1030 bytes copied in 2.489 secs (395 bytes/sec)
    pix#
  2. Copy the configuration file from the TFTP server to the same PIX, or to another PIX that has only a basic configuration, in privileged (enable) mode. This copies into the running configuration, which merges rather than replaces (see the note on merges in the next section):

    pix#copy tftp running-config
    Address or name of remote host []? 10.0.0.1
    Source filename []? backup_cfg_for_pix
    Destination filename [running-config]?
    Accessing tftp://10.0.0.1/backup_cfg_for_pix...
    Loading backup_cfg_for_pix from 10.0.0.1 (via Ethernet0): !
    [OK - 1030 bytes]
    
    1030 bytes copied in 9.612 secs (107 bytes/sec)
    pix#
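What the copy, write net and configure net procedures above put on the wire is plain TFTP (RFC 1350). The following added example, not Cisco code, runs a minimal TFTP server and client in-process over UDP loopback so the exchange can be seen without an appliance: the client writes a constructed configuration with a WRQ followed by DATA blocks that the server acknowledges one at a time (the write net / copy running-config tftp side), then reads it back with an RRQ (the configure net / copy tftp running-config side). The server keeps every datagram it received, which is exactly what a sniffer between the appliance and the TFTP server would capture: the configuration in cleartext, with no authentication of either side. Retransmission and ERROR packets are omitted, and the file name is an assumption.

```python
import socket
import struct
import threading

# Minimal RFC 1350 client and server (added example, not Cisco code).
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
BLOCK, HOST = 512, "127.0.0.1"

# Constructed sample configuration, long enough to span several data blocks.
SAMPLE_CONFIG = b"".join(
    b"access-list outside_in extended permit tcp any host 10.1.1.%d eq 443\n" % i
    for i in range(40)) + b": end\n"

def _rq(opcode, filename):   # RRQ/WRQ: opcode, filename, NUL, mode, NUL
    return struct.pack("!H", opcode) + filename.encode() + b"\0octet\0"

def _hdr(opcode, block, payload=b""):   # DATA and ACK: opcode, block number
    return struct.pack("!HH", opcode, block) + payload

def _chunks(data):   # (block, chunk) pairs; a chunk shorter than BLOCK ends the file
    for block, off in enumerate(range(0, len(data) + 1, BLOCK), 1):
        yield block, data[off:off + BLOCK]

def _udp():
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    return sock

class TftpServer(threading.Thread):
    """In-memory server: one WRQ then one RRQ; keeps every datagram it received."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = _udp()
        self.sock.bind((HOST, 0))
        self.port = self.sock.getsockname()[1]
        self.files, self.wire = {}, []   # wire: what a sniffer on the path sees

    def run(self):
        for _ in range(2):
            pkt, peer = self.sock.recvfrom(BLOCK + 4)
            self.wire.append(pkt)
            opcode = struct.unpack("!H", pkt[:2])[0]
            name = pkt[2:].split(b"\0")[0].decode()
            with _udp() as conn:         # replies come from a fresh TID (port)
                if opcode == WRQ:        # the appliance is doing 'write net'
                    conn.sendto(_hdr(ACK, 0), peer)
                    data, expect = b"", 1
                    while True:
                        pkt, peer = conn.recvfrom(BLOCK + 4)
                        self.wire.append(pkt)
                        if struct.unpack("!HH", pkt[:4]) != (DATA, expect):
                            raise RuntimeError("unexpected packet %r" % pkt[:4])
                        data += pkt[4:]
                        conn.sendto(_hdr(ACK, expect), peer)
                        expect += 1
                        if len(pkt) - 4 < BLOCK:
                            break
                    self.files[name] = data
                elif opcode == RRQ:      # the appliance is doing 'configure net'
                    for block, chunk in _chunks(self.files[name]):
                        conn.sendto(_hdr(DATA, block, chunk), peer)
                        if conn.recvfrom(4)[0] != _hdr(ACK, block):
                            raise RuntimeError("bad ACK for block %d" % block)

def tftp_put(port, filename, data):
    """Client side of 'write net'. Returns the number of DATA blocks sent."""
    with _udp() as sock:
        sock.sendto(_rq(WRQ, filename), (HOST, port))
        ack, tid = sock.recvfrom(4)      # ACK 0 also reveals the server's TID
        if ack != _hdr(ACK, 0):
            raise RuntimeError("WRQ refused")
        for block, chunk in _chunks(data):
            sock.sendto(_hdr(DATA, block, chunk), tid)
            if sock.recvfrom(4)[0] != _hdr(ACK, block):
                raise RuntimeError("bad ACK for block %d" % block)
        return block

def tftp_get(port, filename):
    """Client side of 'configure net'. Returns the file contents."""
    with _udp() as sock:
        sock.sendto(_rq(RRQ, filename), (HOST, port))
        data = b""
        while True:
            pkt, tid = sock.recvfrom(BLOCK + 4)
            opcode, block = struct.unpack("!HH", pkt[:4])
            if opcode != DATA:
                raise RuntimeError("unexpected packet %r" % pkt[:4])
            data += pkt[4:]
            sock.sendto(_hdr(ACK, block), tid)
            if len(pkt) - 4 < BLOCK:
                return data

def backup_and_restore(config=SAMPLE_CONFIG, filename="pixfirewall.cfg"):
    """Round-trip a config through the server and report what crossed the wire."""
    server = TftpServer()
    server.start()
    blocks = tftp_put(server.port, filename, config)
    restored = tftp_get(server.port, filename)
    server.join(5)
    return {"blocks": blocks, "restored": restored,
            "cleartext_on_wire": any(b"access-list" in p for p in server.wire)}
```

Calling backup_and_restore() returns the restored bytes (identical to what was written), the block count, and cleartext_on_wire set to True because the access-list lines are readable in the captured datagrams. The two details worth noting for troubleshooting are that every reply comes from a new source port (the transfer identifier), which is why TFTP needs a stateful or helper-aware firewall in the path, and that a file whose size is an exact multiple of 512 bytes is terminated by an empty DATA block.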

Backup and Restore the Single Mode Configuration or Multiple Mode System Configuration

In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory:

Note: When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

  1. Copy the startup configuration or running configuration to a TFTP server:

    hostname#copy {startup-config | running-config}
    tftp://server[/path]/filename
    
  2. Issue this copy tftp command in order to restore the file back to PIX:

    hostname#copy tftp://server[/path]/filename {startup-config | running-config}
    
  3. Issue this copy command in order to copy to an FTP server (the user name and password in the URL are sent in cleartext):

    hostname#copy {startup-config | running-config} 
    ftp://[user[:password]@]server[/path]/filename
    
  4. Issue this copy command in order to restore the file back to PIX:

    hostname#copy ftp://[user[:password]@]server[/path]/filename {startup-config | running-config}
    
  5. Issue this copy command in order to copy to local Flash memory:

    hostname#copy {startup-config | running-config} {flash:/ | disk0:/ | 
    disk1:/}[path/]filename
    
  6. Issue this copy command in order to restore the backup file:

    hostname#copy {flash:/ | disk0:/ | 
    disk1:/}[path/]filename {startup-config | running-config}
    

    Make sure the destination directory exists. If it does not exist, issue the mkdir command in order to create the directory.

Backup and Restore a Context Configuration in Flash Memory

In multiple context mode, issue one of these commands in the system execution space in order to copy context configurations that are on the local Flash memory.

  1. Issue this copy command in order to copy to a TFTP server:

    hostname#copy disk:[path/]filename tftp://server[/path]/filename
    
  2. Issue this copy command in order to restore the file back to PIX:

    hostname#copy tftp://server[/path]/filename disk:[path/]filename
    
  3. Issue this copy command in order to copy to an FTP server:

    hostname#copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename
    
  4. Issue this copy command in order to restore the file back to PIX:

    hostname#copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename
    
  5. Issue this copy command in order to copy to local Flash memory:

    hostname#copy {flash:/ | disk0:/ | disk1:/}[path/]filename {flash:/ | disk0:/ | 
    disk1:/}[path/]newfilename
    
  6. Issue this copy command in order to restore the file back to PIX:

    hostname#copy {flash:/ | disk0:/ | 
    disk1:/}[path/]newfilename {flash:/ | disk0:/ | disk1:/}[path/]filename
    

Backup a Context Configuration within a Context

In multiple context mode, from within a context, you can perform these backups:

  1. Issue this copy command in order to copy the running configuration to the startup configuration server (connected to the admin context):

    hostname/contexta#copy running-config startup-config
    
  2. Issue this copy command in order to copy the running configuration to a TFTP server connected to the context network:

    hostname/contexta#copy running-config tftp://server[/path]/filename
    

Back Up Additional Files Using the Export and Import Commands

Additional files essential to your configuration can include these:

  • Files you import using the import webvpn command. Currently these files include customizations, URL lists, web contents, plug-ins, and language translations.

  • DAP policies (dap.xml)

  • CSD configurations (data.xml)

  • Digital keys and certificates

  • Local CA user database and certificate status files

The CLI lets you back up and restore individual elements of your configuration using the export and import commands. In order to back up these files, for example, those imported through the import webvpn command or certificates, complete these steps:

  1. Issue the appropriate show command(s). For example:

    hostname#show import webvpn plug-in
    ica
    rdp
    ssh,telnet
    vnc
    hostname#
  2. Issue the export command for the file you want to back up, in this example, the rdp file.

    hostname#export webvpn plug-in protocol rdp tftp://tftpserver/backupfilename
    
    hostname#

Use a Script to Back Up and Restore Files

You can use a script to back up and restore the configuration files on your security appliance, which includes all of the extensions you import through the import webvpn CLI, the CSD configuration XML files, and the DAP configuration XML file. For security reasons, Cisco does not recommend that you perform automated backups of digital keys and certificates or the Local CA key.

This section provides instructions for doing so, and includes a sample script that you can use as is or modify as your environment requires. The sample script is specific to a Linux system. In order to use it for a Microsoft Windows system, you need to modify it with the logic of the sample.

Note: The existing CLI lets you back up and restore individual files with the copy, export, and import commands. It does not have a facility that backs up all ASA configuration files in one operation; the script fills that gap by issuing the individual CLI commands for you.

Prerequisites:

In order to use a script to back up and restore an ASA configuration, complete these tasks:

  • Install Perl with an Expect module.

  • Install an SSH client that can reach the ASA.

  • Install a TFTP server to send files from the ASA to the backup site.

Another option is to use a commercially available tool. You can put the logic of this script into such a tool.

Running the Script

Complete these steps in order to run a backup and restore script:

  1. Download or cut and paste the script file to any location on your system.

  2. At the command line, enter perl scriptname, where scriptname is the name of the script file.

  3. Press Enter.

  4. The system prompts you for a value for each option. Alternatively, you can supply the option values on the perl scriptname command line before you press Enter. Either way, the script requires a value for each option.

  5. The script starts to run and prints out the commands that it issues, which provides you with a record of the CLIs. You can use these CLIs for a later restore, particularly useful if you want to restore only one or two files.
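The logic the sample script performs, shown in Python. The page refers to a Perl/Expect script that is not reproduced here; this is an added example, not Cisco's script. It asks the appliance what it has, builds one copy or export command per file, records each CLI line it issues together with the appliance's reply so the list can be replayed for a restore, and refuses to automate anything that would export keys, certificates or the Local CA files, as the page recommends. The transport is a plain function so the example runs offline against constructed show output; in a real run that function would write to an SSH session (pexpect or similar). The backup file names, the use of /noconfirm, the flash paths passed in flash_files and the LOCAL-CA-SERVER directory name are assumptions.

```python
import re

# Added example in Python of the sample script's logic; not the Perl/Expect
# script the page refers to. File names, /noconfirm, the flash paths and the
# LOCAL-CA-SERVER directory name are assumptions.

# Constructed 'show' output, shaped like the listing earlier on this page.
CANNED = {"show import webvpn plug-in": "ica\nrdp\nssh,telnet\nvnc\n"}


def fake_send(cmd):
    """Stand-in for the SSH transport: returns canned output, or '' if none."""
    return CANNED.get(cmd, "")


def _safe(name):
    """Make a listing entry such as 'ssh,telnet' usable inside a file name."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", name)


def forbidden(cmd):
    """True for commands that would put private keys or the Local CA on TFTP."""
    return cmd.startswith("crypto ca export") or "LOCAL-CA-SERVER" in cmd


def plan_backup(send, tftp_server, prefix, flash_files=()):
    """Return (backup_cmds, restore_cmds) for one appliance.

    send(cmd) runs one CLI line and returns its output as a string.
    flash_files are extra files the operator names, e.g. 'disk0:/dap.xml'.
    """
    base = "tftp://%s/%s" % (tftp_server, prefix)
    backup, restore = [], []
    # 1. the running configuration (what 'write net' sends); the restore
    #    merges into running-config, as described earlier on this page
    backup.append("copy /noconfirm running-config %s-running.cfg" % base)
    restore.append("copy /noconfirm %s-running.cfg running-config" % base)
    # 2. one export per WebVPN plug-in the appliance lists
    for proto in send("show import webvpn plug-in").split():
        url = "%s-plugin-%s.jar" % (base, _safe(proto))
        backup.append("export webvpn plug-in protocol %s %s" % (proto, url))
        restore.append("import webvpn plug-in protocol %s %s" % (proto, url))
    # 3. named flash files such as the DAP or CSD XML
    for path in flash_files:
        url = "%s-%s" % (base, _safe(path.rsplit("/", 1)[-1]))
        backup.append("copy /noconfirm %s %s" % (path, url))
        restore.append("copy /noconfirm %s %s" % (url, path))
    return backup, restore


def run_backup(send, tftp_server, prefix, flash_files=()):
    """Issue the backup commands; return (log, restore_cmds).

    log pairs each CLI line with the appliance's reply, which is the record
    the page says to keep for a later restore of one or two files.
    """
    backup, restore = plan_backup(send, tftp_server, prefix, flash_files)
    log = []
    for cmd in backup:
        if forbidden(cmd):
            raise ValueError("refusing to automate key/certificate export: " + cmd)
        log.append((cmd, send(cmd)))
    return log, restore


if __name__ == "__main__":
    log, restore_cmds = run_backup(fake_send, "10.1.1.42", "asa1", ["disk0:/dap.xml"])
    for cmd, _reply in log:
        print(cmd)
    print("--- replay these to restore ---")
    for cmd in restore_cmds:
        print(cmd)
```

Running it prints the six backup commands followed by the six matching restore commands. To drive a real appliance, replace fake_send with a function that writes the line to an SSH session and returns the text up to the next prompt; everything else stays the same.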

Use a Terminal Emulation Program to Backup and Restore a Configuration

A terminal emulation program can be used in order to backup and restore a configuration. This is a description of the procedure that uses Microsoft HyperTerminal Terminal Emulation software and either PIX 6.x or 7.x/8.x.

  1. At the pix> prompt, issue the enable command and enter the required password when prompted.

    The prompt changes to pix#. This indicates that the PIX is in privileged mode.

  2. Issue the terminal pager 0 command in order to force the PIX to return the entire response at once, rather than one screen at a time.

    This allows you to capture the configuration without extraneous --more-- prompts generated when the PIX responds one window at a time.

  3. On the HyperTerminal menu, choose Transfer > Capture Text.

    The Capture Text window appears.

  4. Name this file config.txt.

  5. Click Start in order to dismiss the Capture Text window and begin the capture.

  6. Issue the show running-config command, and allow time for the PIX to complete its response.

    You see this:

    Building configuration...

    The configuration comes after Building configuration.

  7. On the HyperTerminal menu, choose Transfer > Capture Text > Stop in order to end the screen capture.

  8. Open the config.txt file you created in any text editor, such as Notepad or Wordpad, and save the file.

  9. Connect to the PIX that needs the configuration to restore.

  10. Open the config.txt file.

  11. Highlight the entire contents of the config.txt file.

    Drag the cursor from before the first character to after the last character in the file while you hold down the left mouse button in order to highlight. Alternatively, if you use Notepad, choose Edit > Select All from the menu.

  12. Choose Edit > Copy from the text editor menu, or hold down the CTRL key and press the C key, in order to copy the selected text to the Windows clipboard.

  13. Switch to the HyperTerminal window, and issue the configure terminal command at the pix# prompt.

  14. Press Enter.

  15. Choose Edit > Paste to Host on the HyperTerminal menu in order to paste the configuration file into the PIX.

  16. After the configuration is pasted and the PIX brings you back to the configuration prompt, issue the copy running-config startup-config command in order to write the configuration into memory.

  17. Issue the exit command in order to return to the pix# prompt.

Backup and Restore Certificates

Complete these steps in order to restore the certificate information from one ASA to another ASA:

  1. Export the certificate from the original ASA in a PKCS12 format.

    crypto ca export [trustpoint name] pkcs12 [export password]

    This exports all the certificates in the chain together with the private key used with this certificate, protected by the export password you supply. When you move a certificate to another ASA, the key must move with it, so treat the exported PKCS12 data as a secret and clear it from terminal logs once the import has succeeded.

  2. Import the certificate with the key on to the second firewall.

    crypto ca import [trust point name] pkcs12 [password used to export]

    You do not need to define a trustpoint before you enter this command; it creates the trustpoint automatically. If a trustpoint with the same name already exists, remove it before you import.

Verify

Issue the show running-config command in order to confirm that the configuration file has been copied to the destination PIX.
