TFTP Firewall Backups

Sunday, 18 November 2007, 21:15 | Category : Linux

So a week ago we started looking for a way to access all of our Cisco firewalls (PIX and FWSMs) to run nightly configuration backups. I am not about to pay for it; it doesn’t seem like something that someone with half a brain shouldn’t be able to build a quick script for. So I started looking around and first of all I found RANCID. I found that RANCID is great, but it did way more than I wanted. The method for retrieving the configs wasn’t what I really wanted. It telneted or ssh’ed to my PIX device and removed the pager lines. After that it would write term and just copy the output. I had unwanted lines in the config file once all was done. I could have kept messing with RANCID but figured I would try something else myself.

What I really wanted to do was have a script go out and do what I would do at the command line, which was:

ssh user@device_ip

send password:xxxxxxxxx

enable

send password:xxxxxxxxx

write net

This should allow me to ssh to the PIX or FWSM and copy the configuration up to the TFTP server that is predefined in the firewall device’s own configuration. So to do this you are going to need to set up a TFTP server on your backup device. I personally use Ubuntu 7.10 server and have gotten really good results.

So after messing with RANCID I figured out that Expect is the scripting language behind it. From the Expect site: “Expect is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc.” They aren’t lying about it either. So I started looking into Expect scripts, and everything I read about learning Expect said to try autoexpect first.

What was this autoexpect??? Well, to tell you the truth I have only been using it a couple of days now and it’s great. It’s in the Ubuntu repositories and can be loaded with apt without having to build it yourself. Once it’s loaded you can pretty much run “autoexpect ssh user@device.ip” and it will copy all of the keyboard input at the prompts into an expect script. So I was able to ssh to the device, enable on the device, and then write net on the device. After I exited my ssh session I noticed there was an expect script in the directory I was running the command from. Now, it couldn’t be this easy: I just typed “expect scriptname.exp” and it ssh’ed to the PIX device, enabled, and wrote net to my tftp server…… REALLY EASY.
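Here is an added example of what the ssh / password / enable / password / write net sequence from above looks like as a hand-written Expect script. This is not the script autoexpect generated for the post, and not the author's code; autoexpect records everything typed at the prompts, passwords included, straight into the .exp file, so this version reads the host, user and both passwords from environment variables (FW_HOST, FW_USER, FW_PASS, FW_ENABLE are assumed names) and never stores them in the script. It assumes the firewall already has its tftp-server line configured, as the post describes, so "write net" needs no arguments, and it assumes the PIX prints "[OK]" when the copy succeeds (the prompt and marker patterns are assumptions about PIX/FWSM output).

```expect
#!/usr/bin/expect -f
# Added example, not the original post's autoexpect output.
# Assumed environment variables: FW_HOST FW_USER FW_PASS FW_ENABLE
# Assumes the firewall already has a tftp-server destination configured.

set timeout 30
log_user 0   ;# keep the session transcript (and echoed commands) off stdout

foreach v {FW_HOST FW_USER FW_PASS FW_ENABLE} {
    if {![info exists env($v)]} { puts stderr "$v is not set"; exit 2 }
}
set host   $env(FW_HOST)
set user   $env(FW_USER)
set pass   $env(FW_PASS)
set enpass $env(FW_ENABLE)

# StrictHostKeyChecking=yes: a backup job should never silently accept a
# new or changed host key; an unknown key makes ssh exit and we bail on eof.
spawn ssh -o StrictHostKeyChecking=yes $user@$host

expect {
    -re "(?i)password:" { send -- "$pass\r" }
    timeout { puts stderr "no password prompt from $host"; exit 1 }
    eof     { puts stderr "ssh to $host ended before login (host key?)"; exit 1 }
}

# Unprivileged PIX/FWSM prompt ends in ">" (assumed); a second password
# prompt here means the login password was rejected.
expect {
    -re {> ?$}          { send -- "enable\r" }
    -re "(?i)password:" { puts stderr "login rejected by $host"; exit 1 }
    timeout             { puts stderr "no prompt after login on $host"; exit 1 }
}

expect {
    -re "(?i)password:" { send -- "$enpass\r" }
    timeout { puts stderr "no enable password prompt on $host"; exit 1 }
}

# Privileged prompt ends in "#" (assumed); another password prompt means
# the enable password was rejected.
expect {
    -re {# ?$}          { send -- "write net\r" }
    -re "(?i)password:" { puts stderr "enable rejected by $host"; exit 1 }
    timeout             { puts stderr "no enable prompt on $host"; exit 1 }
}

# Wait for the TFTP copy to finish before exiting; "[OK]" on success is
# an assumption about PIX output, anything with "error" is treated as failure.
expect {
    -re {\[OK\]}    { }
    -re "(?i)error" { puts stderr "write net failed on $host"; exit 1 }
    timeout         { puts stderr "timed out waiting for write net on $host"; exit 1 }
}

expect -re {# ?$}
send -- "exit\r"
expect eof
exit 0
```

Run it from cron with the four variables set in the crontab environment (or a root-only wrapper), one invocation per firewall; the non-zero exit codes make a failed nightly backup visible to whatever watches the job. Bear in mind that "write net" ships the full running config, password hashes and all, over TFTP in the clear, so the TFTP directory on the backup box should be writable only by the TFTP daemon, readable only by the backup user, and the server reachable only from the firewalls' management interfaces.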

In the last couple of days I have been playing with RANCID more and I like using CVS as my version control of the configs so I may put some extra work in on that this week.  I will let everyone know how it goes.

2 Comments for “TFTP Firewall Backups”

  1. Hank

    You’re a BIG GEEK ! ! !

  2. stunder

    Hank with 17 years at KP you are a clown…. When are we going to get a beer?
