Mailing List Archive

Does RANCID handle Cisco PIX devices?
Hello all, I am still exploring RANCID's capabilities. Does it have the
ability to back up Cisco PIX configs? I have added one of our PIX's names
to the router.db file and set the type to

pixhq:cat5:up
pixhq2:cat5:up

thinking that it would be closer to the catOS command line. This is not
successful. I am using TACACS+ on the PIX, and here is an example of what
I get if I manually ssh into it.

$ ssh -l net\-cfg\-bak 10.1.1.1
net-cfg-bak@10.1.1.1's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> en
Password: ********
PIXHQ#

In my dead.letter file, this is the message I get for the 2 PIXes
configured:

From: Network Config Backup <net-cfg-bak>
Message-Id: <200412282250.iBSMoOnX027862 at netdisco.capgemini.com>
To: rancid-fi
Subject: config fetcher problems - fi
Precedence: bulk

The following routers have not been successfully contacted for
more than 4 hours.
-rw-r----- 1 net-cfg-bak wheel 0 Dec 13 16:23 pixhq
-rw-r----- 1 net-cfg-bak wheel 0 Dec 13 16:23 pixhq2

If I use the clogin program, I can get the level 1 login prompt, but it
is not executing my show version.
This makes me think that it is waiting on some type of prompt character
that is not defined (just guessing).

$ /usr/local/libexec/rancid/clogin -c "show version" -f /home/net-cfg-bak/.cloginrc 10.1.1.1
10.1.1.1
spawn telnet 10.1.1.1
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak 10.1.1.1
net-cfg-bak@10.1.1.1's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ>
Error: TIMEOUT reached

My .cloginrc file is as follows:

add method * {telnet} {ssh}
add autoenable * {1}
add enauser * {net\-cfg\-bak}
add user * {net-cfg-bak}
add password * {pass}

# set ssh encryption type, dflt: 3des
add cyphertype * {3des}


My goal is to back up my PIX configs, does anyone have any ideas? Can
RANCID do it?

Thanks,
Faron Hopper
Capgemini
Network Engineering
3315 North Oak Trafficway
Kansas City, MO 64116
816.459.5139
Does RANCID handle Cisco PIX devices? [ In reply to ]
On (28/12/04 12:19), Hopper, Faron W. wrote:
>
> Hello all, I am still exploring RANCID's capabilities. Does it have
> the ability to back up Cisco PIX configs? I have added one of our
> PIX's names to the router.db file and set the type to
>
> pixhq:cat5:up
> pixhq2:cat5:up
>

use cisco...pix runs ios not catos

i've used rancid with various models of pix and they all work fine, with or
without tac+ for aaa.

/joshua
--
What difference does it make to the dead, the orphans, and the homeless,
whether the mad destruction is wrought under the name of totalitarianism
or the holy name of liberty and democracy?
- Mohandas Karamchand (Mahatma) Gandhi -
Does RANCID handle Cisco PIX devices? [ In reply to ]
I have tried setting these devices to cisco from cat5. There is no
change. Rancid is not able to log into my PIXes. The PIXes don't have
telnet enabled, but this shouldn't be a big deal for RANCID. Could the
problem be in how I have set up the .cloginrc file?

My .cloginrc file is as follows:

add method * {telnet} {ssh}
add autoenable * {1}
add enauser * {net\-cfg\-bak}
add user * {net-cfg-bak}
add password * {pass}

# set ssh encryption type, dflt: 3des
add cyphertype * {3des}

The other thought that I had is that something might be configured
differently (misconfigured?) on TACACS.

My TACACS+ username is net-cfg-bak

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 10.2.1.61 key timeout 15
aaa-server TACACS+ (outside) host 10.2.1.62 key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
aaa-server local protocol tacacs+
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+

Any thoughts?

Thanks,
Faron
Does RANCID handle Cisco PIX devices? [ In reply to ]
Aaron,
If I remove the autoenable line, I can use clogin to log into the PIX
(see below). However, my rancid-run process now takes forever to
complete (it is taking hours instead of minutes; it used to run about
20 minutes). This is probably due to my lack of understanding of how to
set up the .cloginrc file. Anyway, when that rancid-run process
finishes, I do not have any updates in the cvs database (cvsweb.cgi
lists the rev as 1.1). I have run the rancid-run process 2-3 times since
removing the autoenable, and the dead.letter file now has many devices
that it can't contact... more stuff to work on. Anyway, is there any
reason why it would not update the pixhq device? (It is not listed in
the dead.letter file.)

Thanks,
Faron


$ /usr/local/libexec/rancid/clogin -c "show version" -f .cloginrc pixhq
pixhq
spawn telnet pixhq
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak pixhq
net-cfg-bak@pixhq's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> enable
Another session is writing configuration to memory,
please wait a moment for it to finish...
Password: ********
PIXHQ#
PIXHQ# term length 0
Type help or '?' for a list of available commands.
PIXHQ# show version

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

KCSCAFW1 up 87 days 2 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.9bca.350f, irq 10
1: ethernet1: address is 0005.9bca.3511, irq 11
2: ethernet2: address is 00e0.b604.fb6b, irq 11
3: ethernet3: address is 00e0.b604.fb6a, irq 10
4: ethernet4: address is 00e0.b604.fb69, irq 9
5: ethernet5: address is 00e0.b604.fb68, irq 5
6: gb-ethernet0: address is 0003.4725.3a71, irq 5
7: gb-ethernet1: address is 0003.4725.38e5, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 405200333 (0x1826ddcd)
Running Activation Key: 0xa94bffde 0x802610c9 0x25221732 0x585f4871
Configuration last modified by net-cfg-bak at 14:44:44.067 UTC Wed Dec 29 2004
PIXHQ#exit

Logoff

Connection to pixhq closed.

-----Original Message-----
From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla@mail.nih.gov]
Sent: Tuesday, December 28, 2004 3:40 PM
To: Hopper, Faron W.
Subject: RE: Does RANCID handle Cisco PIX devices?

Try it without the autoenable line...you still have to enter enable on
the PIX. (I'm running rancid w/PIXs right now, so it should work.)

Can you clogin to any of the PIXs directly? That's the common test I
use to see if rancid will be okay (and often tells me what error
actually occurs).

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing.
It wastes your time and annoys the pig.

Does RANCID handle Cisco PIX devices? [ In reply to ]
Does the account you're logging in as have the rights to run all the
commands rancid wants to do on the PIX? I suspect that the rancid run is
taking forever because it's trying to run a whole list of things, and one of
them (write term, perhaps?) is being refused....rancid then hangs, and the
connection only dies when it times out.

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing. It wastes your time and annoys the pig.

Does RANCID handle Cisco PIX devices? [ In reply to ]
That is a good idea, I will check into it. I thought that the account
had level 15, but I will verify it.
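
The "clogin directly" test recommended earlier in the thread can be scripted so that each captured transcript is classified by how far the session got. This is an added example, not part of the thread and not RANCID code; the function names, stage labels and hint wording are made up here, and the two sample transcripts are abridged from the runs posted above.

```python
import re

SPAWN = re.compile(r"^spawn (telnet|ssh)\b")
USER_PROMPT = re.compile(r"^[\w.-]+>\s*(.*)$")   # "PIXHQ>" or "PIXHQ> enable"
PRIV_PROMPT = re.compile(r"^[\w.-]+#\s*(.*)$")   # "PIXHQ#" or "PIXHQ# show version"

# Sample input, abridged from the two clogin runs posted in this thread.
FAILED_RUN = """\
spawn telnet 10.1.1.1
telnet: connect to address 10.1.1.1: Connection refused
spawn ssh -c 3des -x -l net-cfg-bak 10.1.1.1
net-cfg-bak@10.1.1.1's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ>
Error: TIMEOUT reached
"""
WORKING_RUN = """\
spawn telnet pixhq
telnet: connect to address 10.1.1.1: Connection refused
spawn ssh -c 3des -x -l net-cfg-bak pixhq
PIXHQ>
PIXHQ> enable
Password: ********
PIXHQ#
PIXHQ# term length 0
PIXHQ# show version
Cisco PIX Firewall Version 6.3(3)
PIXHQ#exit
"""


def hint(r):
    """Map the parsed state to the check the thread suggests for it."""
    if r["stage"] == "none":
        return "no device prompt seen: check method, user and password"
    if r["stage"] == "user" and not r["enable_sent"]:
        return "at the > prompt, enable never sent: check autoenable in .cloginrc"
    if r["stage"] == "user":
        return "enable was sent but no # prompt followed: check the enable credentials"
    if r["timed_out"]:
        return "enabled, then timed out: check that the account may run every command"
    return "login and enable succeeded"


def diagnose(transcript):
    """Report how far a clogin session got, from its captured output."""
    r = {"method": None, "refused": [], "stage": "none",
         "enable_sent": False, "commands": [], "timed_out": False}
    for raw in transcript.splitlines():
        line = raw.strip()
        spawn, priv, user = SPAWN.match(line), PRIV_PROMPT.match(line), USER_PROMPT.match(line)
        if spawn:
            r["method"] = spawn.group(1)          # method currently being tried
        elif line.endswith("Connection refused") and r["method"]:
            r["refused"].append(r["method"])      # clogin falls through to the next method
        elif line.startswith("Error: TIMEOUT"):
            r["timed_out"] = True
        elif priv:
            r["stage"] = "enable"                 # privileged (#) prompt reached
            if priv.group(1):
                r["commands"].append(priv.group(1))
        elif user:
            if r["stage"] == "none":
                r["stage"] = "user"               # unprivileged (>) prompt reached
            if user.group(1).startswith("en"):
                r["enable_sent"] = True
    r["hint"] = hint(r)
    return r


if __name__ == "__main__":
    for run in (FAILED_RUN, WORKING_RUN):
        print(diagnose(run))
```

The `refused` field also records that telnet is attempted before ssh on every run, because `{telnet}` is listed first in the `add method` line.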
