Automated backups of a standalone Cisco ASA

In 2019, I’m still staggered that an archive feature available in Cisco IOS isn’t available in Cisco ASA code.

That being said, it’s possible to craft some code to take the edge off Cisco ASA devices which may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup that’s written to an SFTP server infrequently. I would prefer a weekly backup, but in the case of the EEM absolute timer parameters, the only choice is the hh:mm:ss format, so daily it is.

 
    PBUKFW01(config)# event manager applet daily-backup-sftp01
    PBUKFW01(config-applet)# event timer absolute time 23:50:00
    PBUKFW01(config-applet)# action 0 cli command "copy /noconfirm running-config scp://username:password@1.1.1.1/PBUKFW01/PBUKFW01_Daily.cfg;int=inside"
    PBUKFW01(config-applet)# output none

The file on the remote server is overwritten on every run, but you’ll always have a copy of the most recent running configuration off the ASA in case the ASA goes bad.
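Because the applet overwrites one file every night, any history has to be kept on the server side. The script below is an added example, not part of the original post: it runs on the SCP server and archives a dated copy only when the uploaded config is complete and has changed. The function name, directory layout and retention count are assumptions, as is the check that a complete ASA configuration ends with a ": end" line; it also assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: runs on the SCP/SFTP server, not on the ASA.
# Keeps dated copies of the one file the applet overwrites every night.
# Assumptions: GNU coreutils; a complete ASA config ends with ": end".

# archive_asa_config LATEST ARCHIVE_DIR [KEEP]
# Sets ARCHIVE_RESULT to archived | unchanged | incomplete | missing.
archive_asa_config() {
    latest=$1; dir=$2; keep=${3:-30}

    ARCHIVE_RESULT=missing
    [ -s "$latest" ] || return 1

    # Refuse a file caught mid-transfer or truncated.
    ARCHIVE_RESULT=incomplete
    last=$(tr -d '\r' < "$latest" | grep -v '^$' | tail -n 1)
    [ "$last" = ": end" ] || return 1

    # Configs carry password hashes and keys: owner-only access.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    sum=$(sha256sum "$latest" | cut -d' ' -f1)

    # Nothing to do if the config matches the last archived copy.
    if [ "$(cat "$dir/.last_sha256" 2>/dev/null)" = "$sum" ]; then
        ARCHIVE_RESULT=unchanged
        return 0
    fi

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    short=$(printf '%s' "$sum" | cut -c1-12)
    install -m 600 "$latest" "$dir/${stamp}_${short}.cfg" || return 1
    printf '%s\n' "$sum" > "$dir/.last_sha256"

    # Retention: names sort oldest first; delete all but the newest $keep.
    ls -1 "$dir"/*.cfg | sort | head -n -"$keep" |
        while IFS= read -r old; do rm -f -- "$old"; done
    ARCHIVE_RESULT=archived
}

# Stand-alone use, e.g. from cron shortly after the 23:50 upload.
if [ "$#" -ge 2 ]; then
    archive_asa_config "$@"
    echo "$ARCHIVE_RESULT"
fi
```

Run from cron with the uploaded file and an archive directory as arguments; an "incomplete" result on consecutive nights is worth alerting on, since it means the nightly copy is not arriving whole.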

Hope this helps.
Take care.
Paul

3 thoughts on “Automated backups of a standalone Cisco ASA”

  1. Hi, I am trying your script on an SFTP server but it keeps failing. I have gone through endless forums to find an answer, so would appreciate help on this. I believe it's ASA-related: I can connect to the SFTP server fine using WinSCP, but using scp from the ASA to back up running-config always fails. As far as I can tell nothing is being blocked.

    I just get something similar to :

    copy running-config scp://user:pass@xx.xxx.xx.xx/upload/Monthly.cfg;int=management
    Source filename [running-config]?
    Address or name of remote host [xx.145.125.xx]?
    Destination username [user]?
    Destination filename [upload/Monthly.cfg;int=management]?
    Cryptochecksum: xxab55a4 241ae265 05d0668e 8a4c89xx

    1. Hello,

      I’d be happy to help.
      Just humour me and check you can ping, and double-check which interface the traffic egresses.
      The output you’ve shared looks like interactive output, is that right?
      The destination filename looks troublesome if you are interactive. Try simplifying it to asa.cfg

      Either way I’m happy to help some more.
      Let me know.
      Paul

      1. Thanks for the quick reply. I can use a TFTP server fine, no problems; the issue seems to be each time I use an SFTP server. I am not a Cisco/ASA expert, very new.

        So if I use the below, all works fine (the problem is I don't want to use a Windows VM with a TFTP server on it, due to security)
        copy /noconfirm running-config tftp://xxx.xx.xx.xx/asa.cfg.txt

        Same thing using the below on an SFTP server just fails the same as before
        copy /noconfirm running-config scp://user:pass@xx.xxx.xx.xx/upload/Monthly.cfg;int=management

        The best link I could find was possibly something to do with access. I did a manual scp and it asked to confirm the fingerprint and added the server to the exception list OK, but I just can't copy a file to it. (If I use a Windows machine with WinSCP, all fine.)
