
I'd like to be able to apply a pre-written config to a Cisco ASA 5505, but presently I only have access to it via the serial console and not over the network.

Various sources suggest pasting the config into the terminal when in Global Configuration mode. The difficulty with this is that it merges the pasted config with the current running config, as opposed to replacing it, leaving some remnants of the original config, and sometimes causing odd errors. I can run a configure factory-default first to put the ASA back to a simple factory default configuration, but even then there's enough in the running config to mean the resultant merged config isn't quite right.

I appreciate that I could do the following:

  1. Paste in chunks and address errors as they arise
  2. Compare the resultant running config against my pre-written one
  3. Remove any elements that are remnants from the base config

...but that's error prone and time consuming. If there's a way to do a straight overwrite/replace, it would be useful for the future.

I don't necessarily need to replace the running config; replacing the startup config and reloading would be preferable really.

So, is there a way to be able to reliably overwrite the config on an ASA rather than merging it with the current config using only console access, or can it only be done via TFTP/ASDM/etc?

dbr
  • FWIW I think this is a legit question, though it sounds like the answer is that it cannot be done as the OP asks. Being able to Create a file from the console similar to UNIX's `cat > filename` or DOS's `COPY CON` seems reasonable to think might exist (perhaps `copy console: startup-config`?), given that you can Read (`more`) and Delete (`delete`) files on the filesystem with familiar shell-like commands. – 640KB Jul 01 '21 at 16:15

1 Answer


Updated Answer to Address Updated Question

New key information:

There is no possibility of temporarily configuring an ethernet port on the ASA to provide IP communications. As a result any answer cannot require the use of ASDM (HTTP/HTTPS), TFTP, SSH, or Telnet.

Answer

The answer is that if your only way to connect to the ASA is via the console cable and you have a premade configuration you want to have on the ASA, then you must make the configuration changes manually. This might mean writing out the negative forms of existing commands and inserting them at the beginning of your config, but it will require either typing the commands or copying and pasting them.

Why

More important than the answer to this question is understanding what the different ways to load a configuration onto an ASA are and what each one does and doesn't do.

According to Cisco there are a number of ways you can restore an ASA configuration. As the OP identified, not all of these solutions give you the desired result without some manual work, but if your only option is using a serial cable you are going to have to do some manual work no matter what.

You will notice I am going to start with TFTP; it is first because this continues to be the preferred method to upload configuration files and firmware to ASA and IOS devices.

TFTP

Trivial File Transfer Protocol or TFTP is a UDP based IP communication protocol. In order to use TFTP you will need to set up a TFTP server, and the Cisco ASA will need to have network access to the same network the TFTP server is running on. Because TFTP is an IP communication protocol you cannot use TFTP to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

TFTP requires the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from a TFTP server to an ASA.

copy tftp://server[/path]/filename startup-config
wr mem
reload

FTP

File Transfer Protocol or FTP is a UDP based IP communication protocol. In order to use FTP you will need to set up an FTP server, and the Cisco ASA will need to have network access to the same network the FTP server is running on. Because FTP is an IP communication protocol you cannot use FTP to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

FTP requires the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from an FTP server to an ASA.

copy ftp://[user[:password]@]server[/path]/filename startup-config
wr mem
reload

HTTP/HTTPS

Hypertext Transfer Protocol or HTTP and Hypertext Transfer Protocol Secure or HTTPS are TCP based IP communication protocols. In order to use HTTP or HTTPS you will need to set up an HTTP or HTTPS server, and the Cisco ASA will need to have network access to the same network the HTTP or HTTPS server is running on. Because HTTP and HTTPS are IP communication protocols you cannot use HTTP or HTTPS to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

HTTP and HTTPS require the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from an HTTP or HTTPS server to an ASA.

copy http[s]://[user[:password]@]server[:port][/path]/filename startup-config
wr mem
reload

Terminal Emulation Program

So, if you use a terminal emulation program (like PuTTY) to "transfer" the configuration to an ASA, that is fine as long as you don't mind transferring the config as text instead of uploading the file.

As you know, if you copy and paste the premade config into PuTTY it will merge the premade config with the existing config on the ASA. You have two choices now.

The first: copy and paste the premade config into PuTTY and use no at the beginning of each line in the new config that needs to be removed. After you remove the lines you don't need in the config, use the commands wr mem and reload to save the changes from running-config to startup-config and restart the ASA.

The other method is similar but allows you to do all of the configuration changes at once:

  1. Download the running-config from the ASA (enter the command sh run in PuTTY; if you have PuTTY's logging turned on it will create a text file on your computer with the sh run output).
  2. Now that you have the running-config, add no to the beginning of each line that needs to come out of the running-config.
  3. Copy the lines you edited in the running-config.
  4. Open your premade config and at the end of the text file paste the edited lines from the running-config.
  5. Copy and paste your complete config into PuTTY. After the config is entered on the ASA you will have your proper config uploaded to the running-config.
  6. Now run wr mem to save the startup-config to running-config.
  7. After the config is saved, restart the ASA with the command reload.

GUI

Of course if you want to overwrite the ASA running-config with your premade config from a GUI you can use ASDM. ASDM requires the HTTP server to be enabled on the ASA. That means for ASDM to be an option you must have an ethernet port on the ASA configured and the ASA needs to be connected to the same network the computer you are starting ASDM from is connected to.

Based on the requirements you have your only option is using the Terminal Emulation Program method. If you need more information please read the articles below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/admin_swconfig.html

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-122-mainline/46741-backup-config.html#em-prog

user5870571
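The question's steps 2 and 3 (compare the merged result with the pre-written config and remove the remnants) and the answer's second method (prefix every unwanted running-config line with no and paste it) are the same job, and it is easy to get wrong by hand: a line that is already a no form must not be negated again, a hardware port cannot be removed with no interface, and a reference such as access-group has to go before the access-list it points at. The script below is an added example, not part of the original question or answer and not Cisco's or the answer author's tooling. It assumes the running config was saved as plain text through the terminal program's session logging, and relies only on the ASA convention that sub-commands are printed indented under their parent statement. The two sample configs, the hostnames and the addresses in them are constructed.

```python
"""Derive the `no ...` lines that turn a console paste from a merge into a replace.
Added example, not Cisco tooling and not the answer author's code. It assumes the
running config was captured as plain text (e.g. PuTTY session logging of
`show running-config`) and relies on the ASA convention that top-level statements
start in column 0 while their sub-commands are indented one space.
"""
from __future__ import annotations

import re

# `show running-config` decoration that is not a command and must not be negated.
NOISE_PREFIXES = (":", "!", "ASA Version", "Cryptochecksum")
# The pasted config replaces these rather than removes them; a blind `no hostname`
# or `no enable password` over the console is unwise, so they go to manual review.
MANUAL_PREFIXES = ("hostname ", "enable password", "passwd ")
# Hardware ports cannot be deleted with `no interface`, only reset sub-command by
# sub-command; logical interfaces (Vlan, Port-channel, Redundant, BVI) can be removed.
PHYSICAL_IF = re.compile(r"^interface (Ethernet|GigabitEthernet|TenGigabitEthernet|Management)\S+$")


def parse_blocks(text: str) -> list[tuple[str, list[str]]]:
    """Group config text into (top-level statement, [sub-commands]) pairs."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):          # indented: sub-command of the last statement
            if blocks:
                blocks[-1][1].append(line.strip())
            continue
        blocks.append((line, []))
    return blocks


def remnants(running: str, desired: str) -> list[tuple[str, list[str]]]:
    """Running-config statements the pre-written config does not contain verbatim.
    A block whose sub-commands differ is a remnant: removed first, re-created by the paste."""
    wanted = dict(parse_blocks(desired))
    leftovers = []
    for stmt, subs in parse_blocks(running):
        if stmt.startswith(NOISE_PREFIXES) or stmt == "end":
            continue
        if stmt in wanted and wanted[stmt] == subs:
            continue
        leftovers.append((stmt, subs))
    return leftovers


def negations(running: str, desired: str) -> tuple[list[str], list[str]]:
    """Return (lines to paste before the new config, statements to handle by hand).
    Remnants are walked in reverse: the ASA prints referencing statements (access-group,
    service-policy) after what they reference, so reversing drops the reference first."""
    commands: list[str] = []
    review: list[str] = []
    for stmt, subs in reversed(remnants(running, desired)):
        if stmt.startswith(MANUAL_PREFIXES):
            review.append(stmt)
        elif stmt.startswith("no "):
            continue                      # e.g. `no failover`: `failover` would *enable* it
        elif PHYSICAL_IF.match(stmt):
            resettable = [s for s in subs if not s.startswith("no ")]
            if resettable:                # enter the port, reset each setting, leave
                commands.append(stmt)
                commands.extend(f"no {s}" for s in resettable)
                commands.append("exit")
        else:
            commands.append(f"no {stmt}")
    return commands, review


# Constructed sample input (names and addresses made up): a near-factory-default
# ASA 5505 running config and the pre-written config that should replace it.
RUNNING_CONFIG = """\
: Saved
!
hostname ciscoasa
enable password xxxxxxxx encrypted
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
no failover
access-list outside_in extended permit tcp any host 192.168.1.10 eq www
access-group outside_in in interface outside
Cryptochecksum:00000000000000000000000000000000
"""
DESIRED_CONFIG = """\
hostname fw-branch
interface Ethernet0/0
 switchport access vlan 2
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
"""
```

Call negations(RUNNING_CONFIG, DESIRED_CONFIG); paste the first list at the console in global configuration mode, then the pre-written config, then wr mem and reload as the answer describes. The second list (hostname, enable password) is deliberately not negated and is left for the pasted config to overwrite. The output is only as complete as the capture, so the question's final check, comparing show run against the intended config, still applies.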
  • I can't use TFTP because I only have console access (i.e. serial console). The ASA has no network interfaces connected to anything at the moment so I can't communicate with it via TCP/IP – dbr Jun 10 '16 at 22:19
  • If it isn't too much trouble to temporarily configure an Ethernet port it might be faster. – user5870571 Jun 10 '16 at 22:25
  • I wouldn't be asking if that was an option right now :) – dbr Jun 10 '16 at 22:26
  • As you already pointed out copy pasting (all at once or a few lines at once) is the other option. – user5870571 Jun 10 '16 at 22:28
  • I'm not sure you're really reading my question. That results in a merge, which causes issues. I'd have to paste it in chunks and address any errors individually, on top of then comparing the two configs line-by-line afterwards to remove any lines that are remnants from the original config. That's why I'm asking if it's possible to overwrite/replace the config as that would be quicker and less error prone. Plus, I'll know for the future on the off chance the issue comes up again. – dbr Jun 10 '16 at 22:29
  • Please see the updated answer. – user5870571 Jun 10 '16 at 22:33
  • If your answer is that it's not possible, that's fine - just say that! That's why I'm asking! – dbr Jun 10 '16 at 22:38
  • I'm not sure how many other ways I could say it.... I'm sorry if what I wrote was confusing to you. You mentioned TFTP so I provided the commands to do it that way. If TFTP was never an option that should have been included in your question. – user5870571 Jun 10 '16 at 22:40
  • @ToddWilcox The question already includes the limitations and has done since the first revision. It's right there in the title for one! I appreciate it's unusual to not have any interfaces connected, but it's the question I'm asking. At the risk of sounding like a broken record, I wouldn't have been asking if I could have just hooked up the PC to one of the Ethernet ports and TFTP'd the file across – dbr Jun 13 '16 at 18:57
  • @ToddWilcox Could you elaborate on the method regarding wiping the config? The 'clear configure all' command looks like it might achieve what I want. I've now been able to hook up something to one of the interfaces and TFTP the config across, but if I have time I may give this a go out of interest just to see if it works – dbr Jun 13 '16 at 19:03
  • @ToddWilcox That's apparently what 'clear configure all' does... I think the mistake both you and user5870571 made is not just answering the question. The question is clear what the limitations are. For me to end it with "or can it only be done via Y" doesn't change the limitations, it's just saying "... or is my suspicion correct that it can only be achieved via [blah]?". Why I was in that situation really isn't relevant unless you don't trust me that it's the case. – dbr Jun 13 '16 at 19:22
  • @dbr saying "but presently I only have console access to it." is not the same as "it is not possible for me to setup IP access to it." I understand what you want, but that doesn't change how IP communication is different from Serial communication. The fact is your "limitation" was not a limitation as you stated that you now have one of the interfaces configured. It was simply a case of you not wanting to do it the proper way. It is what it is. My answer is correct. If you choose to do it by hand that is your decision. – user5870571 Jun 13 '16 at 19:34
  • This is painful... I would have absolutely loved to have been able to use TFTP. It would have saved much time and effort. Believe me, it had nothing to do with "not wanting to do it the proper way". On rare occasions, you just end up in situations like this (and through no fault of my own in this case). You should have just answered the question or not bothered. You say "but that doesn't change how IP communication is different from Serial communication" - that was precisely my question! You ever get the feeling you're talking past someone? – dbr Jun 13 '16 at 19:41
  • @dbr please go back and read my answer - and once you made it more clear what you needed the updated answer. I'm sorry you didn't understand what I was saying. – user5870571 Jun 13 '16 at 19:42
  • I've understood you perfectly all along. Bringing things back on topic... Although I've managed to get IP access this time round, curiosity has got me wondering whether doing a wipe of the running config using 'clear configure all' might help in this situation. I may try it out of curiosity. – dbr Jun 13 '16 at 19:48