Richard,
My advice for the multi-context ASA question is to start with
backing up each context, along with the Admin context individually.
Even Cisco doesn't really offer a "Back up entire device", which is
likely why you have to "changeto" each context. Unless Cisco offers a
unique command like "more system:running-config" for the whole device,
you're pretty limited there. But to be honest, to restore the entire
device config, the only way I know is to back up the FLASH to a CF
card local to the unit (disk1:). There's not a single config file that
you can deploy (that I know of) to "paste" or copy into flash that
will correctly re-create all of the contexts AND configure each one as
needed.

Hope this helps!

On Tue, Jul 24, 2012 at 11:59 AM, Richard Laxton

Sorry to reply to my own message, but I was on digest only and didn't get the individual replies. Newbie moment over.

I've got a 99% working solution in place now; once I have dealt with the last issue I will post the code for consideration and re-use.

I've done as follows:

site/router.db
===========
firewall1-context1:cisco:up
firewall1-context2:cisco:up
firewall1-admincontext:cisco:up
firewall1-system:cisco:up

In DNS
===========
firewall1-context1 A 10.10.10.10
firewall1-context2 A 10.10.20.20
firewall1-admincontext A 10.1.1.1
firewall1-system CNAME firewall1-admincontext

I've then patched CLOGIN to check for "-system" in the $router hostname variable. If its there, it'll issue a "changeto system" once, and then assume the prompt is now firewall1 instead of firewall1/admincontext.

The script proceeds through all the commands as normal, except for some reason it misses command show running-config, despite the fact that you can type that at the command line normally and more system:running-config works. I'll try and work out why, or have that skipped for "-system". This is the last issue I mentioned.

Is this a perfect automated solution? No. Does it get your configs backed up without any manual intervention? Yep, just set the DNS records and off you go. This method assumes of course that you need to be able to SSH to each context directly. All contexts are for my internal customer separation as part of a managed service so no direct user access - therefore its not an issue for me to allow this, however I see no reason why this method couldn't be expanded upon quite simply so you can do the following in router.db, based on some older posts from 2009 I saw suggesting a similar thing:

firewall1[context context1]:cisco:up
firewall1[context context2]:cisco:up
firewall1[system]:cisco:up

(or indeed to make a new var in .cloginrc)

Then instead of where I've put a static command to 'changeto system', you can issue 'changeto $some_var'.

If I ever get round to making this happen I'll post that code too.

-----Original Message-----
From: Richard Laxton
Sent: 24 July 2012 18:00
To: 'rancid-***@shrubbery.net'
Subject: Revisiting Cisco ASA 5500 / FWSM in multiple context mode

Hi everyone,

Forgive me if I'm breaching etiquette here, I've never posted to a mailling list before. I'm eager to get a resolution to the issue of how to grab the "system" context configuration when using ASA in multiple context mode.

I've accommodated the individual contexts by simply adding them to router.db as additional 'cisco' devices and ensuring that they are reachable on an interface from RANCID. I'm (personally) happy with that solution.

The issue I've got is then how to get into the system context reliably.

I've copied rancid to asarancid and added it to rancid-fe as "asa" - I've then added my firewall as firewall:asa:up in router.db.

Inside asarancid I've trimmed the commandtable down a bit for now, to get started:

@commandtable = (
{'changeto system' => 'DoNothing'},
{'show version' => 'ShowVersion'},
{'show boot' => 'ShowBoot'},
{'show flash' => 'ShowFlash'},
{'show running-config' => 'WriteTerm'},
);

In order to bypass the "prompt has changed" issue, I've simply commented out those lines, however it then rejects the 'changeto system' command as follows:

firewall: found unexpected command - "changeto system"

I'm unable to resolve how I define this as an expected command.

Can you please assist me in my endeavours? I'll post the script at the end for anyone who may find it useful, or alternatively if anyone has resolved this could you kindly provide me a copy of your own scripts? I've tried a web search and searching on the web interface but despite some comments about people looking at this before I can't see any (obvious) place where a user script has been published.

Thanks,

Rich.

This electronic message contains information from Applicable, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please notify the sender.
Activity and use of the Applicable Ltd e-mail system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes.
Applicable Ltd. Registered office: 5-6 Northumberland Buildings, Queen Square, Bath, Somerset, BA1 2JE.  Registered in England no: 03426111