| KB | 0000076 | |
| Dated | 09/11/09 | |
| Revision | 0.02 | |
Using TFTP to Backup and Restore a Cisco Firewall. |
||
| Problem | ||
There are many ways in many different versions of PIX and ASA Firewall's to get a copy of the configuration and save it elsewhere - then in the event of a failure (or more likely someone tinkering and breaking the firewall) being able to recall and Restore that configuration. But by far the easiest is to use a TFTP server - and it works on ALL versions, so learn it once and use it many times. OK for starters you need to get a TFTP server - while this sounds very grand, its a little piece of software that will run on just about any windows PC, I use an application called 3CDeamon and I've put information on how to get it and how to set it up (about 5 min's work) HERE. So I'll assume you have the TFTP server installed and running and you know what IP address the machine that's running it is using. NOTE: TFTP uses TCP Port 69 if you have firewall's in between the one you are working on and the TFTP server then this port needs to be open. |
||
| Solution | ||
Backup |
| 1. Login to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password. |
ciscoasa> en |
2. To back up the firewall you need to specify the IP address of where you want to send it, what you want to call the backup, and you tie them together with a "Write Net" command. The syntax is, write net {ip address}:{filename} |
ciscoasa# write net 172.254.1.2:firewall_backup |
| 3. On your TFTP server you will see that a file has been received. |
 |
| 4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore. |
Restore |
| 1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory. |
| 2. Login to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password. |
| ciscoasa> en Password:********* ciscoasa# |
| 3. Enter configuration mode using the "conf t" command. |
| ciscoasa# conf t ciscoasa(config)# |
| 4. Unlike when you backed up the firewall to restore the configuration you use the copy tftp start command. |
| ciscoasa(config)# copy tftp start |
| 5. Supply it with the IP address of your TFTP Server. |
| Address or name of remote host []? 172.254.1.2 |
| 6. Supply it with the name of the file you backed up earlier. |
| Source filename []? firewall_backup |
| 7. The file will get copied over. |
| Accessing tftp://172.254.1.2/firewall_backup...! Writing system file... ! 2974 bytes copied in 0.90 secs ciscoasa(config)# |
| 8. On your TFTP server you will see the file being "copied out" |
 |
| 9. Not finished yet, the file now lives in the "Startup" configuration so its not been loaded from emory yet, the best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter. |
ciscoasa(config)# reload ***
*** |
| 10. After the reboot, you will be running on the restored configuration. |
Note: With a Version 6 Firewall - restoring a config from TFTP simply "Merges" the new one with the config on the firewall, in most cases this is NOT what you want, to get round this place the following command at the top of the config you are restoring clear config all
|
