Dated

09/11/09

Revision

0.02

Backup and Restore a Cisco Firewall.

Problem

There are many different versions of PIX and ASA Firewall's, if you want to get a backup of the configuration and save it elsewhere - so in the event of a failure, (or more likely someone tinkering and breaking the firewall). you will be able to recall and restore that configuration. By far the easiest is to use a TFTP server - and it works on ALL versions, so learn it once and use it many times.

Note: Some people flatly refuse to use command line, if that's you, you can also backup and restore from the ASDM click here.

OK for starters you need to get a TFTP server - while this sounds very grand, its a little piece of software that will run on just about any windows PC, I use an application called 3CDeamon and I've put information on how to get it and how to set it up (about 5 min's work) HERE.

So I'll assume you have the TFTP server installed and running and you know what IP address the machine that's running it, is using.

NOTE: TFTP uses TCP Port 69 if you have firewall's in between the one you are working on, and the TFTP server then this port needs to be open.

Solution

Backup

1. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.

ciscoasa> en
Password:*********
ciscoasa#

2. To back up the firewall you need to specify the IP address of where you want to send it(i.e. the TFTP server), what you want to call the backup, and you tie them together with a "Write Net" command. The syntax is,

write net {ip address}:{filename}

ciscoasa# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
ciscoasa#

3. On your TFTP server you will see that a file has been received.

4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore.

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.

2. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.

ciscoasa> en
Password:*********
ciscoasa#

3. Enter configuration mode using the "conf t" command.

ciscoasa# conf t
ciscoasa(config)#

4. Unlike when you backed up the firewall to restore the configuration you use the copy tftp start command.

ciscoasa(config)# copy tftp start

5. Supply it with the IP address of your TFTP Server.

Address or name of remote host []? 172.254.1.2

6. Supply it with the name of the file you backed up earlier.

Source filename []? firewall_backup

7. The file will get copied over.

Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
ciscoasa(config)#

8. On your TFTP server you will see the file being "copied out"

9. Not finished yet, the file now lives in the "Startup" configuration so its not been loaded from memory yet, the best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter.

ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---

10. After the reboot, you will be running on the restored configuration.

Note: With a Version 6 Firewall - restoring a config from TFTP simply "Merges" the new one with the config on the firewall, in most cases this is NOT what you want, to get round this place the following command at the top of the config you are restoring

clear config all

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration.

2. Browse Local.

3. Find somewhere to put the backup that you will be able to locate.

4. In this instance Ill "Backup All" > Backup.

5. Let it do its own thing > Close.

6. Take a quick look at the report > OK.

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration.

8. Browse Local.

9. Locate your backup and select it.

10. Next.

11. In this instance I'm just going to restore the Start-up-configuration (Note: that means I will need to reboot the firewall when restored, before the restored config takes effect) > Restore.

12. You will be asked if you want to merge or replace the config. (Note: merge is handy if there's been a couple of config changes) > I'm going to replace it.

13. Let it restore the files, then restart ASDM.

If this post helped you, PLEASE take the time to +1 it.

Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation.

If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).

References - Credits - Or External Links

Backup and Restore a Cisco Router with TFTP

Install and Use a TFTP Server