Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs about how important it is to build security into your network and to segment it properly. Here I’m going to show you how easy that is to do, and why every business should be doing this to some extent.

So let’s get going. First off, if you have an ASA that is already in production, you’re going to have to schedule some downtime: a physical interface can only join an Etherchannel on the ASA when it carries no configuration (no nameif, no security-level, no IP address), so it has to be wiped first and whatever traffic it was carrying stops. In my case I’m setting up a four-port Etherchannel, so I need all four ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s set up the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that we have a port-channel created, we need to assign which physical interfaces are going to be members of it.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll basically be doing the same thing on the switch that we just did on the ASA. You’ll notice the syntax on the ASA differs just a bit from the switch, but Cisco kept the two close. One caveat on `channel-group 1 mode on`: that builds a static bundle with no negotiation protocol (the ASA reports `Protocol: ON` and the Catalyst `Protocol: -` in the output further down), so both ends must be set to `on`, and neither side can detect a miscabled or misconfigured member. In production I’d prefer LACP, `channel-group 1 mode active` on both the ASA and the switch, so each side verifies its peer before it bundles a port.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish which VLANs are going to traverse this link. The way an ASA and a Catalyst switch are configured for VLANs differs. On the ASA, every VLAN you want becomes a sub-interface of the port-channel: `vlan` sets the 802.1Q tag, `nameif` names the zone, and `security-level` sets how much the firewall trusts it (the ASA defaults it to 100 for a zone named inside and 0 for everything else, as the INFO lines below show). For the Catalyst switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create the matching VLANs on the switch, and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 50 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Teired DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now. One thing worth noticing before moving on: FrontDMZ and BackDMZ kept the default security level of 0, the same level as Outside. The ASA refuses to pass traffic between two interfaces that share a security level unless you add `same-security-traffic permit inter-interface`, and its implicit rules treat a level-0 DMZ exactly like the outside world (Inside can reach it, it can initiate to nothing above it). Give each DMZ its own distinct level between 0 and 100 so the ordering reflects how much you actually trust it.

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration. Notice that none of the trunk members carry a `switchport trunk allowed vlan` statement, so the trunk to the ASA passes every VLAN on the switch by default, VLAN 1 included, and VLAN 1 is where the switch’s own management address (192.168.1.3 on Vlan1) lives. Before this goes into production, prune the trunk to the VLANs the ASA actually terminates (`switchport trunk allowed vlan 10,20,30,40,50`) and move the native VLAN to an unused one (for example `switchport trunk native vlan 999`) so untagged frames from either side land nowhere useful.

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Teired DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communication issues: a Catalyst port does not sense what VLAN it belongs to, it simply sits in VLAN 1 until you tell it otherwise. A Catalyst port also runs DTP by default, so alongside `switchport access vlan` set `switchport mode access` (and `switchport nonegotiate`) so that whatever is plugged into the port cannot negotiate itself into a trunk; that matters most on a port like this one, which faces the ISP. So to do this, you need to specify the VLAN on both the switch and the ASA, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the matching sub-interface (one per VLAN) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is set up properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your ACLs and lock them down tightly, and make sure you tie each access-list to an interface with `access-group`, because an unbound list does nothing. A list applied with `access-group ... in interface X` is evaluated against traffic entering the ASA from the network on X, so I write every ACL from the point of view of the requester, the client machine on that interface: its hosts are the sources and the places they are allowed to go are the destinations. That puts each rule as close to the endpoint as possible. The lists below are all `permit ip any4 any4 log`; they exist only so the logs show you what is actually flowing while you write the real rules. Don’t leave them in place: bound to Outside or a DMZ, a permit-any list lets that zone initiate to every higher-security network, which is a bigger hole than the implicit deny you had before the list was applied.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless
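To turn the cautions above (zones sharing a security level, named interfaces with no access-group bound, permit-any lists, a trunk that carries every VLAN, DTP left on an access port) into something you can run against captured `show run` text, here is an added Python example. It is mine, not code from the original post, and the audit rules and their wording are my own choices. The ASA and switch snippets inside it are constructed from the configurations shown on this page, trimmed to the lines the checks need, and `SWITCH_FIXED` shows the same switch ports with pruning, an unused native VLAN (999 is an arbitrary pick) and access mode applied.

```python
import re

# Constructed samples built from the configs shown above (vlan and ip address lines trimmed).
ASA_CONFIG = """\
interface Port-channel1.10
 nameif Outside
 security-level 0
!
interface Port-channel1.20
 nameif Inside
 security-level 100
!
interface Port-channel1.30
 nameif FrontDMZ
 security-level 0
!
interface Port-channel1.40
 nameif BackDMZ
 security-level 0
!
access-list outside-traffic-in extended permit ip any4 any4 log
access-list inside-traffic-in extended permit ip any4 any4 log
access-group outside-traffic-in in interface Outside
access-group inside-traffic-in in interface Inside
"""
SWITCH_CONFIG = """\
interface Port-channel1
 switchport mode trunk
!
interface GigabitEthernet4/0/19
 switchport access vlan 60
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
"""
# The same switch stanzas with pruning, an unused native VLAN and access mode applied.
SWITCH_FIXED = """\
interface Port-channel1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60
 switchport mode trunk
!
interface GigabitEthernet4/0/19
 switchport mode access
 switchport access vlan 60
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands (ASA and IOS alike)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith('interface '):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(' ') and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_asa(config):
    findings, levels, bound = [], {}, set()
    for lines in parse_interfaces(config).values():
        opts = dict(l.split(None, 1) for l in lines if ' ' in l)
        if 'nameif' in opts:  # unnamed interfaces carry no traffic, so they are skipped
            levels[opts['nameif']] = int(opts.get('security-level', 0))  # ASA default is 0
    for lvl in sorted(set(levels.values())):
        zones = sorted(z for z, v in levels.items() if v == lvl)
        if len(zones) > 1:  # no traffic between these without same-security-traffic permit
            findings.append('same security-level %d: %s' % (lvl, ', '.join(zones)))
    for line in config.splitlines():
        m = re.match(r'access-group \S+ in interface (\S+)', line)
        if m:
            bound.add(m.group(1))
        m = re.match(r'access-list (\S+) extended permit ip any[46]? any[46]?(\s|$)', line)
        if m:
            findings.append('%s: permit ip any any' % m.group(1))
    findings += ['%s: no inbound access-group' % z for z in sorted(levels) if z not in bound]
    return findings

def audit_switch(config):
    findings = []
    for name, lines in sorted(parse_interfaces(config).items()):
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if 'switchport mode trunk' in lines:
            if not has('switchport trunk allowed vlan'):
                findings.append('%s: trunk carries every VLAN' % name)
            if not has('switchport trunk native vlan'):
                findings.append('%s: native VLAN left at 1' % name)
        elif has('switchport access vlan') and 'switchport mode access' not in lines:
            findings.append('%s: DTP can still negotiate a trunk' % name)
        if name == 'Vlan1' and has('ip address '):
            findings.append('Vlan1: management address on the default VLAN')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit_asa(ASA_CONFIG) + audit_switch(SWITCH_CONFIG)))
    print('fixed switch stanzas: %s' % (audit_switch(SWITCH_FIXED) or 'clean'))
```

Run as-is it prints the findings for the configuration on this page and reports the fixed stanzas as clean; to check a real box, read a saved `show run` into `audit_asa` or `audit_switch` instead of the embedded samples.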


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!





http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_start.html#wp1709086
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_start.html#18497
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-5-0E/15-21E/configuration/guide/config/channel.html#pgfId-1040179
http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12033-89.html
http://www.amirmontazeri.com/?p=18
http://www.ciscozine.com/configuring-link-aggregation-with-etherchannel/
https://networkingtipz.wordpress.com/2013/12/09/etherchannel-on-asa-2/
http://www.gomjabbar.com/2012/05/08/cisco-asa-5520-creating-subinterfaces/
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/interface-vlan.pdf
https://supportforums.cisco.com/discussion/11378981/portchannel-cisco-asa-subinterface-vlan
https://www.fir3net.com/Firewalls/Cisco/configuring-etherchannel-on-an-asa-firewall.html
http://www.danpol.net/index.php/cisco/firewalls/asa-port-channels/
http://www.petenetlive.com/KB/Article/0001085.htm
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-1_19_ea1/configuration/guide/3750scg/swethchl.pdf


Backing up Cisco Configurations for Routers, Switches and Firewalls

I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

This should give you all the software you need:

sudo apt-get update
sudo apt-get install python python-pexpect python-paramiko

I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

Here you go: a fully scripted interrogation of a Cisco ASA 5520 that can be set up to run from a cron job. Two things to know before you schedule it. It pulls the config with `more system:running-config` rather than `show running-config` on purpose, because that form prints pre-shared keys and other passwords unmasked, which is what you want in a backup you may have to restore from, and also why the output directory must be readable only by the backup user. And the SSH host key of each ASA should be verified and added to the backup user’s known_hosts before the first run, since an unattended job has no way to verify it.

#!/usr/bin/python
# Scripted interrogation of a Cisco ASA over SSH: logs in with pexpect, turns off the pager
# and writes the output of each "show" command to its own file under <date>/<hostname>/.
import argparse
import datetime
import getpass
import os
import sys

import pexpect


### DEFINE VARIABLES (defaults; each can be overridden on the command line)

asahost = "192.168.222.1"
currenthostname = "TESTASA"
currentdate = datetime.date.today().strftime("%m-%d-%Y")

# (command, output file suffix, seconds to wait for the prompt to come back)
CAPTURES = [
    ('show version',                  'sh-ver.txt',         50),
    # "more system:running-config" shows keys and passwords unmasked, unlike "show run"
    ('more system:running-config',    'sh-run.txt',         999),
    ('show crypto isakmp sa',         'cryptoisakmp.txt',   50),
    ('dir disk0:',                    'dirdisk0.txt',       75),
    ('show interface',                'interfaces.txt',     100),
    ('show route',                    'show-route.txt',     300),
    ('show vpn-sessiondb detail',     'vpnsession.txt',     50),
    ('show vpn-sessiondb webvpn',     'webvpns.txt',        200),
    ('show vpn-sessiondb anyconnect', 'anyconnectvpns.txt', 999),
]

# The old positional form (python vpnbackup.py $currentdate $currentipaddress $tacacsuser
# $userpass $enpass $currenthostname) is replaced by the options below.
parser = argparse.ArgumentParser(description='Capture "show" output and the running-config from a Cisco ASA.')
parser.add_argument('-u', '--user',     default='cisco',         help='user name to log in with (default=cisco)')
parser.add_argument('-p', '--password', default=None,            help='login password (default: $ASA_PASSWORD, else prompt)')
parser.add_argument('-e', '--enable',   default=None,            help='enable password (default: $ASA_ENABLE, else prompt)')
parser.add_argument('-d', '--device',   default=asahost,         help='device to log in to (default=%s)' % asahost)
parser.add_argument('-n', '--name',     default=currenthostname, help='hostname used for the output directory (default=%s)' % currenthostname)
parser.add_argument('--date',           default=currentdate,     help='date directory to write under (default=today, MM-DD-YYYY)')


def asaLogin(args):
    # start ssh; the ASA's host key must already be in known_hosts (see the expect below)
    child = pexpect.spawn('ssh ' + args.user + '@' + args.device)
    # testing to see if I can increase the buffer
    child.maxread = 9999999
    # expect the password prompt.  A "continue connecting (yes/no)?" question means the
    # host key has never been verified; answering "yes" here would accept whatever key is
    # on the wire, so we stop instead and let a human verify and add the key.
    i = child.expect(['[Pp]assword:', 'continue connecting', pexpect.EOF, pexpect.TIMEOUT], timeout=30)
    if i != 0:
        child.close()
        sys.exit('ssh to %s did not reach a password prompt (unverified host key, EOF or timeout); '
                 'verify the host key by hand and add it to known_hosts first' % args.device)
    # send password, expect user mode prompt
    child.sendline(args.password)
    child.expect('>')
    # send enable command, expect password prompt, send enable password
    child.sendline('enable')
    child.expect('[Pp]assword:')
    child.sendline(args.enable)
    # expect enable mode prompt
    child.expect('# ', timeout=10)
    # set term pager to 0 so long output is not paused on "<--- More --->"
    child.sendline('terminal pager 0')
    child.expect('# ', timeout=10)
    outdir = createDir(args.date, args.name)
    for command, suffix, timeout in CAPTURES:
        capture(child, outdir, args.name, command, suffix, timeout)
    # send exit and close the ssh session
    child.sendline('exit')
    child.close()


def createDir(date, hostname):
    # The running-config capture contains cleartext pre-shared keys and passwords, so the
    # backup tree is created owner-only (0700) rather than with the default umask.
    outdir = os.path.join(date, hostname)
    for d in (date, outdir):
        if not os.path.isdir(d):
            os.mkdir(d, 0o700)
    return outdir


def capture(child, outdir, hostname, command, suffix, timeout):
    # one file per command: <date>/<hostname>/<hostname><MM-DD-YYYY><suffix>, as before
    path = os.path.join(outdir, hostname + datetime.datetime.now().strftime("%m-%d-%Y") + suffix)
    # binary mode: pexpect hands the log file raw bytes under both Python 2 and 3
    fout = open(path, 'wb')
    # everything read from the ASA while logfile_read is set goes to the file
    child.logfile_read = fout
    child.sendline(command)
    # wait for the enable prompt to come back, with a per-command timeout
    child.expect('# ', timeout=timeout)
    child.logfile_read = None
    fout.close()


def main():
    args = parser.parse_args()
    # Passwords are never hardcoded here.  For an interactive run you are prompted; for a
    # cron job export ASA_PASSWORD/ASA_ENABLE from a root-only file rather than passing
    # -p/-e, since command-line arguments are visible to every user in "ps".
    if args.password is None:
        args.password = os.environ.get('ASA_PASSWORD') or getpass.getpass('login password for %s@%s: ' % (args.user, args.device))
    if args.enable is None:
        args.enable = os.environ.get('ASA_ENABLE') or getpass.getpass('enable password: ')
    asaLogin(args)


if __name__ == '__main__':
    main()
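The script imports hashlib but never uses it. What a nightly job like this usually wants on top of the raw captures is to know whether the config changed since the previous run, and what changed. Here is an added Python example, mine rather than code from the original post, that fingerprints a saved running-config and diffs two captures while ignoring the header and trailer lines the ASA rewrites on every save. The set of volatile lines (`: Saved`, `: Written by`, `Cryptochecksum:`, `: end`) is an assumption to adjust for your own platform and version, and the two config texts are constructed samples, not real captures.

```python
import difflib
import hashlib
import re

# Lines the ASA regenerates on every save (assumed set; extend it for your platform).
VOLATILE = re.compile(r'^(: Saved|: Written by |Cryptochecksum:|: end)')

# Constructed sample: last night's capture of "more system:running-config" ...
OLD_CONFIG = """\
: Saved
: Written by enable_15 at 02:00:03.114 UTC Wed Oct 15 2014
!
ASA Version 8.4(2)160
!
hostname TESTASA
interface Port-channel1.30
 nameif FrontDMZ
 security-level 0
!
access-list frontdmz-traffic-in extended permit tcp any4 host 10.121.23.10 eq 443
access-group frontdmz-traffic-in in interface FrontDMZ
Cryptochecksum:1a2b3c4d5e6f708192a3b4c5d6e7f809
: end
"""

# ... and tonight's: identical except that the https rule became a permit-any.
NEW_CONFIG = """\
: Saved
: Written by enable_15 at 02:00:02.871 UTC Thu Oct 16 2014
!
ASA Version 8.4(2)160
!
hostname TESTASA
interface Port-channel1.30
 nameif FrontDMZ
 security-level 0
!
access-list frontdmz-traffic-in extended permit ip any4 any4 log
access-group frontdmz-traffic-in in interface FrontDMZ
Cryptochecksum:9f8e7d6c5b4a39281706f5e4d3c2b1a0
: end
"""


def normalize(text):
    """Config lines with the volatile header/trailer and trailing whitespace removed."""
    return [l.rstrip() for l in text.splitlines() if not VOLATILE.match(l)]


def fingerprint(text):
    """SHA-256 over the normalized config; stable across saves that changed nothing."""
    return hashlib.sha256('\n'.join(normalize(text)).encode('utf-8')).hexdigest()


def config_changes(old, new):
    """Added and removed lines between two captures, as (added, removed) lists."""
    diff = list(difflib.unified_diff(normalize(old), normalize(new), 'previous', 'current', n=0, lineterm=''))
    added = [l[1:] for l in diff if l.startswith('+') and not l.startswith('+++')]
    removed = [l[1:] for l in diff if l.startswith('-') and not l.startswith('---')]
    return added, removed


def review(old, new):
    """Summarize a nightly comparison and flag any new permit-any rule, the change most
    worth a human's attention."""
    if fingerprint(old) == fingerprint(new):
        return {'changed': False, 'added': [], 'removed': [], 'alerts': []}
    added, removed = config_changes(old, new)
    alerts = [l for l in added if re.search(r'\bpermit ip any[46]? any[46]?(\s|$)', l)]
    return {'changed': True, 'added': added, 'removed': removed, 'alerts': alerts}


if __name__ == '__main__':
    r = review(OLD_CONFIG, NEW_CONFIG)
    for line in r['removed']:
        print('- ' + line)
    for line in r['added']:
        print('+ ' + line)
    for line in r['alerts']:
        print('ALERT new permit-any: ' + line)
```

In a cron job, feed `review` the newest two `sh-run.txt` files and mail the result only when `changed` is true; the fingerprint is also a cheap way to store a per-day record of the config without keeping another copy of a file that contains cleartext keys.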

Here are all the websites that have provided help to me writing these scripts:
http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
http://yourlinuxguy.com/?p=300
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
http://paulgporter.net/2012/12/08/30/
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
http://ubuntuforums.org/archive/index.php/t-106287.html
http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
http://stackoverflow.com/questions/9806944/grep-only-text-files
http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
http://pastebin.com/qGRdQwpa
http://blog.pythonicneteng.com/2012/11/pexpect-module.html
https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
http://www.lag.net/paramiko/
http://www.lag.net/paramiko/docs/
http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
https://github.com/npug/asa-capture/blob/master/asa-capture.py
http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen
