Firewall Builder 4.0 introduces the ability to install the generated configuration using scp.
The built-in installer in Firewall Builder v4.0 can use the scp command to copy the IOS configuration to the router over ssh and then run "copy file running-config" to activate it. This method is much faster than entering the configuration line by line. The router must be configured with ssh v2 and an scp server.
To enable scp transfer open the Firewall Settings for the firewall, select the Installer tab, and enable the checkbox for "Copy generated configuration file to the router using scp". Since this option is configured separately for each firewall object, you can have a mix of installation methods if some routers do not support scp.
For instructions on how to configure scp on IOS, see Secure Copy. You need to do the following:
Create RSA keys with "crypto key generate rsa" (the complete command sequence is shown below).
Enable ssh v2 using the command "ip ssh version 2".
If you get the error message "Please create RSA keys (of atleast 768 bits size) to enable SSH v2" after this command, you probably need to tell the ssh server which key to use by name with the command "ip ssh rsa keypair-name key_name", as shown in the example below.
Enable the scp server using the command "ip scp server enable".
The user account used to copy the policy should have privilege 15: "username vadim privilege 15 password 7 XXXXXXXXXXX".
Set up authentication using the "aaa new-model" command.
The whole sequence should look like this:
router(config)#hostname router_host_name
router(config)#ip domain-name domain.com
router(config)#crypto key generate rsa
The name for the keys will be: router_host_name.domain.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

router(config)#ip ssh version 2
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
router(config)#ip ssh rsa keypair-name router_host_name.domain.com
*May 2 12:09:20.155: %SSH-5-ENABLED: SSH 2.0 has been enabled
router(config)#ip scp server enable
router(config)#
router(config)#aaa new-model
router(config)#aaa authentication login default local
router(config)#aaa authorization exec default local
router(config)#username tiger privilege 15 password 0 enter_password_here
To generate the key and store it on a specific storage device, use the command:
crypto key generate rsa general-keys modulus 1024 storage nvram:
To troubleshoot when scp is not working:
Test with a command-line scp tool rather than the fwbuilder installer. Use "scp" on Linux and Mac OS X and "pscp.exe" on Windows, like this: "scp file.fw router:nvram:file.fw".
Check that ssh and scp are enabled on the router (see the commands above).
Check that the user account has privilege 15.
Use the command "debug ip ssh" on the router to turn debugging on. The diagnostic messages it prints to the console and to the log may help you identify the problem.
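The two "check that ..." steps above can be automated against a saved copy of the router's running configuration. The following script is an added example (not part of Firewall Builder or of Cisco IOS): it scans "show running-config" text for the prerequisites listed on this page (ssh v2, scp server, aaa new-model, and a privilege-15 account for the user the installer logs in as) and reports which ones are missing. The two sample configurations and the user name "tiger" are constructed for the example.

```python
import re

# Constructed sample of "show running-config" output from a router that has
# been set up as described on this page.
SAMPLE_GOOD_CONFIG = """\
hostname router_host_name
ip domain-name domain.com
ip ssh version 2
ip ssh rsa keypair-name router_host_name.domain.com
ip scp server enable
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username tiger privilege 15 password 0 enter_password_here
"""

# Constructed sample of a router that is missing the scp server, aaa, and
# has the installer user at the default privilege level.
SAMPLE_BAD_CONFIG = """\
hostname router_host_name
ip domain-name domain.com
ip ssh version 2
username tiger privilege 1 password 0 enter_password_here
"""

# Exact configuration lines that must be present (from the list on this page).
REQUIRED_LINES = {
    "ssh_v2": "ip ssh version 2",
    "scp_server": "ip scp server enable",
    "aaa_new_model": "aaa new-model",
}


def user_privilege(config_text, username):
    """Return the privilege level configured for `username`, or None if the
    account does not exist. A "username" line without the "privilege" keyword
    leaves the account at the IOS default (1), so it is reported as 1."""
    level = None
    for line in config_text.splitlines():
        m = re.match(r"\s*username\s+(\S+)(?:\s+privilege\s+(\d+))?", line)
        if m and m.group(1) == username:
            level = int(m.group(2)) if m.group(2) else 1
    return level


def check_scp_prerequisites(config_text, username):
    """Return {prerequisite_name: True/False} for the given running-config text."""
    lines = {line.strip() for line in config_text.splitlines()}
    result = {name: (cmd in lines) for name, cmd in REQUIRED_LINES.items()}
    result["user_privilege_15"] = (user_privilege(config_text, username) == 15)
    return result


def missing_prerequisites(config_text, username):
    """Sorted list of prerequisite names that are not satisfied."""
    checks = check_scp_prerequisites(config_text, username)
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD_CONFIG), ("bad", SAMPLE_BAD_CONFIG)):
        missing = missing_prerequisites(cfg, "tiger")
        print(f"{label}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

The script only checks the lines this page names. It cannot tell whether an RSA key of sufficient size actually exists on the router (keys do not appear in the running configuration), so a "debug ip ssh" session as described above is still the way to confirm that part.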
The installer does not use the command "config replace" because the configuration created by fwbuilder is incomplete and should be merged with the running config rather than replace it.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.