This is one of a few ways you can get configuration backups from Cisco devices on a schedule.
I know at least 2 ways, using the archive or the kron feature. I will explain both ways, though personally I use kron. Of course neither way applies to ASA devices (as is usually the case :)) but I will show how you can schedule those backups as well. Besides admin access to the devices, you of course need an FTP or TFTP server accessible from those devices.
The archive feature is the easier way. It works on switches and routers. In config mode put:
sw1(config)#archive
sw1(config-archive)#path tftp://192.168.100.31/config/cisco/$h-
sw1(config-archive)#time-period 10080
sw1(config-archive)#write-memory
What this does is save the configuration file to your TFTP server with the filename sw1 ($h gets replaced with your hostname) every 7 days (time-period is given in minutes, so 10080 is one week). It is also backed up whenever you manually run the write memory command. The file on the server looks like this:
-rw-r--r-- 1 tftp tftp 6993 Sep 28 19:56 sw1-Sep-28-19-56-07-0
What is added to the file name is the date, the time and a backup number that increments by one every time. You can't control this part of the filename, and you also can't control the number of backups kept on the TFTP server using maximum under the archive configuration (at least not on the IOS 12.2(44) and IOS-XE 03.06.05E versions that I'm using). That option only works if the archive is written to local flash, for example. So old files on the TFTP or FTP server you have to delete manually.
That is the main reason why I personally use the kron feature for backups.
Kron is not as feature rich as cron on Linux, but it can get the job done. First we need to write an alias command for the remote backup to the TFTP/FTP server. Although it's not mandatory, it's a lot easier when you want to do an off-schedule configuration backup.
sw1(config)#alias exec wrinet sh run | redirect tftp://192.168.100.31/config/cisco/sw1
redirect is used because this way there are no confirmation prompts for source and destination. Now when you need to make a backup just write
Next we need to create the kron job:
sw1(config)#kron policy-list backup
sw1(config-kron-policy)#cli write
sw1(config-kron-policy)#cli wrinet
sw1(config-kron-policy)#exit
sw1(config)#kron occurrence backupSchedule at 5:00 Sun recurring
sw1(config-kron-occurrence)#policy-list backup
sw1(config-kron-occurrence)#exit
First we create a policy-list named backup with 2 commands that are run: write and wrinet. The first one is there to remedy the situation when I or someone else accidentally forgot to write the changes made in the running configuration, so this will take care of that.
After that we create a schedule that will run this policy-list every Sunday at 5:00AM. Instead of recurring you can put oneshot so it runs only once.
If you need to check that it's working, just create a new schedule and set it to run in the next few minutes:
sw1(config)#kron occurrence test in 5 oneshot
sw1(config-kron-occurrence)#policy-list backup
As with many things, the ASA is a little bit different. For this setup it means no archive and no kron feature. I'm using the 8.4(6) version. Maybe there are some changes in >9 versions.
First we create the alias command. It's a little bit different... of course. And there is no redirect, so we need to use the old command with prompts, but they will not get in the way.
asa(config)#command-alias exec wrinet copy running-config tftp://192.168.100.31/config/cisco/asa1
Since there is no kron we need to use a script that will automate the rest for us. In short, we SSH to the ASA and run the wrinet command. It is possible to set up an SSH key for the user that will be connecting, but there is no skipping the enable password prompt (it is still a security device).
asa(config)#username user1 attributes
asa(config-username)#service-type admin
asa(config-username)#ssh authentication publickey 0c:e5:46:bf:65:a2:d6:2a:73:57:08:65:4d:53:dd:0b:01:71:f1:87:a4:62:5a:11:02:50:d9:65:d0:8d:12:84
The script I use is written in bash. It needs a package called expect so we can automate the SSH connection and the commands:
sudo apt-get install expect
#!/bin/bash
# SSH user (with the public key configured above), enable password and ASA address
username="username"
password="password"
host="192.168.100.2"
# Everything between the EOD markers is an expect script; the session
# transcript is written to asa-backup.log
/usr/bin/expect <<EOD > asa-backup.log
spawn ssh -o ConnectTimeout=4 $username@$host
# user-mode prompt, then enter enable mode with the enable password
expect ">"
send "en\r"
expect "Password:"
send "$password\r"
# save running-config to startup-config first
expect "#"
send "write memory\r"
# run the alias; accept the copy prompts with empty answers
expect "#"
send "wrinet\r"
expect "Source*"
send "\r\r\r"
expect "#"
EOD
Start the script manually to see if it works. Then, if everything is OK, put it in a cron schedule and adjust the time to match the kron schedule on the routers and switches.
After all this you will have all the backup files uploaded on schedule to your remote server. The directory listing will look similar to this:
-rw-r--r-- 1 tftp tftp 29640 Sep 24 10:00 asa1
-rw-r--r-- 1 tftp tftp 6082 Sep 24 10:00 router1
-rw-r--r-- 1 tftp tftp 9144 Sep 24 10:00 sw1
-rw-r--r-- 1 tftp tftp 6886 Sep 24 00:01 sw2
-rw-r--r-- 1 tftp tftp 6993 Sep 24 19:56 sw3
-rw-r--r-- 1 tftp tftp 62 Sep 24 10:00 sw4
Now with git you can do version tracking. Just init this folder as a local git repository, put the add/commit step in a script and schedule it similarly to the backups. Since the file names never change, git will only stage and commit the files that differ from the last backup/git check. Just don't forget to remove the first line of each Cisco config for this to work properly: that line contains the date when the configuration was written, so git would see a change every time. With that line removed you're good to go.
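One way to wire up that git step, as an added example that is not part of the original post: the backup and repository paths are assumptions, the first line of each file is dropped as described above, and a commit is made only when something else actually changed.

```shell
#!/bin/bash
# Added example, not the original post's script: keep a git history of the
# backup directory in which only real configuration changes show up.
# BACKUP_DIR and REPO_DIR are assumed paths; adjust them to your server.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/srv/tftp/config/cisco}"
REPO_DIR="${REPO_DIR:-/srv/cisco-config-git}"

# Print the config without its first line. That line carries the date the
# config was written, so keeping it would make every backup look changed.
normalize_config() {
    tail -n +2 "$1"
}

# Copy each backup (normalised) into the repo and commit only when the
# staged content differs from the last commit.
sync_backups() {
    [ -d "$REPO_DIR/.git" ] || git init -q "$REPO_DIR"
    for f in "$BACKUP_DIR"/*; do
        [ -f "$f" ] || continue
        normalize_config "$f" > "$REPO_DIR/$(basename "$f")"
    done
    cd "$REPO_DIR"
    git add -A
    # exit status 1 means there is something staged, so commit it
    if ! git diff --cached --quiet; then
        git commit -q -m "config backup $(date '+%Y-%m-%d %H:%M')"
    fi
}

# Run from cron as: /path/to/this-script.sh --sync
if [ "${1:-}" = "--sync" ]; then
    sync_backups
fi
```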