Cisco – Oxidized Unable to Pull Cisco ASA Config

ciscocisco-asa

I am trying to configure an ASA with Oxidized but the log file keeps telling me "status no_connection" and goes through it's attempts. I have tried many different configurations with no success. I have put my current configuration below. Can someone help me figure out why I cannot pull this config?

config group:

groups:
  asadev:
    username: myusername
    password: mypw
    enable:          <-----(Currently nothing here. I have tried 'blank' here)

router.db

10.12.1.1:ios:asadev

Best Answer

A few ideas to get you moving forward:

Make sure SSH is working on the ASA. Can you SSH to it from your computer?
Then, make sure that the ASA allows SSH from the Oxidize server. Do a show run ssh on the ASA to see the sources from which the ASA will accept connections.
Once you're SSH'd to the ASA, you are put into user mode (where the prompt is firewall>. User mode gives you almost no privileges, so you have to escalate to 'enable' mode, where the prompt is firewall#. Enable mode will allow you to view the config by doing a show run. Whatever the Enable password is, it needs to be put into the Oxidize config. If the ASA does not have an Enable password, then set one by using the command enable password s0meth1ng-s3cret command in configuration mode on the ASA.

If all that doesn't work, then update your post with the output of a show ssh from your firewall, as well as the IP address of the Oxidize server, and we'll try to provide some other advice.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Further reading: ISR static routing

I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?

Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.

From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.

You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.

interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27

Best Answer

Related Solutions

Cisco – AAA/TACACS+ password on Cisco switch always fails at second password prompt

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Related Topic