Firewall – Overwriting Cisco ASA config using only console access

cisco-asa, firewall

I'd like to be able to apply a pre-written config to a Cisco ASA 5505, but presently I only have access to it via the serial console and not over the network.

Various sources suggest pasting the config into the terminal when in Global Configuration mode. The difficulty with this is that it merges the pasted config with the current running config, as opposed to replacing it, leaving some remnants of the original config, and sometimes causing odd errors. I can run a configure factory-default first to put the ASA back to a simple factory default configuration, but even then there's enough in the running config to mean the resultant merged config isn't quite right.

I appreciate that I could do the following:

  1. Paste in chunks and address errors as they arise
  2. Compare the resultant running config against my pre-written one
  3. Remove any elements that are remnants from the base config

…but that's error prone and time consuming. If there's a way to do a straight overwrite/replace, it would be useful for the future.

I don't necessarily need to replace the running config; replacing the startup config and reloading would be preferable really.

So, is there a way to reliably overwrite the config on an ASA rather than merging it with the current config using only console access, or can it only be done via TFTP/ASDM/etc.?

Best Answer

Updated Answer to Address Updated Question

New key information:

There is no possibility of temporarily configuring an ethernet port on the ASA to provide IP communications. As a result any answer cannot require the use of ASDM (HTTP/HTTPS), TFTP, SSH, or Telnet.

Answer

The answer is that if your only way to connect to the ASA is via the console cable and you have a premade configuration you want to have on the ASA, then you must make the configuration changes manually. This might mean writing out the negative forms of existing commands and inserting them at the beginning of your config, but it will require either typing the commands or copying and pasting them.

Why

More important than the answer to this question is understanding what the different ways to load a configuration onto an ASA are, and what each one does and doesn't do.

According to Cisco there are a number of ways you can restore an ASA configuration. As the OP identified, not all of these solutions give you the desired result without some manual work, but if your only option is using a serial cable you are going to have to do some manual work no matter what.

You will notice I am going to start with TFTP; it is first because this continues to be the preferred method for uploading configuration files and firmware to ASA and IOS devices.

TFTP

Trivial File Transfer Protocol, or TFTP, is a UDP-based IP communication protocol. In order to use TFTP you will need to set up a TFTP server, and the Cisco ASA will need to have network access to the same network the TFTP server is running on. Because TFTP is an IP communication protocol, you cannot use TFTP to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

TFTP requires the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from a TFTP server to an ASA.

copy tftp://server[/path]/filename startup-config
reload

FTP

File Transfer Protocol, or FTP, is a UDP-based IP communication protocol. In order to use FTP you will need to set up an FTP server, and the Cisco ASA will need to have network access to the same network the FTP server is running on. Because FTP is an IP communication protocol, you cannot use FTP to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

FTP requires the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from an FTP server to an ASA.

copy ftp://[user[:password]@]server[/path]/filename startup-config
reload

HTTP/HTTPS

Hypertext Transfer Protocol, or HTTP, and Hypertext Transfer Protocol Secure, or HTTPS, are TCP-based IP communication protocols. In order to use HTTP or HTTPS you will need to set up an HTTP or HTTPS server, and the Cisco ASA will need to have network access to the same network the HTTP or HTTPS server is running on. Because HTTP and HTTPS are IP communication protocols, you cannot use HTTP or HTTPS to transfer a configuration file to an ASA if your computer is only connected to the ASA with a console cable.

HTTP and HTTPS require the use of IP to connect the ASA to your computer.

The commands below can be used to upload a configuration file from an HTTP or HTTPS server to an ASA.

copy http[s]://[user[:password]@]server[:port][/path]/filename startup-config
reload

Terminal Emulation Program

So, if you use a terminal emulation program (like PuTTY) to "transfer" the configuration to an ASA, that is fine as long as you don't mind transferring the config as text instead of uploading the file.

As you know, if you copy and paste the premade config into PuTTY it will merge the premade config with the existing config on the ASA. You have two choices now.

You can copy and paste the premade config into PuTTY and use no at the beginning of each line in the new config that needs to be removed. After you remove the lines you don't need in the config, you can use the commands wr mem and reload to save the changes from running-config to startup-config and restart the ASA.

The other method is similar but allows you to do all of the configuration changes at once. You will need to download the running-config from the ASA (you can enter the command sh run in PuTTY and, if you have PuTTY's logging turned on, it will create a text file on your computer with the sh run output). Now that you have the running-config, add no to the beginning of each line that needs to come out of the running-config. Copy the lines you edited in the running-config. Open your premade config and at the end of the text file paste the edited lines from the running-config. Copy and paste your complete config into PuTTY. After the config is entered on the ASA you will have your proper config uploaded to the running-config. Now run wr mem to save the running-config to startup-config. After the config is saved, restart the ASA with the command reload.

GUI

Of course, if you want to overwrite the ASA running-config with your premade config from a GUI you can use ASDM. ASDM requires the HTTP server to be enabled on the ASA. That means for ASDM to be an option you must have an Ethernet port on the ASA configured, and the ASA needs to be connected to the same network as the computer you are starting ASDM from.

Based on the requirements you have your only option is using the Terminal Emulation Program method. If you need more information please read the articles below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/admin_swconfig.html

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-122-mainline/46741-backup-config.html#em-prog
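As an added worked example (not code from the answer's author or from Cisco), the second terminal-emulation method above can be scripted rather than edited by hand. The Python below parses a saved sh run capture, emits the no forms in dependency-safe order (negations first, then the pre-written config, as the answer's first description has it), skips the lines you must keep when the console is your only access, flags lines it cannot safely reverse, and afterwards reports remnants against the pre-written config (steps 2 and 3 of the question). The embedded show run excerpt and pre-written config are constructed, and the KEEP_PREFIXES / REMOVABLE_BLOCKS lists are assumptions to be checked against your own device output.

```python
"""Console-only ASA config replacement, as described in the answer above:
turn a 'show running-config' capture into the 'no ...' lines that clear it,
to be pasted before the pre-written config, then diff for remnants.

Added example, not code from the answer's author or from Cisco. KEEP_PREFIXES,
REMOVABLE_BLOCKS and the reverse-order negation are this example's own
assumptions: review the generated lines before pasting them into a real ASA.
"""
from __future__ import annotations

# Assumed: lines that are not commands, or must survive a console-only cleanup
# ('no enable password' issued over the console could lock you out).
KEEP_PREFIXES = (":", "ASA Version", "hostname", "enable password", "passwd",
                 "names", "Cryptochecksum", "end")
# Assumed: blocks the ASA deletes outright with 'no <header>'. Physical
# interfaces are deliberately absent: they stay and only their settings go.
REMOVABLE_BLOCKS = ("object ", "object-group ", "class-map ", "policy-map ",
                    "interface Vlan")


def parse_blocks(show_run: str) -> list[tuple[str, list[str]]]:
    """Split 'show run' text into (top-level command, [sub-commands]);
    the ASA indents sub-commands, so indentation is the only cue."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in show_run.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] in " \t" and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def negate(show_run: str) -> tuple[list[str], list[str]]:
    """Return (cleanup_lines, needs_review). Paste cleanup_lines in global
    configuration mode, then the pre-written config, then write memory and
    reload. Commands are walked in REVERSE order so dependents go first
    ('no service-policy' before 'no policy-map' before 'no class-map');
    a captured 'no ...' line is a disabled default and is only reported."""
    cleanup: list[str] = []
    review: list[str] = []
    for head, subs in reversed(parse_blocks(show_run)):
        if head.startswith(KEEP_PREFIXES):
            continue
        if head.startswith("no "):
            review.append(head)
        elif head.startswith(REMOVABLE_BLOCKS):
            cleanup.append(f"no {head}")
        elif subs:
            # Undeletable block (e.g. interface Ethernet0/0): enter it and
            # clear each sub-command that is not already a 'no ...' line.
            cleanup.append(head)
            cleanup.extend(f"no {s}" for s in reversed(subs)
                           if not s.startswith("no "))
            cleanup.append("exit")
        else:
            cleanup.append(f"no {head}")
    return cleanup, review


def remnants(show_run_after: str, premade_config: str) -> list[str]:
    """Steps 2 and 3 of the question: top-level lines still on the ASA after
    the paste that the pre-written config never asked for."""
    wanted = {head for head, _ in parse_blocks(premade_config)}
    return [head for head, _ in parse_blocks(show_run_after)
            if head not in wanted and not head.startswith(KEEP_PREFIXES)]


# Constructed 'show run' excerpt shaped like a factory-default ASA 5505 and a
# constructed pre-written config; neither was captured from a real device.
SAMPLE_SHOW_RUN = """\
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Ethernet0/0
 switchport access vlan 2
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ftp mode passive
no asdm history enable
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
"""
SAMPLE_PREMADE = """\
hostname fw1
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
```

Running negate(SAMPLE_SHOW_RUN) gives the cleanup lines to paste in global configuration mode, followed by the pre-written config, wr mem and reload; whatever lands in the needs_review list (lines that were already no ... in the capture) has to be decided by hand, and the sh run output taken after the reload can be fed to remnants() to catch what the merge left behind.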