OK, this is something I’ve been using for a while and wanted to share with you, as I’ve been asked for it a couple of times now.
I’ve got a pair of Cisco ASAs at the perimeter of our network, and some time ago I needed a way to edit their configuration in a scripted manner. I started by looking at PowerShell and SSH connections, which didn’t get me anywhere, so I turned to PLINK.exe. PLINK is almost a spin-off from PuTTY, a free remote connection tool that supports SSH. PLINK is scriptable, in that you can pass it a text file and it’ll run each line of that file as a separate command. Simply enough, the PowerShell script below echoes any commands you need out to a file, then starts PLINK and runs them. If it’s a system that you’ve not connected to before, and you don’t have its host key saved in your registry, you’ll be prompted to accept it.
$ASApw = "MyPassword"
$ASAIP = "MyASAIPAddress"
$ASAUser = "MySSHUserName"
$ASAEnablepw = $ASApw

#Modifies the ASA firewall
#Starts by writing a "commands" file (PowerShell's >> redirection writes it as Unicode)#
echo en >>unicode.txt
echo $ASAEnablepw >>unicode.txt
echo "conf t" >>unicode.txt
echo "show run access-group" >>unicode.txt
echo exit >>unicode.txt   #leaves config mode
echo exit >>unicode.txt   #ends the SSH session

#Converts the file to ASCII format (separate file), which is what PLINK needs to send#
$lines = gc "unicode.txt"
$lines | out-file -encoding Ascii -filepath commands.txt

#Using the command file and plink.exe connects and runs the commands#
./plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt

#removes the files it created earlier (the enable password is in them in clear text)#
del unicode.txt
del commands.txt
In the above example, the ASA will be asked to show its running config’s access-group configuration. You’ll need to modify the echo lines to get this to perform other actions (I use this script to modify static mapping entries and access-lists, for example). You’ll also need to replace “$ASAIP”, “$ASAUser” and “$ASApw” with your IP address, SSH username and SSH password. The script assumes that the enable password matches the SSH password; if not, edit “$ASAEnablepw” and add your enable password there. If you don’t like storing passwords this way (I don’t particularly), you can always change these to “Read-Host” to request the entry from the PowerShell command line.
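As an added example (not the original post’s script), here is the same PLINK workflow reworked the way the last paragraph suggests: credentials are prompted for rather than stored, the command file is written as ASCII in one step and removed even if PLINK fails, and the ASA’s host key is pinned so a changed key aborts the run instead of silently prompting. The address and fingerprint are placeholders; the `-batch` and `-hostkey` switches are standard PLINK options.

```powershell
# Placeholders: replace with your ASA's address and the fingerprint PLINK shows
# on the first interactive connection (the "accept it" prompt mentioned above).
$ASAIP      = "MyASAIPAddress"
$ASAHostKey = "SHA256:REPLACE_WITH_YOUR_ASA_FINGERPRINT"

# Prompt for credentials instead of hardcoding them in the script.
$cred     = Get-Credential -Message "ASA SSH account"
$enableSS = Read-Host -AsSecureString -Prompt "Enable password (blank = same as SSH password)"
$sshPw    = $cred.GetNetworkCredential().Password

# Unwrap the SecureString only for the moment it is needed.
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($enableSS)
$enablePw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ([string]::IsNullOrEmpty($enablePw)) { $enablePw = $sshPw }

# Command sequence written straight to a temp file as ASCII, so the separate
# Unicode-to-ASCII conversion (and second file) from the original is not needed.
$cmdFile  = Join-Path $env:TEMP ("asa-" + [guid]::NewGuid().ToString() + ".txt")
$commands = @(
    "en",
    $enablePw,              # unavoidably in the file in clear text; removed in finally
    "conf t",
    "show run access-group",
    "exit",                 # leave config mode
    "exit"                  # end the session
)

try {
    $commands | Out-File -FilePath $cmdFile -Encoding ASCII

    # -batch   : never stop at an interactive prompt (fail instead of hanging)
    # -hostkey : refuse to connect unless the ASA presents the pinned key
    # -pw      : as in the original; note it is visible in the process list
    #            while PLINK runs (PuTTY 0.77+ also offers -pwfile).
    $output = & .\plink.exe -ssh -batch -hostkey $ASAHostKey `
                -l $cred.UserName -pw $sshPw $ASAIP -m $cmdFile 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "plink exited with code $LASTEXITCODE`n$output"
    }
    $output
}
finally {
    # Clean up the command file and drop the clear-text copies of the passwords.
    if (Test-Path $cmdFile) { Remove-Item $cmdFile -Force }
    $sshPw = $null; $enablePw = $null
}
```

A wrong or changed host key now makes PLINK exit non-zero and the script throw, which is the behaviour you want from an unattended job rather than a prompt nobody will answer.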