Aug 06

Configuring AnyConnect SSL VPN Client Connections

Overview

ASA: 8.3+ (Written/Tested on 9.0)

Authentication: Local (Local ASA User Database)

Type: Split-tunnel OR Non split-tunnel

The configurations below will work with 8.3+, but were written and tested with 9.0.  When setting up an Anyconnect VPN tunnel, you can push all traffic from the client over the VPN (tunnel all) or you can use a split tunnel to push only traffic destined for selected subnets over the VPN tunnel.  In layman's terms, the client's Internet traffic originates from their ISP in a split tunnel, and it originates from the ASA when using tunnel all.  The configuration examples below assume you have a basic setup equivalent to running factory-default and are set up to authenticate locally to the ASA.  I will give examples of each configuration below.

Network Diagram

Network Diagram Anyconnect VPN

The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps.  Here are the results of that command:

ciscoasa(config)# vpnsetup ssl-remote-access steps

Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:

1. Configure and enable interface

        interface GigabitEthernet0/0
         ip address 10.10.4.200 255.255.255.0
         nameif outside
         no shutdown

        interface GigabitEthernet0/1
         ip address 192.168.0.20 255.255.255.0
         nameif inside
         no shutdown

2. Enable WebVPN on the interface

        webvpn
         enable outside

3. Configure default route

        route outside 0.0.0.0 0.0.0.0 10.10.4.200

4. Configure AAA authentication and tunnel group

        tunnel-group DefaultWEBVPNGroup type remote-access
        tunnel-group DefaultWEBVPNGroup general-attributes
         authentication-server-group LOCAL

5. If using LOCAL database, add users to the Database

        username test password t3stP@ssw0rd
        username test attributes
         service-type remote-access

Proceed to configure AnyConnect VPN client:

6. Point the ASA to an AnyConnect image

        webvpn
         svc image anyconnect-win-2.1.0148-k9.pkg

7. enable AnyConnect

        svc enable

8. Add an address pool to assign an ip address to the AnyConnect client

        ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

9. Configure group policy

        group-policy DfltGrpPolicy internal
        group-policy DfltGrpPolicy attributes
         vpn-tunnel-protocol svc webvpn

There are a few important things to note from Cisco’s directions:

  1. They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
  2. The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
  3. They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
  4. They are using outdated “svc” commands, which were replaced with “anyconnect”.
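
Points 2 and 4 can be checked mechanically before a configuration is pasted into the ASA. The script below is an added example, not part of the original article or of any Cisco tooling: it flags remote-access tunnel groups with no address pool attached, pools that are referenced but never defined, and leftover "svc" syntax. It assumes pools are attached on the tunnel group, as this article does, and does not consider pools assigned through a group policy or AAA.

```python
import re

# Excerpt of Cisco's vpnsetup output quoted above (steps 4 and 6-9).
CISCO_STEPS = """\
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
webvpn
 svc image anyconnect-win-2.1.0148-k9.pkg
 svc enable
ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc webvpn
"""

# Pool, group policy and tunnel group as written in this article's configurations.
ARTICLE_CONFIG = """\
ip local pool pool-anyconnect 192.168.100.1-192.168.100.254 mask 255.255.255.0
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
vpn-tunnel-protocol ssl-client
tunnel-group TunnelGroup_Anyconnect type remote-access
tunnel-group TunnelGroup_Anyconnect general-attributes
authentication-server-group LOCAL
default-group-policy GroupPolicy_Anyconnect
address-pool pool-anyconnect
tunnel-group TunnelGroup_Anyconnect webvpn-attributes
group-alias 1-Admin enable
"""

# Commands that leave tunnel-group general-attributes mode (assumed subset).
LEAVES_MODE = re.compile(r"(tunnel-group|group-policy|webvpn|username|end|exit)\b")


def audit_remote_access(config):
    """Return a list of findings for the remote-access tunnel groups in config."""
    pools, attached, findings = set(), {}, []
    current = None  # tunnel group whose general-attributes are being read
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip local pool (\S+) ", line):
            pools.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type remote-access$", line):
            attached.setdefault(m.group(1), [])
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            current = m.group(1)
            continue
        elif (m := re.match(r"address-pool (\S+)$", line)) and current in attached:
            attached[current].append(m.group(1))
        elif re.match(r"svc |vpn-tunnel-protocol .*\bsvc\b", line):
            findings.append(f"deprecated svc syntax: {line}")
        if LEAVES_MODE.match(line):
            current = None
    for group, names in attached.items():
        if not names:
            findings.append(f"tunnel-group {group}: no address-pool attached")
        findings += [f"tunnel-group {group}: pool {n} is not defined"
                     for n in names if n not in pools]
    return findings


if __name__ == "__main__":
    for name, text in (("Cisco steps", CISCO_STEPS), ("Article", ARTICLE_CONFIG)):
        print(name, audit_remote_access(text) or "OK")
```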

With that said, let’s move on to the configurations!

Anyconnect Configuration 1: Tunnel All

!Enable WebVPN, Set Anyconnect Image, and Enable Anyconnect
config t
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05178-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 3
anyconnect enable
end
!Create Address Pool for Anyconnect Clients
config t
ip local pool pool-anyconnect 192.168.100.1-192.168.100.254 mask 255.255.255.0
end
!Create Group Policy for Anyconnect
config t
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
vpn-tunnel-protocol ssl-client
end
!Create Tunnel Group for Anyconnect
config t
tunnel-group TunnelGroup_Anyconnect type remote-access
tunnel-group TunnelGroup_Anyconnect general-attributes
authentication-server-group LOCAL
default-group-policy GroupPolicy_Anyconnect
address-pool pool-anyconnect
tunnel-group TunnelGroup_Anyconnect webvpn-attributes
group-alias 1-Admin enable
end
!Create Dynamic PAT for Anyconnect Clients and Enable Outside Traffic to Enter/Exit the Same Interface
config t
object-group network obj-anyconnect
network-object 192.168.100.0 255.255.255.0
exit
nat (outside,outside) after-auto source dynamic obj-anyconnect interface
same-security-traffic permit intra-interface
end
!Tunnel All Traffic Over Anyconnect VPN and Force Use of DNS Servers
config t
group-policy GroupPolicy_Anyconnect attributes
split-tunnel-policy tunnelall
split-tunnel-all-dns enable
end
!(OPTIONAL)Create Local User for Anyconnect
config t
username user1 password P@SSWORD
username user1 attributes
service-type remote-access
end
!(OPTIONAL) Add DNS Settings for Anyconnect Client
config t
group-policy GroupPolicy_Anyconnect attributes
dns-server value 10.1.1.10 10.1.1.11
default-domain value domain.local
end
!(OPTIONAL) Allow Anyconnect IP Pool to Manage ASA
config t
ssh 192.168.100.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
management-access inside
end
!(OPTIONAL)Auto launch anyconnect
config t
group-policy GroupPolicy_Anyconnect attributes
webvpn
anyconnect ask none default anyconnect
end

Anyconnect Configuration 2: Split Tunnel

!Enable WebVPN, Set Anyconnect Image, and Enable Anyconnect
config t
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05178-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 3
anyconnect enable
end
!Create Address Pool for Anyconnect Clients
config t
ip local pool pool-anyconnect 192.168.100.1-192.168.100.254 mask 255.255.255.0
end
!Create Group Policy for Anyconnect
config t
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
vpn-tunnel-protocol ssl-client
end
!Create Tunnel Group for Anyconnect
config t
tunnel-group TunnelGroup_Anyconnect type remote-access
tunnel-group TunnelGroup_Anyconnect general-attributes
authentication-server-group LOCAL
default-group-policy GroupPolicy_Anyconnect
address-pool pool-anyconnect
tunnel-group TunnelGroup_Anyconnect webvpn-attributes
group-alias 1-Admin enable
end
!Create NAT Exemption
config t
object-group network obj-anyconnect
network-object 192.168.100.0 255.255.255.0
exit
nat (inside,outside) 2 source static any any destination static obj-anyconnect obj-anyconnect no-proxy-arp route-lookup
end
!Create Split Tunnel, Allow Access to VPN and Inside Subnets, and Apply to Group Policy
config t
access-list ACL_split-tunnel standard permit 192.168.100.0 255.255.255.0
access-list ACL_split-tunnel standard permit 10.1.1.0 255.255.255.0
group-policy GroupPolicy_Anyconnect attributes
split-tunnel-policy tunnelspecified
split-tunnel-network value ACL_split-tunnel
end
!(OPTIONAL)Create Local User for Anyconnect
config t
username user1 password P@SSWORD
username user1 attributes
service-type remote-access
end
!(OPTIONAL) Add DNS Settings for Anyconnect Client
config t
group-policy GroupPolicy_Anyconnect attributes
dns-server value 10.1.1.10 10.1.1.11
default-domain value domain.local
end
!(OPTIONAL) Allow Anyconnect IP Pool to Manage ASA
config t
ssh 192.168.100.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
management-access inside
end
!(OPTIONAL)Auto launch anyconnect
config t
group-policy GroupPolicy_Anyconnect attributes
webvpn
anyconnect ask none default anyconnect
end

 

Testing the Configuration

Open a web browser, connect to your ASA (https://vpn.domain.com OR https://172.31.100.1), and you’ll be prompted to log in.  You can log in with the user account you created in the configuration above.  The Anyconnect client will install automatically; if it fails, you may need to download and install it manually.  Once installed, you can connect to your ASA by the outside interface (vpn.domain.com OR 172.31.100.1) and authenticate with the user you created.

Additional Notes

You may wish to use a 3rd party SSL certificate (e.g. Verisign, Thawte, Godaddy, etc.) so end users do not get prompted with certificate warnings.  A Cisco ASA will regenerate its certificate upon reboot, and because of this you should create a self-signed certificate whenever you cannot use a 3rd party.  You can create the self-signed certificate as follows:

!Create Self Signed Certificate
config t
crypto ca trustpoint SELF
enrollment self
fqdn vpn.domain.com
subject-name cn=vpn.domain.com,dc=domain,dc=com
exit
crypto ca enroll SELF
!The following warnings will generate, answer accordingly as below:
!
!WARNING: The certificate enrollment is configured with an fqdn
!that differs from the system fqdn. If this certificate will be
!used for VPN authentication this may cause connection problems.
!
!Would you like to continue with this enrollment? [yes/no]: yes
!
!The fully-qualified domain name in the certificate will be: vpn.domain.com
!
!Include the device serial number in the subject name? [yes/no]: no
!
!Generate Self-Signed Certificate? [yes/no]: yes
!
!Attach the certificate to the outside interface
ssl trust-point SELF outside
end

 

Jul 28

How to Configure a Cisco ASA Site-to-Site IPSec VPN

This article will explain how to configure a Site-to-Site IPSec VPN between Cisco ASA 55XXs using IKEv1.  My example below shows how to configure VPNs between 3 sites but can be modified for the following scenarios without much explanation:

  • site-to-site VPN between 2 sites (Just remove SiteC… duh!)
  • site-to-site to 3+ sites (just follow the example and modify for N+1 sites.  If you’re doing more than 3 sites, you may wish to look at a hub and spoke model to simplify the network and backups, etc.)
  • Hub and spoke VPN, where 2 remote offices only connect to a main office (If SiteA is the Hub, on SiteB remove the SiteC configuration, on SiteC remove the SiteB configuration, etc…)

Overview

Network Diagram

ASA_Multi_Site-to-site_IPSEC_VPN


Phase 1 Settings

Attribute        Value
Authentication   Preshared Keys
Encryption       3DES
Hash             MD5
DH Group         Group 2
Lifetime         86400 seconds

Phase 2 Settings

Attribute        Value
Mode             Tunnel
Encryption       3DES
Hash             SHA-1
PFS              Enabled
Lifetime         86400 seconds

Configure SiteA

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteA
config t
object-group network obj-local
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteB
config t
object-group network obj-SiteB
network-object 10.0.2.0 255.255.255.0
end
!Create Object for Remote LAN SiteC
config t
object-group network obj-SiteC
network-object 10.0.3.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteB
config t
access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB
end
!Configure VPN ACL SiteC
config t
access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteB
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteC
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:86400s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.3 type ipsec-l2l
tunnel-group 1.1.1.3 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map name and each VPN needs a unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 2 match address ACL_SiteB
crypto map crypto-map 2 set peer 1.1.1.2
crypto map crypto-map 2 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 3 match address ACL_SiteC
crypto map crypto-map 3 set peer 1.1.1.3
crypto map crypto-map 3 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end

 

Configure SiteB

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteB
config t
object-group network obj-local
network-object 10.0.2.0 255.255.255.0
end
!Create Object for Remote LAN SiteA
config t
object-group network obj-SiteA
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteC
config t
object-group network obj-SiteC
network-object 10.0.3.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteA
config t
access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA
end
!Configure VPN ACL SiteC
config t
access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteA
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteC
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:86400s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.3 type ipsec-l2l
tunnel-group 1.1.1.3 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map name and each VPN needs a unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 1 match address ACL_SiteA
crypto map crypto-map 1 set peer 1.1.1.1
crypto map crypto-map 1 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 3 match address ACL_SiteC
crypto map crypto-map 3 set peer 1.1.1.3
crypto map crypto-map 3 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end

Configure SiteC

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteC
config t
object-group network obj-local
network-object 10.0.3.0 255.255.255.0
end
!Create Object for Remote LAN SiteA
config t
object-group network obj-SiteA
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteB
config t
object-group network obj-SiteB
network-object 10.0.2.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteA
config t
access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA
end
!Configure VPN ACL SiteB
config t
access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteA
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteB
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:86400s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:86400s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map name and each VPN needs a unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 1 match address ACL_SiteA
crypto map crypto-map 1 set peer 1.1.1.1
crypto map crypto-map 1 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 2 match address ACL_SiteB
crypto map crypto-map 2 set peer 1.1.1.2
crypto map crypto-map 2 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end
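
Each tunnel only comes up cleanly if both ends agree: the crypto ACLs must mirror each other and the PFS setting must match. The script below is an added example, not part of the original article; it compares the two ends of the SiteA-SiteB tunnel using lines excerpted from the configurations above and the WAN IPs 1.1.1.1 (SiteA) and 1.1.1.2 (SiteB) taken from the tunnel-group lines. Run against those lines it also reports that neither crypto map entry contains a "set pfs" line, although the Phase 2 table lists PFS as enabled.

```python
import re

# SiteA <-> SiteB lines excerpted from this article's SiteA and SiteB configurations.
SITE_A = """\
object-group network obj-local
network-object 10.0.1.0 255.255.255.0
object-group network obj-SiteB
network-object 10.0.2.0 255.255.255.0
access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB
crypto map crypto-map 2 match address ACL_SiteB
crypto map crypto-map 2 set peer 1.1.1.2
crypto map crypto-map 2 set transform-set ESP-3DES-SHA
"""
SITE_B = """\
object-group network obj-local
network-object 10.0.2.0 255.255.255.0
object-group network obj-SiteA
network-object 10.0.1.0 255.255.255.0
access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA
crypto map crypto-map 1 match address ACL_SiteA
crypto map crypto-map 1 set peer 1.1.1.1
crypto map crypto-map 1 set transform-set ESP-3DES-SHA
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")
MAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer|set pfs)\s*(\S*)")

def parse_site(config):
    """Return (object groups, crypto ACLs, crypto map entries) from ASA config text."""
    groups, acls, entries, group = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"object-group network (\S+)", line):
            group = m.group(1)
            groups[group] = set()
        elif (m := re.match(r"network-object (\S+) (\S+)", line)) and group:
            groups[group].add((m.group(1), m.group(2)))
        elif m := ACL_RE.match(line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := MAP_RE.match(line):
            entry = entries.setdefault(m.group(1), {"pfs": False})
            if m.group(2) == "set pfs":
                entry["pfs"] = True
            else:
                entry[m.group(2).split()[1]] = m.group(3)  # key "address" or "peer"
    return groups, acls, entries

def selectors(site, entry):
    """Resolve a crypto map entry's ACL to its (source, destination) subnets."""
    groups, acls, _ = site
    src, dst = acls[entry["address"]]
    return groups[src], groups[dst]

def check_pair(local, remote, local_wan, remote_wan):
    """Compare the two ends of one tunnel; sites are parse_site() results."""
    mine = next((e for e in local[2].values() if e.get("peer") == remote_wan), None)
    theirs = next((e for e in remote[2].values() if e.get("peer") == local_wan), None)
    if not mine or not theirs:
        return ["crypto map entry for the peer is missing on one side"]
    findings = []
    if selectors(local, mine) != selectors(remote, theirs)[::-1]:
        findings.append("crypto ACLs are not mirror images")
    if mine["pfs"] != theirs["pfs"]:
        findings.append("PFS is set on one side only")
    elif not mine["pfs"]:
        findings.append("no 'set pfs' on either side, so PFS is off")
    return findings

if __name__ == "__main__":
    print(check_pair(parse_site(SITE_A), parse_site(SITE_B), "1.1.1.1", "1.1.1.2"))
```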

 

Further Info

I would suggest using IKEV2 for a Site-to-Site VPN, and I’ll outline the steps in a future article once I get time to write it up…. Stay tuned!

 

May 21

Convert a WLC LDPE Image to Non-LDPE

If you ever purchase a used Cisco Wireless LAN Controller or receive one on RMA, you may run into an issue when you attempt to upgrade the image and receive the following error:

ERROR: Incompatible SW image.ERROR: Please install the Data Payload Encryption licensed image

This issue occurs because the Controller has an LDPE image installed, which is only needed in Russia where Data DTLS Payload Encryption is regulated by the Government.  Cisco only recommends using this image if you reside in Russia.  To resolve this issue and put the standard image on, follow these steps:

Step 1 – Confirm you have an LDPE image installed

From the console, enter the show sysinfo command and confirm the build type is DATA + WPS + LDPE

Build Type Data + WPS + LDPE

Step 2 – Upgrade to LDPE Image version 7.0.230.0

LDPE Image version 7.0.230.0 (ex: AIR-CT5500-LDPE-K9-7-0-230-0.aes for a 5508) introduced the ability to move to a normal image once a DTLS license is installed (Resolved Caveat CSCtw78061).  If the product version is not already on that image, download it, and install it.

Step 3a – Confirm a DTLS License is Installed

From the console, enter the show license summary command and ensure that the Feature: data encryption section shows License State: Active, In Use.  If you see this, continue to step 4; otherwise you must download a free DTLS license and install it.

Data Encryption License State

Step 3b – Download a DTLS License

  1. Go to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart
  2. Click Get New->IPS, Crypto, Other Licenses
  3. Click Wireless, then click Cisco Wireless Controllers (2500/5500/7500/WISM2) DTLS License
  4. Choose the Controller Platform, enter the Product ID, enter the Serial Number, and click Next
    1. You can retrieve the PID and SN by running show license UDI at the console

    Specify Target and Options

  5. Select I agree with the Terms of the License, confirm your email address, and click Get License

Step 3c – Install the DTLS License

  1. Copy the DTLS license to the root of your TFTP server
  2. At the console, run the following command to install your license
    1. license install tftp://<TFTP_IP>/XXXX.lic
    2. Replace <TFTP_IP> with the IP address of your TFTP server
    3. Replace XXXX.lic with the name of your license
  3. Save your configuration and reboot the WLC
    1. save config
    2. reset system

Step 4 – Install the Non-LDPE Image

You can now install any Non-LDPE Image as needed!

Dec 29

BackupRouters-TelnetToLocal.pl

#!/usr/bin/env perl
#=========================================================================
# BackupRouters-TelnetToLocal.pl
# VERSION: 1.0
# AUTHOR: Brian Steinmeyer
# EMAIL: sigkill@sigkillit.com
# WEB: http://sigkillit.com
# DATE: 12/29/2012
# COMMENTS: Uses the Telnet::Cisco module to copy a Cisco Router's running
# configuration to the local machine. This module uses telnet so passwords
# will be in clear text. Pass the Cisco Router's DNS name or IP, logfile name,
# username, and password to the Sub. The script will back up the running
# config to the scripts location.
#=========================================================================
use strict;
use warnings;
use Net::Telnet::Cisco;
use File::Basename;
use DateTime;

#Backup Routers
BackupRouterRunningConfig('192.168.1.1', 'router-config', 'USERNAME', 'PASSWORD');

sub BackupRouterRunningConfig {

    #Set Variables (router, logfile name, username, password)
    my ($router, $logname, $username, $password) = @_;
    #Write the timestamped backup to the script's location
    my $logfile = dirname(__FILE__) . '/' . $logname
        . DateTime->now()->strftime('%m-%d-%y_%H%M%S') . '.txt';

    #Login to Router (Errmode "return" makes failures return false instead of dying)
    print "\n\n" . $router . "\n*************************\n";
    my $session = Net::Telnet::Cisco->new(Host => $router, Errmode => "return");
    if(! $session || ! $session->login($username, $password)) {
        print "ERROR Logging Into $router\n";
    } else {
        print "SUCCESS Logging Into $router\n";

        #Ensure Router is in Enabled Mode
        if($session->is_enabled) {
            print "SUCCESS Router in Enabled Mode\n";

            #Avoid Autopaging
            $session->cmd('terminal length 0');

            #Grab Router Running-Config
            my @arrOutput = $session->cmd("show running-config");
            if(@arrOutput > 0) {
                print "SUCCESS backing up configuration\n";
                open(my $fh, ">", $logfile) or die $!;
                print $fh @arrOutput;
                close($fh);
            } else {
                print "ERROR backing up configuration\n";
            }
        } else {
            print "ERROR Router Not in Enabled Mode\n";
        }
        #Close the session whether or not the backup succeeded
        $session->close;
    }
}