How do I collect from Cisco ASA?

Nanitor supports Cisco ASA devices (8 and 9) through the Nanitor Collector.


  1. You need to have a Nanitor Collector up and running. A single collector can collect from multiple network devices, servers and databases.
  2. You need the IP address of each Cisco ASA device, and the collector needs network access to connect to the device via SSH or telnet (discouraged).
  3. You need to have a user with sufficient privileges.
Credentials for Cisco can be SSH or telnet. You can add --enable_password if the collector needs to use enable. A good practice is to create a nanitor user and a password for this, either with privilege 15 or using enable, so that it can execute the commands on the Cisco ASA. This is similar to what is required when using the rancid tool. For granular authorization, we recommend looking into TACACS+ to control exactly which commands this user can execute. Good practice is to allow only "show" commands.

Adding the device to Nanitor

Run this command to avoid putting the passwords in .bash_history:

Now we add the credentials (the passwords are stored locally in an encrypted format).

The credentials are created as follows:
sudo /usr/lib/nanitor-collector/bin/nanitor-collector-ctl credential_add --title default-ssh --access_method ssh --username nanitor --password testpass --enable_password testpass --auto_enable
The collector will use SSH to access the device with the provided username and password and then run enable with the enable password.
Now we create a device to use these credentials. In this case the IP of the Cisco device is 
sudo /usr/lib/nanitor-collector/bin/nanitor-collector-ctl device_add --title asa01 --device_type cisco-asa --address --credential_title default-ssh
Once this command completes, the device should appear in the UI.
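
The two steps above as one script, written as an added example (not Nanitor's own tooling): it prompts for the SSH and enable passwords instead of taking them on the typed command line, then calls credential_add and device_add with the flags shown on this page. The function names, the IPv4-only address check and the sample address 192.0.2.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Nanitor's own script): register one Cisco ASA with the collector.

# Wrapper around the collector CLI path shown on this page.
nanitor_ctl() {
    sudo /usr/lib/nanitor-collector/bin/nanitor-collector-ctl "$@"
}

# Read one line from stdin into $SECRET; echo is disabled when stdin is a terminal.
read_secret() {
    SECRET=
    if [ -t 0 ]; then
        printf '%s: ' "$1" >&2
        stty -echo
        IFS= read -r SECRET || true
        stty echo
        printf '\n' >&2
    else
        IFS= read -r SECRET || true
    fi
    [ -n "$SECRET" ]    # non-zero status on an empty secret
}

# Accept only a dotted-quad IPv4 address (assumption: devices are added by IPv4).
is_ipv4() (
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1
    IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || exit 1
    done
)

# usage: onboard_asa TITLE ADDRESS CREDENTIAL_TITLE [USERNAME]
onboard_asa() {
    title=$1 address=$2 cred=$3 user=${4:-nanitor}
    is_ipv4 "$address" || { echo "invalid address: $address" >&2; return 2; }
    read_secret "SSH password for $user" || { echo "empty password" >&2; return 2; }
    password=$SECRET
    read_secret "Enable password" || { echo "empty enable password" >&2; return 2; }
    enable=$SECRET
    nanitor_ctl credential_add --title "$cred" --access_method ssh \
        --username "$user" --password "$password" \
        --enable_password "$enable" --auto_enable || return 1
    nanitor_ctl device_add --title "$title" --device_type cisco-asa \
        --address "$address" --credential_title "$cred"
}

# Runs only when given arguments, e.g. (constructed): asa01 192.0.2.10 default-ssh
if [ "$#" -ge 3 ]; then onboard_asa "$@"; fi
```

This keeps the passwords out of shell history only; because the CLI as shown on this page takes them as arguments, they remain visible in the local process list while each command runs.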
