remove isakmp psk in PIX?

Answered Question
Apr 29th, 2008

I have a pre-shared key that was set up in our PIX 6.3.5 by an external vendor (AT&T). How can I remove the line from the config if I don't know the key? We have several other VPNs up and running, so I can just disable isakmp overall. I have tried changing the key, but that is not possible. In order to use the "no" command, I must know the key. Any suggestions?

Sample of config line:

isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode


Perhaps the easiest way with 6.3X to see the key is by using PDM.

1. Change your preferences to preview commands before sending

2. Add a * to the end of the current PSK in PDM

3. When you hit send, it should show you what you are sending (DO NOT APPLY THE CHANGE)

4. Close out of PDM without saving any changes to

Done.

In later versions, you can use the command more system:running-config

Jay

Correct Answer
Jon Marshall Tue, 04/29/2008 - 14:30

From the CLI you can just type

no crypto isakmp * address 1.2.3.4

and it should remove it.

Jon

olhcc Wed, 04/30/2008 - 07:10

Thanks! Your solution worked, although it was missing the word "key."

no crypto isakmp key * address 1.2.3.4
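The masked config line from the question and the wildcard removal command that worked above, turned into a small audit script (an added example, not from the thread): it parses the `isakmp key` lines of a PIX 6.3 running-config, where the key is only ever shown as asterisks, and emits the `no crypto isakmp key * address <peer>` form for every peer that is not on an approved list. The approved-peer set and the sample config are constructed for illustration.

```python
import re

# Shape of the masked line as "show running-config" prints it on PIX 6.3:
# the key value itself is never displayed, only asterisks.
ISAKMP_KEY_RE = re.compile(
    r"^isakmp key\s+(?P<key>\S+)\s+address\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\S+))?(?P<opts>(?:\s+\S+)*)\s*$"
)


def isakmp_peers(config_text):
    """Return (peer, netmask, options) for every 'isakmp key' line found."""
    peers = []
    for line in config_text.splitlines():
        m = ISAKMP_KEY_RE.match(line.strip())
        if m:
            mask = m.group("mask") or "255.255.255.255"  # PIX default host mask
            peers.append((m.group("peer"), mask, m.group("opts").split()))
    return peers


def removal_commands(config_text, approved_peers):
    """Emit the wildcard 'no' form from the thread for each unapproved peer.

    The '*' stands in for the key string, so the command works even when the
    administrator never knew the pre-shared key a vendor configured.
    """
    cmds = []
    for peer, _mask, _opts in isakmp_peers(config_text):
        if peer not in approved_peers:
            cmds.append(f"no crypto isakmp key * address {peer}")
    return cmds


# Constructed sample excerpt of a masked running-config (not a real device).
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.9.8.7 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

if __name__ == "__main__":
    # 10.9.8.7 is our own approved VPN peer; 1.2.3.4 is the stale vendor entry.
    for cmd in removal_commands(SAMPLE_CONFIG, approved_peers={"10.9.8.7"}):
        print(cmd)
```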

olhcc Fri, 05/02/2008 - 09:45

Guys I'm flattered that my question sparked all this "discussion." :-)

Seriously though, we have stayed on v6.3.5 simply because it works, and because I cut my teeth on that version of the PIX CLI. Lots of commands change with the later versions. However, do you feel that the new versions offer enough benefits/new features to merit an upgrade?

I guess it's kind of the old "stick with what works" vs. "the newest is the best" argument.

Jon Marshall Fri, 05/02/2008 - 09:50

6.3(5) is a stable version of pix code. We still have a fair few of our firewalls running this code and we have no real problems with it.

If you don't need any of the new features in later versions of the code then I would leave well alone. Hardly seems worth upgrading just to run the same features.

We do run 7.x within our environment (no 8 as yet) but I've never felt the need to upgrade all the 6.3 pix firewalls. Plus most of our pix firewalls are 515s and they would require a memory upgrade as well.

Bear in mind pix 501/506E are not supported on version 7.

Jon
