
show pre-share key on 6.3(5)125

ksvy_ksvy
Level 1

I have PIX 535, using 6.3(5)125 code.

Is there a show command for seeing what an IPSec VPN peer's pre-shared key is?

thanks, Kevin


12 Replies

ajagadee
Cisco Employee

Kevin,

The below method should work.

write net tftp_server_ip:filename

and then open the filename from the tftp server. It should be in a non-encrypted format. The encryption is caused by the PIX software.

And I believe you can also use PDM to look at the keys in clear text but haven't tried this personally.

Regards,

Arul

** Please rate all helpful posts **

I'm not able to identify which file to copy over to my tftp server:

houfp3# sh flash

flash file system: version:3 magic:0x12345679

file 0: origin: 0 length:2048056

file 1: origin: 2097152 length:119478

file 2: origin: 2359296 length:1936

file 3: origin: 2490368 length:3152452

file 4: origin: 0 length:0

file 5: origin: 8257536 length:308

houfp3#

thanks,

Kevin,

The below explanation should help.

file 0: PIX Firewall binary image, where the .bin file is stored.

file 1: PIX Firewall configuration data that you can view with the show config command.

file 2: PIX Firewall datafile that stores IPSec key and certificate information.

file 3: PIX Firewall PDM image.

file 4: crashdump

file 5: filesystem record

So, File 1 is what I would use to copy to your TFTP Server.

Let me know if it works.

Regards,

Arul

** Please rate all helpful posts **

no luck:

houfp3# write net 14x.x.x.x 1

Building configuration...

[FAILED]

Usage: write erase|floppy|mem|terminal|standby

write net []:

houfp3# write net 14x.x.x.x :file 1

Building configuration...

[FAILED]

Usage: write erase|floppy|mem|terminal|standby

write net []:

hou150fp3#

thanks,

try

write net 14x.x.x.x:fw_backup

Jon

Kevin,

Please refer to the below command reference for details on using write net.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1027782

You don't need to specify File 1. I should have been clearer when I replied to your query. File 1 is where the Pix stores the configuration on the flash.

Regards,

Arul

** Please rate all helpful posts **

Well, almost there. There are several legs (internetwork interfaces) on this 535, and it appears that the pix is trying to go out the "inside" (security level 100), but the tftp server is on the next highest secure leg, named core (interface 1, security level 90):

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 core security90

houfp3# write net 14x.x.x.x:backup

Building configuration...

TFTP write 'backup' at 14x.x.x.x on interface 1

Timed out attempting to connect

[FAILED]

houfp3#

houfp3# ping inside 14x.x.x.x

14x.x.x.x NO response received -- 1000ms

14x.x.x.x NO response received -- 1000ms

14x.x.x.x NO response received -- 1000ms

houfp3# ping core 14x.x.x.x

14x.x.x.x response received -- 0ms

14x.x.x.x response received -- 0ms

14x.x.x.x response received -- 0ms

houfp3#

tftp-server core /backup

write net

Jon

that was it Jon, thanks!

Kevin,

If you don't have a "tftp-server" command configured on the Pix, the Pix by default uses the inside interface. Please refer to the below URL for details.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1026054

So, configure this command and then run the write net....

Regards,

Arul

** Please rate all helpful posts **

Arul, thank you, very much!

You don't need to. The filename in the command "write net tftp_server_ip:filename" is a filename you create. So just pick a name that makes sense, e.g.

write net :fw_backup

Jon
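As Arul notes above, the configuration that "write net" drops on the TFTP server carries the pre-shared keys in clear text, so the backup file itself needs the same protection as the keys. The following is an added example (not from this thread, and not Cisco's code) of a small check that lists the clear-text secret lines in such a saved config and produces a redacted copy; it assumes the PIX 6.3 forms "isakmp key <key> address <peer> ..." and "vpngroup <name> password <pw>", and runs on a constructed sample config.

```python
import re

# Constructed sample of a PIX 6.3 config as written by "write net".
# The tftp-server and isakmp/vpngroup lines use assumed 6.3 syntax.
SAMPLE_CONFIG = """\
: Saved
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 core security90
tftp-server core 192.0.2.10 /backup
isakmp key s3cretPSK address 203.0.113.5 netmask 255.255.255.255
isakmp key otherPSK address 198.51.100.7 netmask 255.255.255.255 no-xauth
vpngroup remote password vpnpass
"""

# Lines that expose a secret in clear text in a 6.3 config dump.
# Group 1: text before the secret, group 2: the secret, group 3: the rest.
SECRET_PATTERNS = [
    re.compile(r"^(isakmp key )(\S+)( address .*)$"),
    re.compile(r"^(vpngroup \S+ password )(\S+)(.*)$"),
]


def find_cleartext_secrets(config_text):
    """Return (line_number, command_prefix, secret) for every exposed key."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                hits.append((lineno, m.group(1).strip(), m.group(2)))
                break
    return hits


def redact_config(config_text):
    """Return a copy of the config with every secret replaced by <REDACTED>,
    keeping the peer address and other options so the file stays reviewable."""
    out = []
    for line in config_text.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + "<REDACTED>" + m.group(3)
                break
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, cmd, _secret in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: clear-text secret in '{cmd}'")
    print(redact_config(SAMPLE_CONFIG))
```

Run it against the file pulled from the TFTP server to see which lines must not leave the backup host, and keep the redacted copy for change review.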
