10-17-2008 01:07 PM - edited 03-11-2019 06:59 AM
I have a PIX 535, using 6.3(5)125 code.
Is there a show command for seeing what an IPSec VPN peer's pre-shared key is?
thanks, Kevin
10-17-2008 01:29 PM
Kevin,
The method below should work.
write net tftp_server_ip:filename
and then open the filename from the tftp server. It should be in a non-encrypted format. The encryption is caused by the PIX software.
And I believe you can also use PDM to look at the keys in clear text but haven't tried this personally.
Regards,
Arul
** Please rate all helpful posts **
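As an added example (not from the thread, and not Cisco's code), a small Python audit helper that scans a PIX 6.3 config backup retrieved this way and reports which IPsec peers have their pre-shared key stored in the clear, without echoing the key itself; it also reports which interface a tftp-server line points at. The sample config, peer addresses and key strings are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a PIX 6.3 config as pulled from the TFTP server after
# "write net tftp_server_ip:filename". Addresses and keys are made up.
SAMPLE_BACKUP = """\
: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 core security90
tftp-server core 203.0.113.50 /backup
isakmp key S3cr3tPSK address 203.0.113.10 netmask 255.255.255.255
isakmp key anotherkey address 198.51.100.7 netmask 255.255.255.255 no-xauth
isakmp key ******** address 192.0.2.5 netmask 255.255.255.255
crypto map outside_map 10 set peer 203.0.113.10
"""

IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_KEY_RE = re.compile(
    r"^isakmp key (?P<key>\S+) address (?P<peer>" + IPV4_RE + r")"
    r"(?: netmask (?P<mask>\S+))?", re.MULTILINE)

def find_preshared_keys(config_text: str) -> List[Dict[str, object]]:
    """One record per 'isakmp key ... address ...' line.
    'exposed' is True when the key string is present in clear text (what a
    write net backup contains) and False when it appears masked as ********
    (what show output prints). Only the key length is reported, never the key."""
    records = []
    for m in ISAKMP_KEY_RE.finditer(config_text):
        key = m.group("key")
        masked = set(key) == {"*"}
        records.append({
            "peer": m.group("peer"),
            "netmask": m.group("mask") or "255.255.255.255",
            "exposed": not masked,
            "key_length": 0 if masked else len(key),
        })
    return records

def tftp_server_interface(config_text: str) -> Optional[str]:
    """Interface named in 'tftp-server [if_name] ip_address path', or None when
    no interface is given (the thread notes the PIX then uses inside)."""
    m = re.search(r"^tftp-server (\S+)", config_text, re.MULTILINE)
    if not m:
        return None
    first = m.group(1)
    return None if re.fullmatch(IPV4_RE, first) else first
```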
10-17-2008 02:02 PM
I'm not able to identify which file to copy over to my tftp server:
houfp3# sh flash
flash file system: version:3 magic:0x12345679
file 0: origin: 0 length:2048056
file 1: origin: 2097152 length:119478
file 2: origin: 2359296 length:1936
file 3: origin: 2490368 length:3152452
file 4: origin: 0 length:0
file 5: origin: 8257536 length:308
houfp3#
thanks,
10-17-2008 02:24 PM
Kevin,
The explanation below should help.
file 0: PIX Firewall binary image, where the .bin file is stored.
file 1: PIX Firewall configuration data that you can view with the show config command.
file 2: PIX Firewall datafile that stores IPSec key and certificate information.
file 3: PIX Firewall PDM image.
file 4: crashdump
file 5: filesystem record
So, File 1 is what I would use to copy to your TFTP Server.
Let me know if it works.
Regards,
Arul
** Please rate all helpful posts **
10-17-2008 02:31 PM
no luck:
houfp3# write net 14x.x.x.x 1
Building configuration...
[FAILED]
Usage: write erase|floppy|mem|terminal|standby
write net [
houfp3# write net 14x.x.x.x :file 1
Building configuration...
[FAILED]
Usage: write erase|floppy|mem|terminal|standby
write net [
hou150fp3#
thanks,
10-17-2008 02:38 PM
try
write net 14x.x.x.x:fw_backup
Jon
10-17-2008 02:39 PM
Kevin,
Please refer to the command reference below for details on using write net.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1027782
You don't need to specify File 1. I should have been more clear when I replied to your query. File 1 is where the Pix stores the configuration on the flash.
Regards,
Arul
** Please rate all helpful posts **
10-17-2008 03:01 PM
Well, almost there. There are several legs (internetwork interfaces) on this 535, and it appears that the pix is trying to go out the "inside" (security level 100), but the tftp server is on the next highest secure leg, named: core (interface 1, security level 90)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 core security90
houfp3# write net 14x.x.x.x:backup
Building configuration...
TFTP write 'backup' at 14x.x.x.x on interface 1
Timed out attempting to connect
[FAILED]
houfp3#
houfp3# ping inside 14x.x.x.x
14x.x.x.x NO response received -- 1000ms
14x.x.x.x NO response received -- 1000ms
14x.x.x.x NO response received -- 1000ms
houfp3# ping core 14x.x.x.x
14x.x.x.x response received -- 0ms
14x.x.x.x response received -- 0ms
14x.x.x.x response received -- 0ms
houfp3#
10-17-2008 03:06 PM
tftp-server core /backup
write net
Jon
10-17-2008 03:19 PM
that was it Jon, thanks!
10-17-2008 03:10 PM
Kevin,
If you don't have a "tftp-server" command configured on the Pix, the Pix by default uses the inside interface. Please refer to the URL below for details.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1026054
So, configure this command and then run the write net....
Regards,
Arul
** Please rate all helpful posts **
10-17-2008 03:20 PM
Arul, thank you, very much!
10-17-2008 02:24 PM
You don't need to. The filename in the command "write net tftp_server_ip:filename" is a filename you create. So just pick a name that makes sense, e.g.
write net
Jon