remove isakmp psk in PIX?

olhcc
Level 1

I have a pre-shared key that was set up in our PIX 6.3.5 by an external vendor (AT&T). How can I remove the line from the config if I don't know the key? We have several other VPNs up and running, so I can just disable isakmp overall. I have tried changing the key, but that is not possible. In order to use the "no" command, I must know the key. Any suggestions?

Sample of config line:

isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode



jwalker
Level 3

Perhaps the easiest way with 6.3X to see the key is by using PDM.

1. Change your preferences to preview commands before sending

2. Add a * to the end of the current PSK in PDM

3. When you hit send, it should show you what you are sending (DO NOT APPLY THE CHANGE)

4. Close out of PDM without saving any changes to

Done.

In later versions, you can use a command more system:running-config

Jay

Jon Marshall
Hall of Fame

From the CLI you can just type

no crypto isakmp * address 1.2.3.4

and it should remove it.

Jon

Thanks! Your solution worked, although it was missing the word "key."

no crypto isakmp key * address 1.2.3.4

chickman
Level 1

Not that it assists you here, but, people should be aware that you can recover the pre-shared-key (PSK) easily in 7.X and later. Simply issue the following command: more system:running-config - This will show your key in clear text.

Just FYI for those running newer code capable of this command.
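
The point above means a saved copy of a 7.x-or-later config can carry the PSK in clear text. As an added example (not part of the original thread), this Python script scans a config dump for `isakmp key` lines in the format quoted in the question and flags any whose key is not masked; the sample config and its key are constructed, and the function names are hypothetical.

```python
import re

# Matches PIX-style lines such as the sample in the question:
#   isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
# The optional leading "crypto" covers the form used in the accepted answer.
PSK_LINE = re.compile(
    r"^\s*(?:crypto\s+)?isakmp\s+key\s+(?P<key>\S+)\s+address\s+(?P<peer>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?",
    re.IGNORECASE,
)


def is_masked(key):
    """True when the key field is only asterisks, as in masked output."""
    return set(key) == {"*"}


def audit_psk_lines(config_text):
    """Return one finding per isakmp key line; the key itself is never returned."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PSK_LINE.match(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "peer": m.group("peer"),
            "netmask": m.group("mask"),
            "cleartext": not is_masked(m.group("key")),
        })
    return findings


# Constructed sample: one masked entry and one cleartext entry (key is made up).
SAMPLE_CONFIG = """\
hostname pixfirewall
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ExampleKey123 address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

if __name__ == "__main__":
    for f in audit_psk_lines(SAMPLE_CONFIG):
        state = "CLEARTEXT KEY IN FILE" if f["cleartext"] else "masked"
        print(f"line {f['line']}: peer {f['peer']} ({state})")
```

Run it over config backups and ticket attachments; any line reported as cleartext marks a file that should be access-controlled and a key that should be rotated with the peer.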

Did you copy that straight out of my post from the other day?

Just kidding...

haha :( I didn't see that last comment you made. Good eye ;)

I think Jay means his original post in this thread :)

Yeah, I saw that after I pulled my head out.. haha

Guys I'm flattered that my question sparked all this "discussion." :-)

Seriously though, we have stayed on v6.3.5 simply because it works, and because I cut my teeth on that version of the PIX CLI. Lots of commands change with the later versions. However, do you feel that the new versions offer enough benefits/new features to merit an upgrade?

I guess it's kind of the old "stick with what works" vs. "the newest is the best" argument.

6.3(5) is a stable version of pix code. We still have a fair few of our firewalls running this code and we have no real problems with it.

If you don't need any of the new features in later versions of the code then I would leave well alone. Hardly seems worth upgrading just to run the same features.

We do run 7.x within our environment (no 8 as yet) but I've never felt the need to upgrade all the 6.3 pix firewalls. Plus most of our pix firewalls are 515's and they would require a memory upgrade as well.

Bear in mind pix 501/506E are not supported on version 7.

Jon
