04-29-2008 10:36 AM - edited 03-11-2019 05:38 AM
I have a pre-shared key that was set up in our PIX 6.3.5 by an external vendor (AT&T). How can I remove the line from the config if I don't know the key? We have several other VPNs up and running, so I can just disable isakmp overall. I have tried changing the key, but that is not possible. In order to use the "no" command, I must know the key. Any suggestions?
Sample of config line:
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
04-29-2008 02:30 PM
From the CLI you can just type
no crypto isakmp * address 1.2.3.4
and it should remove it.
Jon
04-29-2008 01:22 PM
Perhaps the easiest way with 6.3X to see the key is by using PDM.
1. Change your preferences to preview commands before sending
2. Add a * to the end of the current PSK in PDM
3. When you hit send, it should show you what you are sending (DO NOT APPLY THE CHANGE)
4. Close out of PDM without saving any changes to
Done.
In later versions, you can use a command more system:running-config
Jay
04-30-2008 07:10 AM
Thanks! Your solution worked, although it was missing the word "key."
no crypto isakmp key * address 1.2.3.4
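As an added illustration (not code from anyone in this thread), the snippet below parses the masked `isakmp key` lines out of a PIX 6.3 config, reports which peers are configured, and builds the wildcard removal command that worked above. The config text is a constructed sample; the peer addresses in it are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of what "show running-config" prints on a PIX 6.3:
# the key itself is masked with asterisks, only the peer address is visible.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 5.6.7.8 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

# One "isakmp key <key> address <peer> [netmask <mask>] [options...]" line.
ISAKMP_KEY_RE = re.compile(
    r"^isakmp key (?P<key>\S+) address (?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: netmask (?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?(?P<opts>(?: \S+)*)\s*$"
)


def parse_isakmp_keys(config: str) -> Dict[str, dict]:
    """Return {peer_address: {mask, options, masked}} for every isakmp key line."""
    peers: Dict[str, dict] = {}
    for line in config.splitlines():
        m = ISAKMP_KEY_RE.match(line.strip())
        if not m:
            continue
        peers[m["addr"]] = {
            "mask": m["mask"] or "255.255.255.255",   # PIX default host mask
            "options": m["opts"].split(),
            # True when the config only shows asterisks, i.e. key unknown to us
            "masked": set(m["key"]) == {"*"},
        }
    return peers


def removal_command(config: str, peer: str) -> str:
    """Build the wildcard 'no' command for one peer; refuse unknown peers."""
    peers = parse_isakmp_keys(config)
    if peer not in peers:
        raise ValueError(f"no isakmp key configured for peer {peer}")
    # '*' stands in for the key, so the line can be removed without knowing it
    return f"no crypto isakmp key * address {peer}"


if __name__ == "__main__":
    for addr, info in parse_isakmp_keys(SAMPLE_CONFIG).items():
        print(addr, info)
    print(removal_command(SAMPLE_CONFIG, "1.2.3.4"))
```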
05-02-2008 05:18 AM
Not that it assists you here, but people should be aware that you can recover the pre-shared key (PSK) easily in 7.X and later. Simply issue the following command:
more system:running-config
This will show your key in clear text.
Just FYI for those running newer code capable of this command.
05-02-2008 07:07 AM
Did you copy that straight out of my post from the other day?
Just kidding...
05-02-2008 07:23 AM
haha :( I didn't see that last comment you made. Good eye ;)
05-02-2008 07:28 AM
I think Jay means his original post in this thread :)
05-02-2008 09:06 AM
Yeah, I saw that after I pulled my head out.. haha
05-02-2008 09:45 AM
Guys I'm flattered that my question sparked all this "discussion." :-)
Seriously though, we have stayed on v6.3.5 simply because it works, and because I cut my teeth on that version of the PIX CLI. Lots of commands change with the later versions. However, do you feel that the new versions offer enough benefits/new features to merit an upgrade?
I guess it's kind of the old "stick with what works" vs. "the newest is the best" argument.
05-02-2008 09:50 AM
6.3(5) is a stable version of pix code. We still have a fair few of our firewalls running this code and we have no real problems with it.
If you don't need any of the new features in later versions of the code then I would leave well alone. Hardly seems worth upgrading just to run the same features.
We do run 7.x within our environment (no 8 as yet) but I've never felt the need to upgrade all the 6.3 pix firewalls. Plus most of our pix firewalls are 515's and they would require a memory upgrade as well.
Bear in mind pix 501/506E are not supported on version 7.
Jon