I have a pre-shared key that was set up in our PIX 6.3.5 by an external vendor (AT&T). How can I remove the line from the config if I don't know the key? We have several other VPNs up and running, so I can just disable isakmp overall. I have tried changing the key, but that is not possible. In order to use the "no" command, I must know the key. Any suggestions?
Sample of config line:
isakmp key ******** address 220.127.116.11 netmask 255.255.255.255 no-xauth no-config-mode
Perhaps the easiest way with 6.3X to see the key is by using PDM.
1. Change your preferences to preview commands before sending
2. Add a * to the end of the current PSK in PDM
3. When you hit send, it should show you what you are sending (DO NOT APPLY THE CHANGE)
4. Close out of PDM without saving any changes to
In later versions, you can use a command more system:running-config
Not that it assists you here, but, people should be aware that you can recover the pre-shared-key (PSK) easily in 7.X and later. Simply issue the following command: more system:running-config - This will show your key in clear text.
Just FYI for those running newer code capable of this command.
Guys I'm flattered that my question sparked all this "discussion." :-)
Seriously though, we have stayed on v6.3.5 simply because it works, and because I cut my teeth on that version of the PIX CLI. Lots of commands change with the later versions. However, do you feel that the new versions offer enough benefits/new features to merit an upgrade?
I guess it's kind of the old "stick with what works" vs. "the newest is the best" argument.
6.3(5) is a stable version of PIX code. We still have a fair few of our firewalls running this code and we have no real problems with it.
If you don't need any of the new features in later versions of the code then I would leave well alone. Hardly seems worth upgrading just to run the same features.
We do run 7.x within our environment (no 8 as yet) but I've never felt the need to upgrade all the 6.3 PIX firewalls. Plus most of our PIX firewalls are 515s and they would require a memory upgrade as well.
Bear in mind PIX 501/506E are not supported on version 7.