Cisco Support Community

New Member

remove isakmp psk in PIX?

I have a pre-shared key that was set up in our PIX 6.3.5 by an external vendor (AT&T). How can I remove the line from the config if I don't know the key? We have several other VPNs up and running, so I can just disable isakmp overall. I have tried changing the key, but that is not possible. In order to use the "no" command, I must know the key. Any suggestions?

Sample of config line:

isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode


10 REPLIES
Silver

Re: remove isakmp psk in PIX?

Perhaps the easiest way with 6.3X to see the key is by using PDM.

1. Change your preferences to preview commands before sending

2. Add a * to the end of the current PSK in PDM

3. When you hit send, it should show you what you are sending (DO NOT APPLY THE CHANGE)

4. Close out of PDM without saving any changes to

Done.

In later versions, you can use a command more system:running-config

Jay

Hall of Fame Super Blue

Re: remove isakmp psk in PIX?

From the CLI you can just type

no crypto isakmp * address 1.2.3.4

and it should remove it.

Jon

New Member

Re: remove isakmp psk in PIX?

Thanks! Your solution worked, although it was missing the word "key."

no crypto isakmp key * address 1.2.3.4

New Member

Re: remove isakmp psk in PIX?

Not that it assists you here, but, people should be aware that you can recover the pre-shared-key (PSK) easily in 7.X and later. Simply issue the following command: more system:running-config - This will show your key in clear text.

Just FYI for those running newer code capable of this command.
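
An added example, not written by any poster in this thread: because a config export can carry the PSK in clear text, a saved copy can be checked and masked before it is stored or shared. This Python script handles only the 6.3-style `isakmp key ... address ...` line format quoted in the question (other key formats are not covered); the function name, sample config and key value are constructed for illustration.

```python
import re

# Line format quoted in the thread:
#   isakmp key <secret> address <peer> netmask <mask> [options...]
# An optional leading "crypto" is accepted because the replies use that spelling.
KEY_LINE = re.compile(
    r"^(?P<head>\s*(?:crypto\s+)?isakmp\s+key\s+)(?P<secret>\S+)"
    r"(?P<tail>\s+address\s+(?P<peer>\S+).*)$"
)
MASK = "********"

# Constructed sample export; the second key line carries a made-up cleartext PSK.
SAMPLE = """\
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ExamplePsk123 address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""


def redact_config(text):
    """Return (redacted_text, findings).

    findings lists (line_number, peer) for every isakmp key line whose
    secret was not already masked with asterisks, i.e. a cleartext PSK.
    """
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        m = KEY_LINE.match(line)
        # A secret made up only of '*' is the device's own masking; leave it.
        if m and set(m.group("secret")) != {"*"}:
            findings.append((n, m.group("peer")))
            line = m.group("head") + MASK + m.group("tail")
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE)
    for line_no, peer in found:
        print(f"line {line_no}: cleartext PSK for peer {peer} was masked")
    print(redacted)
```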

Silver

Re: remove isakmp psk in PIX?

Did you copy that straight out of my post from the other day?

Just kidding...

New Member

Re: remove isakmp psk in PIX?

haha :( I didn't see that last comment you made. Good eye ;)

Hall of Fame Super Blue

Re: remove isakmp psk in PIX?

I think Jay means his original post in this thread :)

New Member

Re: remove isakmp psk in PIX?

Yeah, I saw that after I pulled my head out.. haha

New Member

Re: remove isakmp psk in PIX?

Guys I'm flattered that my question sparked all this "discussion." :-)

Seriously though, we have stayed on v6.3.5 simply because it works, and because I cut my teeth on that version of the PIX CLI. Lots of commands change with the later versions. However, do you feel that the new versions offer enough benefits/new features to merit an upgrade?

I guess it's kind of the old "stick with what works" vs. "the newest is the best" argument.

Hall of Fame Super Blue

Re: remove isakmp psk in PIX?

6.3(5) is a stable version of pix code. We still have a fair few of our firewalls running this code and we have no real problems with it.

If you don't need any of the new features in later versions of the code then I would leave well alone. Hardly seems worth upgrading just to run the same features.

We do run 7.x within our environment (no 8 as yet) but I've never felt the need to upgrade all the 6.3 pix firewalls. Plus most of our pix firewalls are 515's and they would require a memory upgrade as well.

Bear in mind pix 501/506E are not supported on version 7.

Jon
