Cisco Support Community
New Member

show pre-share key on 6.3(5)125

I have PIX 535, using 6.3(5)125 code.

Is there a show command for seeing what an IPSec VPN peer's pre-shared key is?

thanks, Kevin

2 ACCEPTED SOLUTIONS

12 REPLIES
Cisco Employee

Re: show pre-share key on 6.3(5)125

Kevin,

The below method should work.

write net tftp_server_ip:filename

and then open the filename from the tftp server. It should be in a non-encrypted format. The encryption is caused by the PIX software.

And I believe you can also use PDM to look at the keys in clear text but haven't tried this personally.

Regards,

Arul

** Please rate all helpful posts **
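Since the configuration that write net pushes to the TFTP server carries the IPSec pre-shared keys in clear text (and TFTP itself is unencrypted), a backup like this should be scrubbed before it is archived or shared. As an added example that is not part of this thread, the Python below finds PIX 6.3 "isakmp key ... address ..." lines in a constructed sample config and redacts the key string; the config contents and peer addresses are made up for the demonstration.

```python
import re

# Constructed sample of a PIX 6.3 config as written by "write net"; not from a real device.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 core security90
tftp-server core /backup
isakmp key s3cretPSK address 203.0.113.10 netmask 255.255.255.255
isakmp key anotherKey address 198.51.100.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
crypto map outside_map 10 set peer 203.0.113.10
"""

# PIX 6.3 syntax: isakmp key <keystring> address <peer> [netmask <mask>] [no-xauth] [no-config-mode]
# The key is the single token right after "isakmp key"; everything from "address" on is kept.
PSK_RE = re.compile(r"^(?P<prefix>\s*isakmp key )(?P<key>\S+)(?P<rest>\s+address\s+(?P<peer>\S+).*)$")


def find_psks(config_text):
    """Return (peer, key) pairs for every pre-shared key line in the config."""
    found = []
    for line in config_text.splitlines():
        m = PSK_RE.match(line)
        if m:
            found.append((m.group("peer"), m.group("key")))
    return found


def redact_psks(config_text, placeholder="<REDACTED>"):
    """Return the config with each pre-shared key replaced by a placeholder; other lines untouched."""
    out = []
    for line in config_text.splitlines():
        m = PSK_RE.match(line)
        out.append(m.group("prefix") + placeholder + m.group("rest") if m else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for peer, key in find_psks(SAMPLE_CONFIG):
        print(f"peer {peer}: pre-shared key present ({len(key)} characters)")
    print(redact_psks(SAMPLE_CONFIG))
```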

New Member

Re: show pre-share key on 6.3(5)125

I'm not able to identify which file to copy over to my tftp server:

houfp3# sh flash
flash file system: version:3 magic:0x12345679
file 0: origin: 0 length:2048056
file 1: origin: 2097152 length:119478
file 2: origin: 2359296 length:1936
file 3: origin: 2490368 length:3152452
file 4: origin: 0 length:0
file 5: origin: 8257536 length:308
houfp3#

thanks,

Cisco Employee

Re: show pre-share key on 6.3(5)125

Kevin,

The below explanation should help.

file 0: PIX Firewall binary image, where the .bin file is stored.

file 1: PIX Firewall configuration data that you can view with the show config command.

file 2: PIX Firewall datafile that stores IPSec key and certificate information.

file 3: PIX Firewall PDM image.

file 4: crashdump

file 5: filesystem record

So, File 1 is what I would use to copy to your TFTP Server.

Let me know if it works.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: show pre-share key on 6.3(5)125

no luck:

houfp3# write net 14x.x.x.x 1
Building configuration...
[FAILED]
Usage: write erase|floppy|mem|terminal|standby
write net []:

houfp3# write net 14x.x.x.x :file 1
Building configuration...
[FAILED]
Usage: write erase|floppy|mem|terminal|standby
write net []:
houfp3#

thanks,

Hall of Fame Super Blue

Re: show pre-share key on 6.3(5)125

try

write net 14x.x.x.x:fw_backup

Jon

Cisco Employee

Re: show pre-share key on 6.3(5)125

Kevin,

Please refer to the command reference below for details on using write net.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1027782

You don't need to specify File 1. I should have been more clear when I replied to your query. File 1 is where the Pix stores the configuration on the flash.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: show pre-share key on 6.3(5)125

Well, almost there. There are several legs (internetwork interfaces) on this 535, and it appears that the pix is trying to go out the "inside" (security level 100), but the tftp server is on the next highest secure leg, named core (interface 1, security level 90):

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 core security90

houfp3# write net 14x.x.x.x:backup
Building configuration...
TFTP write 'backup' at 14x.x.x.x on interface 1
Timed out attempting to connect
[FAILED]
houfp3#

houfp3# ping inside 14x.x.x.x
14x.x.x.x NO response received -- 1000ms
14x.x.x.x NO response received -- 1000ms
14x.x.x.x NO response received -- 1000ms

houfp3# ping core 14x.x.x.x
14x.x.x.x response received -- 0ms
14x.x.x.x response received -- 0ms
14x.x.x.x response received -- 0ms
houfp3#

Hall of Fame Super Blue

Re: show pre-share key on 6.3(5)125

tftp-server core /backup

write net

Jon

New Member

Re: show pre-share key on 6.3(5)125

that was it Jon, thanks!

Cisco Employee

Re: show pre-share key on 6.3(5)125

Kevin,

If you don't have a "tftp-server" command configured on the Pix, the Pix by default uses the inside interface. Please refer to the URL below for details.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1026054

So, configure this command and then run the write net....

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: show pre-share key on 6.3(5)125

Arul, thank you, very much!

Hall of Fame Super Blue

Re: show pre-share key on 6.3(5)125

You don't need to. The filename in the command "write net tftp_server_ip:filename" is a filename you create. So just pick a name that makes sense, e.g.

write net :fw_backup

Jon

235 Views, 10 Helpful, 12 Replies