Solved

Cisco Pix 501 access question

Posted on 2006-07-18
Last Modified: 2010-08-05
I know enough about Cisco routers to login and make changes, I just do not know enough to understand where the changes need to be made or how.

This PIX had a password that nobody knew so I used the password delete utility to reset the terminal and enable passwords. Now I can telnet into the PIX.

Problems:

1. I am now trying to get into the device manager and it's asking for a user name and password. I do not know enough about the pix to find out what the username is and the password. I have tried the default user name and passwords for device manager with no luck. Can I find out the user and pass from the terminal? If yes, How?

2. How do I check if VPN is enabled?
2.1 How do I check what accounts are enabled for VPN if it is enabled?

3. How can I enable telneting into PIX from internet? I can only telnet from the internal network.

Thank you in advance.
Question by:rockethobbit
 
Assisted Solution

by:naveedb
ID: 17133736
telnet into the PIX and type write mem.

Post your output and we should be able to help you further. Remove the usernames/passwords and the IP addresses from your configuration.
 
Accepted Solution

by: ch0wn
ID: 17134057
1 - You can't directly see the password for PDM in the terminal.  You can remove AAA authentication in the terminal and then log in to the PDM with the telnet password though.

2 - Go into the terminal - configure - show vpdngroup.  That will list the VPNs that are setup.

2.1 - You will probably see something say vpngroup "vpngroupname" password ******* .  That will be the account name.

3 - To enable telneting from the internet in configure mode in the terminal type telnet 0.0.0.0 0.0.0.0 outside .
I would not suggest using telnet to connect to your pix from the internet though.  Using ssh is a better idea because it's a more secure connection.  You can google for a free program called PuTTY that is very small and fast that will do SSH and Telnet.  To enable telnet you would type in ssh 0.0.0.0 0.0.0.0 outside in configure mode in the terminal.

Let me know if there is anything else.

Ch0wn
 

Author Comment

by:rockethobbit
ID: 17134195
pixFW(config)# write mem
Building configuration...
Cryptochecksum: xxx
[OK]
pixFW(config)# show config
: Saved
: Written by enable_15 at 12:53:00.274 UTC Tue Jul 18 2006
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname pixFW
domain-name happypix.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.1.1.16 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.123 255.255.255.192
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool happypixVPN 10.1.1.20-10.1.1.30
pdm location 10.1.1.0 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.16 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local happypixVPN
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.10
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.1.10
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username monitor password ********
vpdn enable outside
dhcpd address 10.1.1.100-10.1.1.131 inside
dhcpd dns 10.1.1.10 123.123.123.123
dhcpd lease 43600
dhcpd ping_timeout 750
dhcpd enable inside
username ipsec password xxxx encrypted privilege 15
username james password xxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
pixFW(config)#
 

Author Comment

by:rockethobbit
ID: 17134248
I messed up that ssh command and wrote it to memory. How do I remove the mistaken line from the config?
 
Assisted Solution

by:ch0wn
ID: 17134351
clear ssh will remove it.  When you retype it you want it to be all zeros so that any IP can connect.

Also I forgot to mention that you will need to generate a rsa key for SSH to work.  

So you would type:

hostname pixFW
domain-name happypix.org
ca gen rsa key 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd happypixpassword
ca save all
 

Author Comment

by:rockethobbit
ID: 17134963
Tried, but key already generated. Is that a problem?

happypix(config)# ca gen rsa key 1024
For <key_modulus_size> >= 1024, key generation could
  take up to several minutes. Please wait.
% You already have RSA keys defined for pixFW.happypix.org.
% Please remove the keys by issuing ca zeroize rsa command
%   before generating RSA keys again.
 

Author Comment

by:rockethobbit
ID: 17135083
I have tried to putty into the pix from the internal side and it's asking for a login and password.

There was an existing account called ipsec that I do not know the password for, but I also created another account called: james

I know the password for james, but when I try to log in using PuTTY with that account I get an access denied message.

You can see the account name in the config posting I made, Is there something wrong with the account or do I need to add it to a group or something? If it needs to be added to a group I am not sure how to do that.
 
Expert Comment

by:naveedb
ID: 17135639
1. I am now trying to get into the device manager and it's asking for a user name and password. I do not know enough about the pix to find out what the username is and the password. I have tried the default user name and passwords for device manager with no luck. Can I find out the user and pass from the terminal? If yes, How?

Try username pix, and the password you used to login.

2. How do I check if VPN is enabled?

It looks like it is enabled, or configured. Did you try to connect to it?

2.1 How do I check what accounts are enabled for VPN if it is enabled?

vpdn group PPTP-VPDN-GROUP client authentication local
 
tells it to use local username/password. From your config, only one user is set up.
vpdn username monitor password ********

3. How can I enable telneting into PIX from internet? I can only telnet from the internal network.
Add the following command:
telnet 0.0.0.0 0.0.0.0 outside

****************************
Also, check the following article for troubleshooting PDM
http://www.cisco.com/warp/public/110/pdm_http404.shtml

********************************

To regenerate RSA keys, issue the following command
ca zeroize rsa
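The review naveedb does by eye above (is a VPN enabled, which local accounts it uses, where telnet and ssh are permitted from) can be done mechanically over the `show config` output. The Python script below is an added example, not code from this thread or a Cisco tool: it parses the PIX 6.x lines the thread discusses and reports management-access rules, VPN state, local accounts and the SNMP community, rating an any-source telnet rule on the outside interface as the highest-risk item because telnet is cleartext. The sample input is an excerpt of the configuration posted in the thread, with the two `0.0.0.0 0.0.0.0 outside` lines suggested in the answers added (constructed) so the report shows how they are treated; `PixAudit` and `audit_pix_config` are names of this example only.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the configuration posted in the thread, with the two
# "0.0.0.0 0.0.0.0 outside" lines added (constructed) to show how
# the auditor reports them.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixFW
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server community public
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
isakmp enable outside
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username monitor password ********
vpdn enable outside
username ipsec password xxxx encrypted privilege 15
username james password xxxx encrypted privilege 15
"""

IP = r"(\d+(?:\.\d+){3})"
MGMT_RE = re.compile(rf"^(telnet|ssh|http)\s+{IP}\s+{IP}\s+(\S+)$")
VPDN_USER_RE = re.compile(r"^vpdn username (\S+) password")
LOCAL_USER_RE = re.compile(r"^username (\S+) password .*?privilege (\d+)")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


@dataclass
class PixAudit:
    """Structured result of one configuration audit (example type)."""
    hostname: str = ""
    mgmt_access: list = field(default_factory=list)   # (proto, src, mask, iface)
    vpn_enabled: dict = field(default_factory=dict)    # {"pptp": bool, "ipsec": bool}
    vpdn_users: list = field(default_factory=list)     # PPTP/L2TP local accounts
    local_users: list = field(default_factory=list)    # (name, privilege level)
    snmp_communities: list = field(default_factory=list)
    findings: list = field(default_factory=list)       # (severity, message)


def audit_pix_config(text):
    """Parse PIX 6.x 'show config' text and return a PixAudit."""
    a = PixAudit(vpn_enabled={"pptp": False, "ipsec": False})
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            a.hostname = line.split(None, 1)[1]
        elif (m := MGMT_RE.match(line)):
            a.mgmt_access.append(m.groups())
        elif (m := VPDN_USER_RE.match(line)):
            a.vpdn_users.append(m.group(1))
        elif (m := LOCAL_USER_RE.match(line)):
            a.local_users.append((m.group(1), int(m.group(2))))
        elif (m := SNMP_RE.match(line)):
            a.snmp_communities.append(m.group(1))
        elif line.startswith("vpdn enable "):      # PPTP/L2TP dial-in VPN
            a.vpn_enabled["pptp"] = True
        elif line.startswith("isakmp enable "):    # IPsec/IKE VPN
            a.vpn_enabled["ipsec"] = True

    # Risk rating: cleartext telnet reachable from the outside interface
    # is the worst case; any-source rules for other protocols are noted.
    for proto, src, mask, iface in a.mgmt_access:
        any_src = src == "0.0.0.0" and mask == "0.0.0.0"
        if proto == "telnet" and iface == "outside":
            a.findings.append(("high", f"telnet (cleartext) permitted on {iface} from {src} {mask}"))
        elif any_src:
            a.findings.append(("medium", f"{proto} on {iface} is open to any source address"))
    for community in a.snmp_communities:
        if community in ("public", "private"):
            a.findings.append(("medium", f"default SNMP community '{community}' configured"))
    if a.vpn_enabled["pptp"]:
        users = ", ".join(a.vpdn_users) or "none"
        a.findings.append(("info", f"PPTP/L2TP VPN enabled; local vpdn accounts: {users}"))
    if a.vpn_enabled["ipsec"]:
        a.findings.append(("info", "ISAKMP/IPsec VPN enabled"))
    return a


if __name__ == "__main__":
    result = audit_pix_config(SAMPLE_CONFIG)
    print(f"host {result.hostname}: local users {[u for u, _ in result.local_users]}")
    for severity, message in result.findings:
        print(f"[{severity}] {message}")
```

Run it as a script to print the report for the embedded excerpt, or call `audit_pix_config()` with the text of a real `show config` capture. Note that local `username` entries (privilege 15 here) are separate from the `vpdn username` account that the PPTP group authenticates against, which is the distinction naveedb draws in answer 2.1.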
