Solved

Cisco Pix 501 access question

Posted on 2006-07-18
332 Views
Last Modified: 2010-08-05
I know enough about Cisco routers to log in and make changes, I just do not know enough to understand where the changes need to be made or how.

This PIX had a password that nobody knew so I used the password delete utility to reset the terminal and enable passwords. Now I can telnet into the PIX.

Problems:

1. I am now trying to get into the device manager and it's asking for a user name and password. I do not know enough about the pix to find out what the username is and the password. I have tried the default user name and passwords for device manager with no luck. Can I find out the user and pass from the terminal? If yes, How?

2. How do I check if VPN is enabled?
2.1 How do I check what accounts are enabled for VPN if it is enabled?

3. How can I enable telnetting into the PIX from the internet? I can only telnet from the internal network.

Thank you in advance.
0
Question by:rockethobbit
8 Comments
 
LVL 10

Assisted Solution

by:naveedb
naveedb earned 125 total points
ID: 17133736
Telnet into the PIX and type write mem.

Post your output and we should be able to help you further. Remove the username/passwords and the IP addresses from your configuration.
0
 
LVL 2

Accepted Solution

by:
ch0wn earned 125 total points
ID: 17134057
1 - You can't directly see the password for PDM in the terminal. You can remove AAA authentication in the terminal and then log in to the PDM with the telnet password though.

2 - Go into the terminal - configure - show vpdngroup. That will list the VPNs that are set up.

2.1 - You will probably see something that says vpngroup "vpngroupname" password *******. That will be the account name.

3 - To enable telnetting from the internet, in configure mode in the terminal type telnet 0.0.0.0 0.0.0.0 outside.
I would not suggest using telnet to connect to your PIX from the internet though. Using SSH is a better idea because it's a more secure connection. You can Google for a free program called PuTTY that is very small and fast that will do SSH and telnet. To enable telnet you would type in ssh 0.0.0.0 0.0.0.0 outside in configure mode in the terminal.

Let me know if there is anything else.

Ch0wn
0
 

Author Comment

by:rockethobbit
ID: 17134195
pixFW(config)# write mem
Building configuration...
Cryptochecksum: xxx
[OK]
pixFW(config)# show config
: Saved
: Written by enable_15 at 12:53:00.274 UTC Tue Jul 18 2006
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname pixFW
domain-name happypix.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.1.1.16 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.123 255.255.255.192
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool happypixVPN 10.1.1.20-10.1.1.30
pdm location 10.1.1.0 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.16 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local happypixVPN
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.10
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.1.10
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username monitor password ********
vpdn enable outside
dhcpd address 10.1.1.100-10.1.1.131 inside
dhcpd dns 10.1.1.10 123.123.123.123
dhcpd lease 43600
dhcpd ping_timeout 750
dhcpd enable inside
username ipsec password xxxx encrypted privilege 15
username james password xxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
pixFW(config)#
0
 

Author Comment

by:rockethobbit
ID: 17134248
I messed up that ssh command and wrote it to memory. How do I remove the mistaken line from the config?
0
 
LVL 2

Assisted Solution

by:ch0wn
ch0wn earned 125 total points
ID: 17134351
Clear SSH will remove it. When you retype it you want it to be all zeros so that any IP can connect.

Also, I forgot to mention that you will need to generate an RSA key for SSH to work.

So you would type:

hostname pixFW
domain-name happypix.org
ca gen rsa key 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
passwd happypixpassword
ca save all
0
 

Author Comment

by:rockethobbit
ID: 17134963
Tried, but key already generated. Is that a problem?

happypix(config)# ca gen rsa key 1024
For <key_modulus_size> >= 1024, key generation could
  take up to several minutes. Please wait.
% You already have RSA keys defined for pixFW.happypix.org.
% Please remove the keys by issuing ca zeroize rsa command
%   before generating RSA keys again.
0
 

Author Comment

by:rockethobbit
ID: 17135083
I have tried to PuTTY into the PIX from the internal side and it's asking for a login and password.

There was an existing account called ipsec that I do not know the password for, but I also created another account called james.

I know the password for james, but when I try to log in using PuTTY with that account I get an access denied message.

You can see the account name in the config posting I made. Is there something wrong with the account, or do I need to add it to a group or something? If it needs to be added to a group, I am not sure how to do that.
0
 
LVL 10

Expert Comment

by:naveedb
ID: 17135639
1. I am now trying to get into the device manager and it's asking for a user name and password. I do not know enough about the pix to find out what the username is and the password. I have tried the default user name and passwords for device manager with no luck. Can I find out the user and pass from the terminal? If yes, How?

Try username pix, and the password you used to login.

2. How do I check if VPN is enabled?

It looks like it is enabled, or configured. Did you try to connect to it?

2.1 How do I check what accounts are enabled for VPN if it is enabled?

vpdn group PPTP-VPDN-GROUP client authentication local

tells it to use the local username/password. From your config, only one user is set up:
vpdn username monitor password ********

3. How can I enable telneting into PIX from internet? I can only telnet from the internal network.
Add the following command;
telnet 0.0.0.0 0.0.0.0 outside

****************************
Also, check the following article for troubleshooting PDM
http://www.cisco.com/warp/public/110/pdm_http404.shtml

********************************

To regenerate RSA keys, issue the following command:
ca zeroize rsa

0
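Editor's note, with an added example that is not part of the thread and not Cisco's code. The three questions (who can log in to PDM/SSH, whether a VPN is on and who can use it, what "telnet 0.0.0.0 0.0.0.0 outside" opens) can all be read off the posted configuration, and the SSH "access denied" for the james account has a likely cause that the thread does not state: on PIX 6.x, unless the config contains "aaa authentication ssh console LOCAL", SSH does not consult the "username" entries at all; it expects user "pix" with the telnet password (the "passwd" line). Likewise PDM without "aaa authentication http console LOCAL" takes a blank username and the enable password. The Python below audits a constructed config trimmed from rockethobbit's posting, with the suggested 0.0.0.0 telnet and ssh lines added, beside a constructed hardened variant; the hardened lines, the management address 198.51.100.7 and the SNMP community string are assumptions made for the example.

```python
import re

# Constructed sample for this example: trimmed from the PIX 6.3(3) config posted
# in the thread, plus the "0.0.0.0 0.0.0.0 outside" telnet/ssh lines suggested
# there. Passwords and addresses are placeholders.
WEAK_CONFIG = """\
PIX Version 6.3(3)
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server community public
isakmp enable outside
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username monitor password ********
vpdn enable outside
username ipsec password xxxx encrypted privilege 15
username james password xxxx encrypted privilege 15
"""

# Constructed hardened variant (an assumption of what "good" looks like here):
# no telnet from the outside, SSH from one management host only (198.51.100.7
# is a documentation address used as a placeholder), SSH and PDM bound to the
# LOCAL user database, non-default SNMP community, PPTP removed.
HARDENED_CONFIG = """\
PIX Version 6.3(3)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server community Xk7pQ2mR9vLw
isakmp enable outside
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 198.51.100.7 255.255.255.255 outside
username james password xxxx encrypted privilege 15
"""

# PIX 6.x management access lines: telnet|ssh|http <host> <mask> <interface>
MGMT_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(config):
    """Non-empty config lines, minus the ': Saved' style comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]

def mgmt_access(lines):
    """(service, host, mask, interface) for every telnet/ssh/http access line."""
    return [m.groups() for m in map(MGMT_RE.match, lines) if m]

def vpn_status(lines):
    """Answer Q2/2.1 from the config: which VPNs are on and who can use PPTP."""
    return {
        "pptp_enabled": any(ln.startswith("vpdn enable ") for ln in lines),
        "ipsec_enabled": any(ln.startswith("isakmp enable ") for ln in lines),
        "vpdn_local_auth": any(ln.endswith(" client authentication local") for ln in lines),
        # 'vpdn username <name> password ...' are the PPTP accounts
        "vpdn_users": [ln.split()[2] for ln in lines if ln.startswith("vpdn username ")],
    }

def audit(config):
    """Return (code, detail) findings about management-plane exposure."""
    lines = parse(config)
    findings = []
    for svc, host, mask, intf in mgmt_access(lines):
        if host == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(("MGMT_ANY", f"{svc} accepts any source on {intf}"))
        if svc == "telnet" and intf == "outside":
            findings.append(("TELNET_OUTSIDE", "cleartext telnet reachable from the Internet"))
    # Without these lines, PIX 6.x SSH expects user 'pix' + the telnet (passwd)
    # password and PDM a blank user + the enable password; 'username' entries
    # are ignored, which is why a local account gets "access denied".
    if not any(ln.startswith("aaa authentication ssh console ") for ln in lines):
        findings.append(("SSH_NO_AAA", "ssh uses 'pix' + telnet password, not local usernames"))
    if not any(ln.startswith("aaa authentication http console ") for ln in lines):
        findings.append(("HTTP_NO_AAA", "PDM uses blank username + enable password"))
    for ln in lines:
        if ln.startswith("snmp-server community ") and ln.split()[2] in ("public", "private"):
            findings.append(("SNMP_DEFAULT", f"default SNMP community '{ln.split()[2]}'"))
    vpn = vpn_status(lines)
    if vpn["pptp_enabled"]:
        findings.append(("PPTP_ENABLED", f"PPTP (MS-CHAP/MPPE) on outside, users: {vpn['vpdn_users']}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for code, detail in audit(cfg):
            print(f"  {code:14} {detail}")
```

Run it as-is and the weak config produces seven findings while the hardened one produces none; to audit a real box, paste the output of "show config" (with the "enable password"/"passwd" lines removed, as naveedb suggested) into a file and pass its contents to audit(). The point of the hardened variant is that opening SSH to 0.0.0.0 is not the fix for "I can only manage it from inside": a single trusted source address, local-database authentication and no cleartext telnet on the outside interface is.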
