ammartahir1978 (United Kingdom)

asked on

How to retrieve the VPN or pre-shared key on a PIX

Hi guys,

Is there any way we can retrieve the pre-shared key or VPN password? I have started a new job and don't know the passwords.

Can someone help?
ajeab

Go to the CLI and look for the key. The key is usually encrypted in type 7. Copy those # then go to
http://www.ibeast.com/content/tools/CiscoPassword/index.asp
and put those # in. It should decrypt it for you.
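As an added example (not part of ajeab's reply and not the ibeast tool), the Cisco type 7 scheme referred to above can be decoded offline in a few lines, which avoids pasting a live credential into a third-party website. Type 7 is reversible obfuscation, not encryption: a two-digit decimal seed selects an offset into a fixed key string, and each plaintext byte is XORed with successive bytes of that string. The decoder below implements that well-known format; the config fragment it scans is constructed for the example (IOS-style `password 7` / `key 7` lines, since, as the later replies on this page say, the PIX does not store the VPN pre-shared key in this form).

```python
import re

# Cisco "type 7" obfuscation: the first two characters are a decimal seed
# (an offset into a fixed key string) and each plaintext byte is XORed with
# successive bytes of that string, written out as two uppercase hex digits.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string such as 0822455D0A16 back to its plaintext."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])          # raises ValueError on bad hex
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string; included only to make the round trip explicit."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed must be between 0 and 52")
    body = "".join(f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}"
                   for i, b in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body}"


# Matches "password 7 <hex>" and "key 7 <hex>" credentials in a config dump.
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def decode_config(config: str) -> list:
    """Return (line_number, plaintext) for every type 7 credential found."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        m = TYPE7_RE.search(line)
        if m:
            found.append((n, decode_type7(m.group(1))))
    return found


# Constructed IOS-style config fragment for the example (not from the post).
# 0822455D0A16 is the widely quoted vector that decodes to "cisco".
SAMPLE_CONFIG = """\
hostname branch-rtr
enable secret 5 $1$xyz$thisisnotatype7stringxxxx
username admin password 7 0822455D0A16
tacacs-server key 7 123A0C0411045D5679
"""

if __name__ == "__main__":
    for lineno, secret in decode_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {secret}")
```

Anything that decodes this way should be treated as already exposed once the config has left the box; the `enable secret 5` line is skipped on purpose because that is a real hash and not recoverable by this method.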
Sorry, but the pre-shared key used for VPN connections shows up in the PIX config as asterisks (********)... you won't be able to decrypt it.

However, there is a good side to this... you don't have to know the current pre-shared key in order to change it to something else... just issue the "isakmp key" command with a new pre-shared key value and it will overwrite the current value...
That's why I said use the CLI (command line interface), either via the console port or telnet.
You can't do that with the pre-shared keys because they don't show up even in encrypted form.
On a PIX 7.x / ASA, try the command
more system:running-config

Otherwise...
use write net
to upload the config to a TFTP server, i.e.

write net (ip address):/pixcnf.cfg

The basic idea is that when you upload the config file to your TFTP server,
you can then view the file on the TFTP server with the pre-shared keys not starred out.
ammartahir1978 (Asker)

Thank you guys. To help you understand the config, I have posted the config of the PIX; if you look at the isakmp key, it's all ********.

So from the above comments I understand that I can change this key to anything, but my confusion is: do I have to change it on my ASA in the head office as well?
So on both I will put

no isakmp key ****** ..........................
then
isakmp new key ip address netmask ...............

and the same on my ASA in the head office... right?

Thank you
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map TOWHS 20 ipsec-isakmp
crypto map TOWHS 20 match address TOWHS
crypto map TOWHS 20 set peer <public IP address>
crypto map TOWHS 20 set transform-set ESP-AES-256-MD5
crypto map TOWHS interface outside
isakmp enable outside
isakmp key ******** address <IP address> netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 20
isakmp nat-traversal 20
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400

Yes, you will have to change it on your ASA on the other end as well.

When you enter the "no" form of the command, you can put in whatever you want for the key value, then put in the real key you want to use when you enter the "isakmp key" command.
Thank you.

batry_boy, is there anything else I have to change, or do I just put "no" on the isakmp key and then put it on again with the isakmp command?

Can you change my code?
ASKER CERTIFIED SOLUTION
batry_boy (United States of America)

This solution is only available to members of Experts Exchange.
This is how it is on the PIX in the head office; do I have to put "no" first and then recreate it?

tunnel-group <IP ADDRESS> type ipsec-l2l
tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key *
No, you should be able to overwrite the existing pre-shared key.  Just issue the following commands:

tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key <new_pre_shared_key>
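As an added example, not code from the original thread, the script below pulls the per-peer pre-shared keys out of both syntaxes discussed above (the PIX 6.x `isakmp key ... address ...` form on the branch and the ASA `tunnel-group ... ipsec-attributes` / `pre-shared-key` form at head office), detects whether a dump is masked (`********` on the PIX, `*` on the ASA, meaning it came from `show running-config` rather than `write net` or `more system:running-config`), and checks that the two ends hold the same key for each other. The peer addresses, key values and config snippets are constructed for the example; the rekey helper only fills the new value into the two commands from the thread, since neither side needs the old key to overwrite it.

```python
import re

# Constructed sample dumps for the example (not the poster's real config).
# Branch PIX 6.x as printed by "show running-config": the key is masked.
PIX_SHOW_RUN = """\
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 20
"""
# The same PIX as dumped by "write net <tftp>:/pixcnf.cfg": key in the clear.
PIX_TFTP_DUMP = PIX_SHOW_RUN.replace("********", "BranchKey2009")
# Head-office ASA via "more system:running-config": one l2l peer in the clear,
# plus a second peer left masked to show what "show run" output looks like.
ASA_DUMP = """\
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key BranchKey2009
 isakmp keepalive threshold 20 retry 3
tunnel-group 203.0.113.99 type ipsec-l2l
tunnel-group 203.0.113.99 ipsec-attributes
 pre-shared-key *
"""

PIX_KEY_RE = re.compile(r"^\s*isakmp key (\S+) address (\S+)")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+pre-shared-key (\S+)\s*$")


def extract_psks(config: str) -> dict:
    """Map peer address -> pre-shared key, accepting PIX 6.x or ASA syntax."""
    psks = {}
    group = None               # tunnel-group whose ipsec-attributes block we are in
    for line in config.splitlines():
        m = PIX_KEY_RE.match(line)
        if m:
            psks[m.group(2)] = m.group(1)
            continue
        m = TG_ATTR_RE.match(line)
        if m:
            group = m.group(1)
            continue
        if group is not None and line.startswith(" "):
            m = PSK_RE.match(line)
            if m:
                psks[group] = m.group(1)
            continue
        group = None           # any other top-level line ends the block
    return psks


def is_masked(key: str) -> bool:
    """True for the ******** (PIX) or * (ASA) placeholder that show run prints."""
    return re.fullmatch(r"\*+", key) is not None


def psks_match(cfg_a: str, peer_a: str, cfg_b: str, peer_b: str) -> tuple:
    """Compare the key side A holds for peer_a with the key side B holds for peer_b.

    Returns (status, key_a, key_b); status is 'match', 'mismatch',
    'masked' (re-dump with write net / more system:running-config) or 'missing'.
    """
    key_a = extract_psks(cfg_a).get(peer_a)
    key_b = extract_psks(cfg_b).get(peer_b)
    if key_a is None or key_b is None:
        return ("missing", key_a, key_b)
    if is_masked(key_a) or is_masked(key_b):
        return ("masked", key_a, key_b)
    return ("match" if key_a == key_b else "mismatch", key_a, key_b)


def rekey_commands(new_key: str, asa_addr: str, pix_addr: str) -> tuple:
    """Commands that set the same new key on both ends; the old key is not needed.

    asa_addr is the peer the PIX points at, pix_addr the peer the ASA points at.
    """
    pix = [f"isakmp key {new_key} address {asa_addr} netmask 255.255.255.255 no-xauth no-config-mode"]
    asa = [f"tunnel-group {pix_addr} ipsec-attributes", f" pre-shared-key {new_key}"]
    return pix, asa


if __name__ == "__main__":
    for name, cfg in (("show run", PIX_SHOW_RUN), ("tftp dump", PIX_TFTP_DUMP)):
        print(name, psks_match(cfg, "203.0.113.10", ASA_DUMP, "198.51.100.7"))
    pix_cmds, asa_cmds = rekey_commands("NewSharedSecret2009", "203.0.113.10", "198.51.100.7")
    print("\n".join(["! branch PIX"] + pix_cmds + ["! head-office ASA"] + asa_cmds))
```

Run it against the `show run` output and it reports `masked`, which is the situation in the thread; run it against the TFTP dump from `write net` and it can actually confirm the two ends agree. Keep the TFTP copy off shared file servers and delete it when done, because it is the one place the key sits in the clear.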