How to retrieve the VPN or pre-shared key on PIX

Hi guys,

Is there any way we can retrieve the pre-shared key or VPN password? I have started a new job and don't know the passwords.

Can someone help?
batry_boy Commented:
No, I don't think so, given the info you have provided thus far.  For example, if you wanted to change the key to be "cisco123", just put in the following statements:

no isakmp key whatever address <IP address> netmask no-xauth no-config-mode
isakmp key cisco123 address <IP address> netmask no-xauth no-config-mode

where <IP address> is the remote tunnel peer.

For the ASA, the command syntax is different:

tunnel-group <IP address> ipsec-attributes
pre-shared-key cisco123

Go to the CLI and look for the key. The key is usually encrypted in type 7. Copy those # then go to
put those # in . It should decrypt for you.
Sorry, but the preshared key used for VPN connections shows up in the PIX config as asterisks (********), so you won't be able to decrypt it.

However, there is a good side to this: you don't have to know the current pre-shared key in order to change it to something else...just issue the "isakmp key" command with a new pre-shared key value and it will overwrite the current value...

That's why I said use the CLI (command line interface), either via console port or telnet.
You can't do that with the pre-shared keys because they don't show up even in encrypted form.
On a PIX 7.x / ASA, try the command
more system:running-config

use  write net
to upload the config to a TFTP server, i.e.

write net  (ip address):/pixcnf.cfg

The basic idea is that when you upload the config file to your TFTP server,
you can now view the file on the TFTP server with pre-shared keys not starred out.
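
The comment above notes that a config exported with `write net` (or shown by `more system:running-config`) carries the pre-shared keys unmasked, so any copy left on a TFTP server or pasted into a post needs them stripped. This is an added example, not code from anyone in this thread: it flags and masks clear-text keys in both the PIX `isakmp key` and ASA `tunnel-group` syntaxes seen here; the sample export, key values and function names are constructed for illustration.

```python
import re

# Constructed sample export: keys are NOT starred out. Peers and key
# values are made up; syntax follows the PIX and ASA lines in this thread.
SAMPLE_EXPORT = """\
isakmp enable outside
isakmp key ExampleKey-1 address 192.0.2.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 192.0.2.11 netmask 255.255.255.255
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key ExampleKey-2
tunnel-group 198.51.100.8 ipsec-attributes
 pre-shared-key *
"""

PIX_KEY = re.compile(r"^(\s*isakmp key )(\S+)( address (\S+).*)$")
ASA_GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
ASA_KEY = re.compile(r"^(\s+pre-shared-key )(\S+)(.*)$")


def is_masked(value):
    """True when the device printed only asterisks instead of the key."""
    return set(value) == {"*"}


def redact_psks(config_text):
    """Return (redacted_text, findings). findings holds (line_no, peer)
    for every pre-shared key that was present in clear text."""
    out, findings, peer = [], [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        pix = PIX_KEY.match(line)
        grp = ASA_GROUP.match(line)
        key = ASA_KEY.match(line)
        if pix:
            if not is_masked(pix.group(2)):
                findings.append((no, pix.group(4)))
            line = pix.group(1) + "********" + pix.group(3)
        elif grp:
            peer = grp.group(1)      # key on the indented lines belongs to this peer
        elif key and peer:
            if not is_masked(key.group(2)):
                findings.append((no, peer))
            line = key.group(1) + "*" + key.group(3)
        elif not line.startswith(" "):
            peer = None              # left the tunnel-group sub-mode
        out.append(line)
    return "\n".join(out) + "\n", findings
```

A non-empty findings list means the file holds live keys: restrict access to it, and rotate the keys on both tunnel ends if the file has already been shared.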
ammartahir1978 (Author) Commented:
Thank you guys. To help you understand the config, I have posted the config of the PIX. If you look at the isakmp key, it's all ********

So from the above comments, what I understand is that I can change this key to anything, but my confusion is: do I have to change it on my ASA in head office as well?
So in both I will put

no isakmp key ****** ..........................
isakmp new key ip address netmask ...............

and the same on my ASA in head office...right?

Thank you
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map TOWHS 20 ipsec-isakmp
crypto map TOWHS 20 match address TOWHS
crypto map TOWHS 20 set peer <public IP address>
crypto map TOWHS 20 set transform-set ESP-AES-256-MD5
crypto map TOWHS interface outside
isakmp enable outside
isakmp key ******** address <IP address>netmask no-xauth no-co
isakmp keepalive 20
isakmp nat-traversal 20
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400


Yes, you will have to change it on your ASA on the other end as well.

When you enter in the "no" form of the command, you can put in whatever you want for the key value, then put in the real key that you want to use when you enter the "isakmp key" command.
ammartahir1978 (Author) Commented:
Thank you

batry_boy, is there anything else I have to change, or do I just put a no on the isakmp key and then put it on again with the isakmp command?

Can you change my code?
ammartahir1978 (Author) Commented:
This is how it is on the PIX at head office. Do I have to put no first and then recreate it?

tunnel-group <IP ADDRESS> type ipsec-l2l
tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key *
No, you should be able to overwrite the existing pre-shared key.  Just issue the following commands:

tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key <new_pre_shared_key>