how to retrive the VPN or pre shared key on pix

hi guys,

is there any way we can retrive the pre shared key or vpn password, as i have start a new job and dont know the passwords

can some one help
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

go to CLI and look for the key.  key usually encrypt in type 7. copy those # then go to
put those # in . it should decrypt for you.
Sorry, but the preshared key used for VPN connections shows up in the PIX config as asterisks (********) won't be able to decrypt it.

However, there is a good side to don't have to know the current pre-shared key in order to change it to something else...just issue the "isakmp key" command with a new pre-shared key value and it will overwrite the current value...
that why I said use CLI (command line interface) either via console port or telnet
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

You can't do that with the pre-shared keys because they don't show up even in encrypted form.
On an PIX7.x / ASA Try the command
more system:running-config

use  write net
to upload the config to a TFTP server, i.e.

write net  (ip address):/pixcnf.cfg

The basic idea is that when you upload the config file to your TFTP server,
you can now view the file on the TFTP server with pre-shared keys not starred out.
ammartahir1978Author Commented:
thank you guys to make you understand the config i have posted the config of the pix, if you see on the isakmp key its all ********

so from above comments i understand is i can change this key to anything but my confusion is do i have to change it in my ASA in head office as well?
so in both i will put

no isakmp key ****** ..........................
isakmp new key ip address netmask ...............

and same in my ASA in head office...right?

thank you
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map TOWHS 20 ipsec-isakmp
crypto map TOWHS 20 match address TOWHS
crypto map TOWHS 20 set peer <public IP address>
crypto map TOWHS 20 set transform-set ESP-AES-256-MD5
crypto map TOWHS interface outside
isakmp enable outside
isakmp key ******** address <IP address>netmask no-xauth no-co
isakmp keepalive 20
isakmp nat-traversal 20
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400

Open in new window

Yes, you will have to change it on your ASA on the other end as well.

When you enter in the "no" form of the command, you can put in whatever you want for the key value, then put in the real key that you want to use when you enter the "isakmp key" command.
ammartahir1978Author Commented:
thank you

batry_boy is there anything else i have to change or just put a no on isakmp key and they put it on again with isakmp command?

can you change my code?
No, I don't think so, given the info you have provided thus far.  For example, if you wanted to change the key to be "cisco123", just put in the following statements:

no isakmp key whatever address <IP address> netmask no-xauth no-config-mode
isakmp key cisco123 address <IP address> netmask no-xauth no-config-mode

where <IP address> is the remote tunnel peer.

For the ASA, the command syntax is different:

tunnel-group <IP address> ipsec-attributes
pre-shared-key cisco123

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ammartahir1978Author Commented:
this is how it is on the pix of head office, do i have to put no first and then recreate it?

tunnel-group <IP ADDRESS> type ipsec-l2l
tunnel-group <IP ADDRESS>ipsec-attributes
 pre-shared-key *
No, you should be able to overwrite the existing pre-shared key.  Just issue the following commands:

tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key <new_pre_shared_key>
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Hardware-Other

From novice to tech pro — start learning today.