PIX: show / copy pre-shared key in plaintext

Discussion in 'Cisco' started by nemo@weathersong.net, Nov 7, 2006.

  1. Guest

    I'm a PIX idiot, but I know just enough Cisco to do some research on
    this question. A consultant has indicated this is possible, though I'm
    unconvinced. We have a PIX 515 with a couple tunnels configured. We
    want to back up the configuration of these tunnels to TFTP. As part of
    the backup, we want the pre-shared keys shown in plaintext (if this is
    possible). I.e., when you show run tunn, you'll see "pre-shared-key *".
    We want the actual key instead of the asterisk.

    Possible? How?
     
    , Nov 7, 2006
    #1

  2. Brian V Guest

    Re: show / copy pre-shared key in plaintext

    <> wrote in message
    news:...
    > I'm a PIX idiot, but I know just enough Cisco to do some research on
    > this question. A consultant has indicated this is possible, though I'm
    > unconvinced. We have a PIX 515 with a couple tunnels configured. We
    > want to back up the configuration of these tunnels to TFTP. As part of
    > the backup, we want the pre-shared keys shown in plaintext (if this is
    > possible). I.e., when you show run tunn, you'll see "pre-shared-key *".
    > We want the actual key instead of the asterisk.
    >
    > Possible? How?
    >


    do a "write net" this will send all keys clear text.
     
    Brian V, Nov 7, 2006
    #2

  3. Re: show / copy pre-shared key in plaintext

    In article <>,
    Brian V <> wrote:

    ><> wrote in message
    >news:...
    >> I'm a PIX idiot, but I know just enough Cisco to do some research on
    >> this question. A consultant has indicated this is possible, though I'm
    >> unconvinced. We have a PIX 515 with a couple tunnels configured. We
    >> want to back up the configuration of these tunnels to TFTP. As part of
    >> the backup, we want the pre-shared keys shown in plaintext


    >do a "write net" this will send all keys clear text.


    Addendum: do the "write net" from configuration mode, after having
    configured an appropriate tftp-server command.
     
    Walter Roberson, Nov 7, 2006
    #3
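    The practical consequence of the answer above is that the "write net" dump that lands on the TFTP server carries every IKE pre-shared key in the clear, and TFTP itself offers no authentication or encryption. The following is an added example, not code from the thread or from Cisco: a small Python routine that scans such a backup, reports which tunnels had a key in plaintext, and masks the keys before the file is archived. The sample configuration text is constructed for the demo (PIX 7 "tunnel-group ... pre-shared-key" syntax alongside the older "isakmp key" syntax, addresses from the 203.0.113.0/24 documentation range); the regular expressions are my assumptions about those two line formats.

```python
"""Redact IKE pre-shared keys from a PIX 'write net' configuration backup.

Added example (not from the thread): the backup that 'write net' sends to
the TFTP server contains pre-shared keys in the clear, so anything that
archives those backups should at least flag, and preferably mask, the keys
before the file is stored or copied elsewhere.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of what a PIX 7 'write net' dump might contain.
# Both the tunnel-group form (PIX 7) and the 'isakmp key' form (PIX 6.x)
# are included so the redactor handles either.
SAMPLE_BACKUP = """\
: Saved
:
PIX Version 7.0(4)
hostname pixfirewall
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key s3cr3tKey!2006
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key *
isakmp key Old6xKey address 203.0.113.12 netmask 255.255.255.255
tftp-server inside 192.168.10.2 /pix/
"""

# Assumed line formats (hypothetical regexes, written for this example):
# PIX 7:   ' pre-shared-key <value>' nested under a tunnel-group
# PIX 6.x: 'isakmp key <value> address <peer> netmask <mask> ...'
PSK_RE = re.compile(r"^(?P<indent>\s*)pre-shared-key\s+(?P<key>\S+)\s*$")
ISAKMP_RE = re.compile(r"^(?P<head>isakmp key\s+)(?P<key>\S+)(?P<tail>\s+address\s.*)$")
TG_RE = re.compile(r"^tunnel-group\s+(?P<name>\S+)\s+ipsec-attributes\s*$")

MASK = "********"


def is_masked(value: str) -> bool:
    """True when the device already hid the key ('*' in 'show run' output)."""
    return set(value) == {"*"}


def redact_backup(text: str) -> Tuple[str, List[Tuple[str, bool]]]:
    """Return (redacted config text, findings).

    findings is a list of (tunnel-group name or peer address, key_was_plaintext),
    in the order the keys appear in the backup.
    """
    out: List[str] = []
    findings: List[Tuple[str, bool]] = []
    current_tg: Optional[str] = None
    for line in text.splitlines():
        m = TG_RE.match(line)
        if m:
            # Remember which tunnel-group the following nested lines belong to.
            current_tg = m.group("name")
            out.append(line)
            continue
        m = PSK_RE.match(line)
        if m:
            plain = not is_masked(m.group("key"))
            findings.append((current_tg or "?", plain))
            out.append(f"{m.group('indent')}pre-shared-key {MASK}")
            continue
        m = ISAKMP_RE.match(line)
        if m:
            plain = not is_masked(m.group("key"))
            peer = m.group("tail").split()[1]  # token right after 'address'
            findings.append((peer, plain))
            out.append(f"{m.group('head')}{MASK}{m.group('tail')}")
            continue
        out.append(line)
    return "\n".join(out) + "\n", findings


def plaintext_peers(text: str) -> List[str]:
    """Tunnel-groups / peers whose key sits in the backup in the clear."""
    _, findings = redact_backup(text)
    return [name for name, plain in findings if plain]


if __name__ == "__main__":
    redacted, findings = redact_backup(SAMPLE_BACKUP)
    for name, plain in findings:
        print(f"{name}: {'PLAINTEXT key in backup' if plain else 'already masked'}")
    print(redacted)
```

    Run it against the file the TFTP server received; the findings list tells you which tunnels need the key kept somewhere better than a TFTP spool directory, and the redacted text is what is safe to keep in a long-term configuration archive.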
  4. Guest

    Re: show / copy pre-shared key in plaintext

    Of course it would be something that simple. Thank you!

    Brian V wrote:
    > do a "write net" this will send all keys clear text.
     
    , Nov 7, 2006
    #4
  5. Brian V Guest

    Re: show / copy pre-shared key in plaintext

    "Walter Roberson" <> wrote in message
    news:Ii84h.274956$5R2.222512@pd7urf3no...
    > In article <>,
    > Brian V <> wrote:
    >
    >><> wrote in message
    >>news:...
    >>> I'm a PIX idiot, but I know just enough Cisco to do some research on
    >>> this question. A consultant has indicated this is possible, though I'm
    >>> unconvinced. We have a PIX 515 with a couple tunnels configured. We
    >>> want to back up the configuration of these tunnels to TFTP. As part of
    >>> the backup, we want the pre-shared keys shown in plaintext

    >
    >>do a "write net" this will send all keys clear text.

    >
    > Addendum: do the "write net" from configuration mode, after having
    > configured an appropriate tftp-server command.
    >


    Absolutely not needed, not recommended nor a requirement. It can create an
    administrative nightmare. When you hard set that within a configuration the
    pix uses that to get its config at every boot. You would now need to do a
    wr mem in addition to a wr net for every configuration change you make or at
    next boot you will not have the correct configuration.
    http://www.cisco.com/en/US/products...tion_guide_chapter09186a008008c13c.html#22929

    write net [<tftp_ip>]:<filename> is all that is needed to backup a pix
    config. We use it practically daily as it is our policy to provide our
    customers with before and after backup copy of their configurations any time
    we make a change to a network device.
     
    Brian V, Nov 8, 2006
    #5
  6. Re: show / copy pre-shared key in plaintext

    In article <>,
    Brian V <> wrote:

    >"Walter Roberson" <> wrote in message
    >news:Ii84h.274956$5R2.222512@pd7urf3no...


    >> Addendum: do the "write net" from configuration mode, after having
    >> configured an appropriate tftp-server command.


    >Absolutely not needed, not recomended nor a requirement. It can create an
    >administrative nightmare. When you hard set that within a configuration the
    >pix uses that to get it's config at every boot.


    You have not provided any evidence to back that up. The link you
    provided says *nothing* about the PIX using that URL to try to fetch
    the configuration at boot time.

    >http://www.cisco.com/en/US/products...tion_guide_chapter09186a008008c13c.html#22929


    That's PIX 4.4 and it says,

    The tftp-server command lets you specify the IP address of a
    server that you use to propagate PIX Firewall configuration
    files to your firewalls. Use tftp-server with the configure net
    command to read from the configuration or with the write net
    command to store the configuration in the file you specify.

    The contents of the path name you specify in tftp-server are
    appended to the end of the IP address you specify in the
    configure net and write net commands. The more of a file and
    path name specification you provide with the tftp-server
    command, the less you need to do with the configure net and
    write net commands. If you specify the full path and filename
    in tftp-server, the IP address in configure net and write net
    can be represented with a colon (:).

    Sometime by 5.3, this was added rephrased:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_53/config/commands.htm#1026079

    The tftp-server command lets you specify the IP address of the
    server that you use to propagate PIX Firewall configuration
    files to your firewalls. Use the tftp-server command with the
    configure net command to read from the configuration or with
    the write net command to store the configuration in the file
    you specify. The clear tftp-server command removes the
    tftp-server command from your configuration.

    PIX Firewall supports only one TFTP server.

    The path name you specify in the tftp-server is appended to the
    end of the IP address you specify in the configure net and
    write net commands. The more you specify of a file and path
    name with the tftp-server command, the less you need to specify
    with the configure net and write net commands. If you specify
    the full path and filename in the tftp-server command, the IP
    address in the configure net and write net commands can be
    represented with a colon (:).

    By the time of PIX 6.3, the wording is still exactly the same.

    What does the PIX 6.3 Configuration Guide have to say on the topic?

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/overvw.htm#wp1052724

    You should back up your configuration in at least one of the
    following ways: [...]

    Store the configuration on another system using the tftp-server
    command to initially specify a host and the write net command
    to store the configuration.


    >You would now need to do a
    >wr mem in addition to a wr net for every configuration change you make or at
    >next boot you will not have the correct configuration.


    As we say in comp.lang.c: "C&V please." Chapter and Verse. Exact
    URL and indicate -specifically- what part you want to point out; don't
    just point us to a general section and expect us to read between the
    lines.


    >write net [<tftp_ip>]:<filename> is all that is needed to backup a pix
    >config.


    Wrong answer.

    [<tftp_ip>] is a syntax indicating an optional IP, but if you have not
    set your tftp-server then there is no default IP and the command will fail.

    If you do specify an IP and the route to it is not through ethernet1
    (and I do not mean "the inside interface", I mean ethernet1 specifically!)
    and you have not specified a tftp-server command, then you will
    not be able to reach your tftp server. The tftp-server command is
    the *only* way to change the default tftp interface to something
    other than ethernet1 . And yes, if you do not -have- an ethernet1
    (e.g., you are on a 535 with only gigabit cards), then you cannot
    write net without having used tftp-server, because the default
    is to try ethernet1 no matter IP range it is and no matter whether
    it exists or not.

    >We use it practically daily as it is our policy to provide our
    >customers with before and after backup copy of their configurations any time
    >we make a change to a network device.


    I can personally testify that your claims about tftp-server are
    without foundation in any PIX major release from 5.2 to 6.3; I could
    list off a number of subreleases along the way that I had direct
    experience in as well. I was the PIX administrator and I was the
    administrator of our configured tftp-server, and I checked the system
    logs on the tftp-server literally dozens of times a day for over 5 years
    (including the great majority of weekends and holidays.)


    Attempting to fetch a configuration at boot-time via bootp is something
    that an IOS box might easily be configured to do, but PIX 5.2 thru 6.3
    attempt such neither via bootp nor via tftp.
     
    Walter Roberson, Nov 8, 2006
    #6
  7. Brian V Guest

    Re: show / copy pre-shared key in plaintext

    "Walter Roberson" <> wrote in message
    news:SAd4h.282310$R63.3627@pd7urf1no...
    > In article <>,
    > Brian V <> wrote:
    >
    >>"Walter Roberson" <> wrote in message
    >>news:Ii84h.274956$5R2.222512@pd7urf3no...

    >
    >>> Addendum: do the "write net" from configuration mode, after having
    >>> configured an appropriate tftp-server command.

    >
    >>Absolutely not needed, not recomended nor a requirement. It can create an
    >>administrative nightmare. When you hard set that within a configuration
    >>the
    >>pix uses that to get it's config at every boot.

    >
    > You have not provided any evidence to back that up. The link you
    > provided says *nothing* about the PIX using that URL to try to fetch
    > the configuration at boot time.
    >
    >>http://www.cisco.com/en/US/products...tion_guide_chapter09186a008008c13c.html#22929

    >
    > That's PIX 4.4 and it says,
    >
    > The tftp-server command lets you specify the IP address of a
    > server that you use to propagate PIX Firewall configuration
    > files to your firewalls. Use tftp-server with the configure net
    > command to read from the configuration or with the write net
    > command to store the configuration in the file you specify.
    >
    > The contents of the path name you specify in tftp-server are
    > appended to the end of the IP address you specify in the
    > configure net and write net commands. The more of a file and
    > path name specification you provide with the tftp-server
    > command, the less you need to do with the configure net and
    > write net commands. If you specify the full path and filename
    > in tftp-server, the IP address in configure net and write net
    > can be represented with a colon (:).
    >
    > Sometime by 5.3, this was added rephrased:
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_53/config/commands.htm#1026079
    >
    > The tftp-server command lets you specify the IP address of the
    > server that you use to propagate PIX Firewall configuration
    > files to your firewalls. Use the tftp-server command with the
    > configure net command to read from the configuration or with
    > the write net command to store the configuration in the file
    > you specify. The clear tftp-server command removes the
    > tftp-server command from your configuration.
    >
    > PIX Firewall supports only one TFTP server.
    >
    > The path name you specify in the tftp-server is appended to the
    > end of the IP address you specify in the configure net and
    > write net commands. The more you specify of a file and path
    > name with the tftp-server command, the less you need to specify
    > with the configure net and write net commands. If you specify
    > the full path and filename in the tftp-server command, the IP
    > address in the configure net and write net commands can be
    > represented with a colon (:).
    >
    > By the time of PIX 6.3, the wording is still exactly the same.
    >
    > What does the PIX 6.3 Configuration Guide have to say on the topic?
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/overvw.htm#wp1052724
    >
    > You should back up your configuration in at least one of the
    > following ways: [...]
    >
    > Store the configuration on another system using the tftp-server
    > command to initially specify a host and the write net command
    > to store the configuration.
    >
    >
    >>You would now need to do a
    >>wr mem in addition to a wr net for every configuration change you make or
    >>at
    >>next boot you will not have the correct configuration.

    >
    > As we say in comp.lang.c: "C&V please." Chapter and Verse. Exact
    > URL and indicate -specifically- what part you want to point out; don't
    > just point us to a general section and expect us to read between the
    > lines.
    >
    >
    >>write net [<tftp_ip>]:<filename> is all that is needed to backup a pix
    >>config.

    >
    > Wrong answer.
    >
    > [<tftp_ip>] is a syntax indicating an optional IP, but if you have not
    > set your tftp-server then there is no default IP and the command will
    > fail.
    >
    > If you do specify an IP and the route to it is not through ethernet1
    > (and I do not mean "the inside interface", I mean ethernet1 specifically!)
    > and you have not specified a tftp-server command, then you will
    > not be able to reach your tftp server. The tftp-server command is
    > the *only* way to change the default tftp interface to something
    > other than ethernet1 . And yes, if you do not -have- an ethernet1
    > (e.g., you are on a 535 with only gigabit cards), then you cannot
    > write net without having used tftp-server, because the default
    > is to try ethernet1 no matter IP range it is and no matter whether
    > it exists or not.
    >
    >>We use it practically daily as it is our policy to provide our
    >>customers with before and after backup copy of their configurations any
    >>time
    >>we make a change to a network device.

    >
    > I can personally testify that your claims about tftp-server are
    > without foundation in any PIX major release from 5.2 to 6.3; I could
    > list off a number of subreleases along the way that I had direct
    > experience in as well. I was the PIX administrator and I was the
    > administrator of our configured tftp-server, and I checked the system
    > logs on the tftp-server literally dozens of times a day for over 5 years
    > (including the great majority of weekends and holidays.)
    >
    >
    > Attempting to fetch a configuration at boot-time via bootp is something
    > that an IOS box might easily be configured to do, but PIX 5.2 thru 6.3
    > attempt such neither via bootp nor via tftp.


    I stand corrected on booting the config from a TFTP with current
    versions. I know it used to work that way, perhaps it was in an older
    version. I have been bit in the ass by it before. It did NOT overwrite the
    config; it did a config merge. Rules you know were removed were back in at
    every reboot. Now I'm going to have to dig up some old images and make sure
    I wasn't smoking too much crack back then!
    I can say with 100% certainty that you do NOT need to specify any tftp
    server when using the wr net command when writing to any address off E1, I
    do it almost every day.
    pixfirewall# sho tftp-server
    pixfirewall# wr net 192.168.10.2:pix_config.txt
    Building configuration...
    TFTP write 'pix_config.txt' at 192.168.10.2 on interface 1
    [OK]
    pixfirewall#
     
    Brian V, Nov 8, 2006
    #7
  8. Guest

    Re: show / copy pre-shared key in plaintext

    Out of curiosity, how (or why, really) is "copy run tftp" different in
    this regard? It's what I'm more familiar with (I understand the "write"
    syntax is older and/or deprecated?) and it prompts for its parameters,
    usefully recalling the previous TFTP address used. Is there an
    advantage to "write" that I've been completely unaware of?
     
    , Nov 8, 2006
    #8
  9. Re: show / copy pre-shared key in plaintext

    In article <>,
    <> wrote:
    >Out of curiosity, how (or why, really) is "copy run tftp" different in
    >this regard? It's what I'm more familiar with (I understand the "write"
    >syntax is older and/or deprecated?) and it prompts for its parameters,
    >usefully recalling the previous TFTP address used. Is there an
    >advantage to "write" that I've been completely unaware of?


    "copy run tftp" is not supported until PIX 7; before that it is
    "write net".
     
    Walter Roberson, Nov 8, 2006
    #9
