June 26, 2007
Recovering Hidden PIX Pre-Shared Keys/Passwords
The latest Cisco TAC Newsletter had an interesting tip on recovering hidden pre-shared keys (which I've needed to do many times). So simple, it's brilliant :) Here's the reprint:
There are times you will need to add configuration or make changes to a live PIX Firewall or ASA. It is common for the original pre-shared keys used in site-to-site VPNs to be mislaid or forgotten. For example, perhaps the previous manager has left the company. It is not possible to see a copy of the configuration with the keys viewable, as they are hidden as ******. The answer is to save a copy of the configuration to a TFTP server. This file can then be viewed using any simple text editor. It can also be used to re-configure the device back to its original state if necessary.
-Tony Holmes, Cistek Solutions Ltd, Cheltenham, Glos, England, UK
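An added example (my own, not from the TAC newsletter or from Cisco) that pulls the site-to-site keys out of the saved file and shows why the "show run" output is no use for this. It handles the PIX 6.x "isakmp key ... address ..." form and the 7.x/ASA "tunnel-group ... ipsec-attributes / pre-shared-key" form; in "show run" the key field prints as asterisks, in the copy written with "write net" or "copy running-config tftp:" it is in the clear. The peers, keys and TFTP server below are made up. Bear in mind what you have just done: the file on the TFTP server now holds every VPN key in plaintext and went over the wire unencrypted and unauthenticated, so pull it from a host on a trusted segment and delete it when you are done.

```python
# Added example (not from the newsletter or the blog): extract VPN pre-shared
# keys from a PIX/ASA configuration that was saved to a TFTP server, and show
# that the same lines from "show running-config" only carry a mask.
#
# Syntaxes handled:
#   PIX 6.x:     isakmp key <key> address <peer> netmask <mask>
#   PIX 7.x/ASA: tunnel-group <peer> ipsec-attributes
#                 pre-shared-key <key>
# In "show run" the key prints as ******** (6.x) or a single * (7.x); in the
# file written with "write net" / "copy running-config tftp:" it is in clear.
# All peers, keys and the TFTP server name below are constructed.
import re
from typing import Dict, Optional

ISAKMP_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+pre-shared-key (\S+)")


def is_masked(key: str) -> bool:
    """True if the key field is the asterisk placeholder the PIX prints in 'show run'."""
    return key.strip("*") == ""


def extract_psks(config_text: str) -> Dict[str, Optional[str]]:
    """Map each VPN peer to its pre-shared key, or None if the key is masked."""
    keys: Dict[str, Optional[str]] = {}
    current_peer = None  # peer of the tunnel-group ipsec-attributes block we are in
    for line in config_text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            key, peer = m.group(1), m.group(2)
            keys[peer] = None if is_masked(key) else key
            current_peer = None
            continue
        m = TG_RE.match(line)
        if m:
            current_peer = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m and current_peer:
            key = m.group(1)
            keys[current_peer] = None if is_masked(key) else key
            continue
        if line and not line.startswith(" "):
            current_peer = None  # any other top-level line ends the sub-mode


    return keys


# Constructed sample: what "show run" prints (keys masked) ...
SHOW_RUN = """\
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *
"""

# ... versus the same lines in the file saved with "write net 10.0.0.5:pix-backup.cfg".
TFTP_COPY = """\
isakmp key c0rrectH0rse address 192.0.2.10 netmask 255.255.255.255
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key batt3ryStaple
"""

if __name__ == "__main__":
    for label, text in (("show run", SHOW_RUN), ("tftp copy", TFTP_COPY)):
        for peer, key in extract_psks(text).items():
            shown = "<masked>" if key is None else key
            print(f"{label:9s} peer={peer:15s} key={shown}")
```

Run it against the real backup file by reading it into extract_psks(); any peer that still comes back as None was masked, which means you are looking at a "show run" capture rather than the TFTP copy.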
Posted by JC at 11:09 AM
September 24, 2006
PIX Authentication Using Local User Database (and Kiwi CatTools)
So here's the scenario I ran into...I just set up a new client for managed network services (where my company (AdTEC Networks) is doing the management). This client happened to have some fairly technical people on staff who wanted privileged mode access to the PIX firewall. No problemo...that is, until I received phone calls with people screaming, "THE NETWORK IS DOWN!!!"
There I am, feeling a cold drip of sweat trickling down the side of my face, scrolling through a running config on a PIX firewall. Aha! Who put that command there?!?! After removing the 'mystery' NAT statement, the network magically works again...now who's to blame...
Of course, all my customer's network admins deny any responsibility, and since there's only a single username / password combination on the PIX (and enable password), there was no way of telling who was responsible. It's time for deeper authentication on the PIX firewall.
Three commands to make this happen:
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Then create your user accounts using this syntax:
username user1 password TUgFoweE932kS0z encrypted privilege 15
username user2 password TUgFoweE932kS0z encrypted privilege 15
...and so on
Here's the powerful result: the users now log in with their own username (user1 and user2 in this case) and their own password rather than the generic "pix" login. The ultra-cool thing (in my opinion) is that second command, "aaa authentication enable console LOCAL": it makes the enable prompt authenticate against the same local user database, so each admin types their own password to reach enable mode instead of a shared enable password, and the third command then authorizes commands under that name at the user's privilege level. Sweet! Two caveats: the first command only covers SSH, so Telnet logins need the matching "aaa authentication telnet console LOCAL" line; and create your own privilege 15 username and log in with it before you turn on "aaa authorization command LOCAL", or you can lock yourself out of the box.
Last, but not least, pick up a copy of Kiwi CatTools. This AWESOME (and cheap - free for 5 devices) utility does configuration change management. Now, if the configuration changes, I get an email showing me what changed and who made the changes. Niiice.
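An added example of my own (not from the original post, and not part of CatTools) that shows the accountability this buys you once the PIX is sending syslog somewhere ("logging enable", "logging trap notifications", "logging host inside <collector>"). PIX/ASA 7.x logs every configuration command as message 111008, "User 'name' executed the 'cmd' command."; under the shared login the name is the generic enable_15 and the mystery NAT line can't be pinned on anyone, while after the LOCAL change it carries the real username. The hostname, timestamps, NAT statement and the list of "sensitive" command prefixes below are constructed; check the message format against your own syslog feed.

```python
# Added example (not from the original post): attribute configuration
# commands on a PIX/ASA 7.x to the admin who typed them, using syslog
# message 111008: "%PIX-5-111008: User 'name' executed the 'cmd' command."
# With the shared "pix"/enable password the user is the generic enable_15;
# with "aaa authentication ssh|enable console LOCAL" it is the real account.
# Hostname, times, the NAT line and the sensitive-prefix list are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

CMD_RE = re.compile(
    r"%(?:PIX|ASA)-5-111008: User '([^']+)' executed the '(.+)' command\."
)

# Commands that change forwarding, NAT, filtering or access to the box itself.
# "no " is included so removals of any of these are caught too (it also
# catches other "no ..." lines, which is acceptable for an alerting heuristic).
SENSITIVE_PREFIXES = (
    "nat ", "global ", "static ", "access-list ", "access-group ", "route ",
    "username ", "aaa ", "enable password", "passwd ", "no ",
)


def is_generic_user(user: str) -> bool:
    """enable_<level> is what the PIX logs when nobody authenticated by name."""
    return user.startswith("enable_")


def parse_commands(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, command) for every 111008 message in the input."""
    found = []
    for line in log_lines:
        m = CMD_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def attribute_changes(log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group sensitive commands by the admin who entered them.

    Commands typed under a shared login are filed under 'UNATTRIBUTED'
    so the report makes the accountability gap obvious."""
    by_user: Dict[str, List[str]] = defaultdict(list)
    for user, cmd in parse_commands(log_lines):
        if not cmd.startswith(SENSITIVE_PREFIXES):
            continue
        key = "UNATTRIBUTED" if is_generic_user(user) else user
        by_user[key].append(cmd)
    return dict(by_user)


# Constructed syslog lines: before the change, everyone is enable_15 ...
BEFORE = [
    "Sep 24 2006 13:55:02 pix : %PIX-5-111008: User 'enable_15' executed the 'configure terminal' command.",
    "Sep 24 2006 13:55:40 pix : %PIX-5-111008: User 'enable_15' executed the 'nat (inside) 1 10.5.0.0 255.255.0.0' command.",
    "Sep 24 2006 13:55:41 pix : %PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
]

# ... and after "aaa authentication ssh/enable console LOCAL", the real account shows up.
AFTER = [
    "Sep 25 2006 09:12:10 pix : %PIX-5-111008: User 'user2' executed the 'configure terminal' command.",
    "Sep 25 2006 09:12:33 pix : %PIX-5-111008: User 'user2' executed the 'nat (inside) 1 10.5.0.0 255.255.0.0' command.",
    "Sep 25 2006 09:13:02 pix : %PIX-5-111008: User 'user1' executed the 'show running-config' command.",
]

if __name__ == "__main__":
    for label, lines in (("before LOCAL auth", BEFORE), ("after LOCAL auth", AFTER)):
        print(f"== {label} ==")
        for user, cmds in attribute_changes(lines).items():
            for cmd in cmds:
                print(f"  {user:13s} {cmd}")
```

Feed it the collector's log for the window in which the config diff appeared and the report names the account that entered the NAT line; an UNATTRIBUTED entry means someone still has the old shared login, which is the cue to go and remove the generic "passwd" and make sure every admin has their own username.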
Posted by JC at 5:30 PM
March 23, 2006
PIX 7.x Configuration Guide
For some reason, I seem to end up working with the PIX 7.x software lately. My best friend when working with this beast has been the PIX 7.1 Configuration Guide. I figured I'd hyperlink it here for my (and your) easy reference rather than digging around the Cisco website.
Posted by JC at 1:07 PM