Sep 19, 2011

How To Recover a Pre-Shared Key on Your Cisco PIX or ASA Firewall

I am in the process of replacing our office Cisco ASA 5505 firewall with a lower end solution that has more features for a lower cost. One of the things we need to do is WAN failover, plus have the ability to have multiple VLANs configured in the firewall. We can do that on our ASA but we would have to upgrade from our base license to the Cisco Security Plus License. That costs about $550 or so. We decided it would be cheaper to replace it with a cheaper Netgear SRX5308.

We're a small office, so the Netgear should be fine for our needs, plus it has a lifetime warranty with it. With the ASA it is unnecessarily expensive because of the Cisco name, and it is also unnecessarily complicated to use. I'm actually pretty happy about the decision, even though I know some of you Cisco die-hards will scoff at me.

Anyway, one of the things I have to do is reconfigure some of the site-to-site VPNs we had set up in the ASA. Setup on the Netgear is stupid easy, but since I didn't set up the original VPN tunnels, I had no idea what the pre-shared keys were. We connect with firewalls that are managed by a third party, so I couldn't check on the partner firewalls for the keys either. I'm not a big Cisco guru, so I use ASDM a lot to manage the firewall. In there the pre-shared keys were hidden. When I ran show run from an SSH session all I could see was pre-shared-key *. Damn it!

It turns out unhiding the pre-shared key isn't that difficult. You can do it from the command line. To show the keys in plain text, run the following from privileged EXEC (enable) mode:

more system:running-config

Scroll down through your running config and you will see that your pre-shared keys are now shown in plain text (show run masks them, more system:running-config does not), so you can use them on your new firewall.
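For a migration with more than a couple of tunnels, it helps to pull the tunnel-group name and key pairs out of the captured output rather than scrolling. The script below is an added example, not from the original post or from Cisco; it assumes the ASA 8.x tunnel-group / ipsec-attributes / pre-shared-key layout and uses a constructed config sample, and it flags any key that is still masked (only asterisks), which tells you the capture came from show run instead of more system:running-config.

```python
import re

# Constructed sample of what `more system:running-config` prints for two
# site-to-site tunnel groups (assumed ASA 8.x syntax; peers and key are made up).
# The second peer is still masked, as `show run` would print it.
SAMPLE_CONFIG = """\
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key s3cretKeyForPartnerA
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *
"""

TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+pre-shared-key\s+(\S+)\s*$")


def extract_psks(config_text):
    """Map each tunnel-group name to its pre-shared key.

    Returns {name: key}. A key of None means the value was still masked
    (only '*' characters): the text came from `show run`, and the config
    must be re-captured with `more system:running-config` before migrating.
    """
    keys = {}
    current = None
    for line in config_text.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)   # entering an ipsec-attributes block
            continue
        m = PSK_RE.match(line)
        if m and current is not None:
            value = m.group(1)
            keys[current] = None if set(value) == {"*"} else value
            current = None
        elif line and not line.startswith(" "):
            current = None         # any other top-level command closes the block
    return keys


def masked_peers(keys):
    """Names of tunnel groups whose key is still hidden in the capture."""
    return sorted(name for name, key in keys.items() if key is None)


if __name__ == "__main__":
    found = extract_psks(SAMPLE_CONFIG)
    for peer, key in found.items():
        print(peer, "->", "<still masked, re-capture>" if key is None else key)
```

The captured file and your terminal scrollback now hold the keys in clear text, so delete them once the new firewall is configured.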

[Via Cisco]