PIX: show / copy pre-shared key in plaintext

I'm a PIX idiot, but I know just enough Cisco to do some research on this question. A consultant has indicated this is possible, though I'm unconvinced. We have a PIX 515 with a couple tunnels configured. We want to back up the configuration of these tunnels to TFTP. As part of the backup, we want the pre-shared keys shown in plaintext (if this is possible). I.e., when you show run tunn, you'll see "pre-shared-key *". We want the actual key instead of the asterisk.

Possible? How?

Reply to
nemo

do a "write net" this will send all keys clear text.

Reply to
Brian V

Addendum: do the "write net" from configuration mode, after having configured an appropriate tftp-server command.

Reply to
Walter Roberson

Reply to
nemo

Absolutely not needed, not recommended nor a requirement. It can create an administrative nightmare. When you hard set that within a configuration the pix uses that to get its config at every boot. You would now need to do a wr mem in addition to a wr net for every configuration change you make or at next boot you will not have the correct configuration.

formatting link
write net []: is all that is needed to backup a pix config. We use it practically daily as it is our policy to provide our customers with before and after backup copy of their configurations any time we make a change to a network device.

Reply to
Brian V
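Since a "write net" export carries the keys in cleartext (unlike "show run", which prints "pre-shared-key *"), a copy that leaves the backup server, for instance the before/after copies handed to a customer, should be checked and redacted first. The following is an added example, not code from this thread or from Cisco; the sample backup text is constructed, and the "isakmp key ... address ..." (PIX 6.x) and "pre-shared-key ..." (PIX 7) line forms are the assumptions it matches on.

```python
import re

# Constructed sample of what a PIX "write net" backup can contain.
# The isakmp key line is the one "show run" would mask with "*".
SAMPLE_BACKUP = """\
: Saved
PIX Version 6.3(5)
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
isakmp key NotARealKey123 address 203.0.113.10 netmask 255.255.255.255
crypto map outside_map 10 ipsec-isakmp
tftp-server inside 192.0.2.25 pix_config.txt
"""

# Line forms (assumed) whose second token is a cleartext pre-shared key:
# PIX 6.x "isakmp key <key> address <peer> ..." and
# PIX 7 tunnel-group "pre-shared-key <key>".
SECRET_PATTERNS = [
    re.compile(r"^(\s*isakmp key )(\S+)(\s+address .*)$"),
    re.compile(r"^(\s*pre-shared-key )(\S+)(.*)$"),
]


def find_cleartext_secrets(config_text):
    """Return (line_number, line) for every line carrying a cleartext key."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if any(p.match(line) for p in SECRET_PATTERNS):
            hits.append((n, line))
    return hits


def redact(config_text):
    """Return a copy safe to hand out: keys replaced by '*', as show run does.

    Everything else (including already-hashed enable passwords) is kept
    verbatim so the redacted file still diffs cleanly against the original.
    """
    out = []
    for line in config_text.splitlines():
        for p in SECRET_PATTERNS:
            m = p.match(line)
            if m:
                line = m.group(1) + "*" + m.group(3)
                break
        out.append(line)
    return "\n".join(out) + "\n"
```

Run find_cleartext_secrets() on the file pulled back from the TFTP server before archiving it, and redact() on any copy that goes outside the team that holds the tunnel keys.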

You have not provided any evidence to back that up. The link you provided says *nothing* about the PIX using that URL to try to fetch the configuration at boot time.

That's PIX 4.4 and it says,

The tftp-server command lets you specify the IP address of a server that you use to propagate PIX Firewall configuration files to your firewalls. Use tftp-server with the configure net command to read from the configuration or with the write net command to store the configuration in the file you specify.

The contents of the path name you specify in tftp-server are appended to the end of the IP address you specify in the configure net and write net commands. The more of a file and path name specification you provide with the tftp-server command, the less you need to do with the configure net and write net commands. If you specify the full path and filename in tftp-server, the IP address in configure net and write net can be represented with a colon (:).

Sometime by 5.3, this was added rephrased:

formatting link
The tftp-server command lets you specify the IP address of the server that you use to propagate PIX Firewall configuration files to your firewalls. Use the tftp-server command with the configure net command to read from the configuration or with the write net command to store the configuration in the file you specify. The clear tftp-server command removes the tftp-server command from your configuration.

PIX Firewall supports only one TFTP server.

The path name you specify in the tftp-server is appended to the end of the IP address you specify in the configure net and write net commands. The more you specify of a file and path name with the tftp-server command, the less you need to specify with the configure net and write net commands. If you specify the full path and filename in the tftp-server command, the IP address in the configure net and write net commands can be represented with a colon (:).

By the time of PIX 6.3, the wording is still exactly the same.

What does the PIX 6.3 Configuration Guide have to say on the topic?

formatting link
You should back up your configuration in at least one of the following ways: [...]

Store the configuration on another system using the tftp-server command to initially specify a host and the write net command to store the configuration.

As we say in comp.lang.c: "C&V please." Chapter and Verse. Exact URL and indicate -specifically- what part you want to point out; don't just point us to a general section and expect us to read between the lines.

Wrong answer.

[] is a syntax indicating an optional IP, but if you have not set your tftp-server then there is no default IP and the command will fail.

If you do specify an IP and the route to it is not through ethernet1 (and I do not mean "the inside interface", I mean ethernet1 specifically!) and you have not specified a tftp-server command, then you will not be able to reach your tftp server. The tftp-server command is the *only* way to change the default tftp interface to something other than ethernet1. And yes, if you do not -have- an ethernet1 (e.g., you are on a 535 with only gigabit cards), then you cannot write net without having used tftp-server, because the default is to try ethernet1 no matter what IP range it is and no matter whether it exists or not.

I can personally testify that your claims about tftp-server are without foundation in any PIX major release from 5.2 to 6.3; I could list off a number of subreleases along the way that I had direct experience in as well. I was the PIX administrator and I was the administrator of our configured tftp-server, and I checked the system logs on the tftp-server literally dozens of times a day for over 5 years (including the great majority of weekends and holidays.)

Attempting to fetch a configuration at boot-time via bootp is something that an IOS box might easily be configured to do, but PIX 5.2 thru 6.3 attempt such neither via bootp nor via tftp.

Reply to
Walter Roberson

formatting link

formatting link

I stand corrected on booting the config from a TFTP with current versions. I know it used to work that way, perhaps it was in an older version. I have been bit in the ass by it before. It did NOT overwrite the config, it did a config merge. Rules you know were removed were back in at every reboot. Now I'm going to have to dig up some old images and make sure I wasn't smoking too much crack back then! I can say with 100% certainty that you do NOT need to specify any tftp server when using the wr net command when writing to any address off E1, I do it almost every day.

pixfirewall# sho tftp-server
pixfirewall# wr net 192.168.10.2:pix_config.txt
Building configuration...
TFTP write 'pix_config.txt' at 192.168.10.2 on interface 1
[OK]
pixfirewall#

Reply to
Brian V

Out of curiosity, how (or why, really) is "copy run tftp" different in this regard? It's what I'm more familiar with (I understand the "write" syntax is older and/or deprecated?) and it prompts for its parameters, usefully recalling the previous TFTP address used. Is there an advantage to "write" that I've been completely unaware of?

Reply to
nemo

"copy run tftp" is not supported until PIX 7; before that it is "write net".

Reply to
Walter Roberson
