Recovering the VPN Pre-Shared-Key on the PIX/ASA

IPsec VPNs on the PIX/ASA are built around groups, and before the user authenticates, the group itself must be authenticated. For that, the group name and the group password (the Pre-Shared-Key) are configured both on the VPN server (the PIX/ASA) and on the client installed on the computer.

For security, once the VPN group's Pre-Shared-Key has been configured it is stored encrypted and is not displayed in show running-config. So what do you do when you need to configure the client for a new user and don't know the group password?

Note that show running-config does not display the Pre-Shared-Key configured for the VPNBRAIN group:

BrainFW01# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname BrainFW01
domain-name brainwork.com.br
enable password 1fNd8BA3gg2DMlZx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

!--- Part of the configuration has been omitted

interface Ethernet0/0
nameif outside
security-level 0
ip address 200.20.20.2 255.255.255.192 standby 200.20.20.3
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0 standby 172.16.0.2
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2

!--- Part of the configuration has been omitted

group-policy VPNBRAIN internal
group-policy VPNBRAIN attributes
dns-server value 172.16.0.10 172.16.0.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNBRAIN_splitTunnelAcl
default-domain value brainwork.com.br
username admin password VXSiyjWZ8nmp7vEk encrypted privilege 15
tunnel-group VPNBRAIN type remote-access
tunnel-group VPNBRAIN general-attributes
address-pool vpnpool
default-group-policy VPNBRAIN
tunnel-group VPNBRAIN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:759f1e06b7f44fed061aeec19349a730
: end
BrainFW01#

The solution to this need is simple, starting from version 7 of the PIX/ASA OS.

Just log in to the device where the VPN is configured and, in privileged mode, type more system:running-config. This command displays the running-config with the Pre-Shared-Keys shown in clear text.

Example of the more system:running-config command, with the Pre-Shared-Key displayed:

BrainFW01# more system:running-config
: Saved
:
ASA Version 8.2(1)
!
hostname BrainFW01
domain-name brainwork.com.br
enable password 1fNd8BA3gg2DMlZx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

!--- Part of the configuration has been omitted

interface Ethernet0/0
nameif outside
security-level 0
ip address 200.20.20.2 255.255.255.192 standby 200.20.20.3
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0 standby 172.16.0.2
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2

!--- Part of the configuration has been omitted

group-policy VPNBRAIN internal
group-policy VPNBRAIN attributes
dns-server value 172.16.0.10 172.16.0.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNBRAIN_splitTunnelAcl
default-domain value brainwork.com.br
username admin password VXSiyjWZ8nmp7vEk encrypted privilege 15
tunnel-group VPNBRAIN type remote-access
tunnel-group VPNBRAIN general-attributes
address-pool vpnpool
default-group-policy VPNBRAIN
tunnel-group VPNBRAIN ipsec-attributes
pre-shared-key BR@!N#
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:759f1e06b7f44fed061aeec19349a730
: end
BrainFW01#

Another option is to copy the running-config to a TFTP/FTP server (copy run ftp://172.16.0.20/running-config). The copy of the running-config sent to the server will also show the Pre-Shared-Key in clear text.

More information on Cisco's website.

Until next time.
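The flip side of the two procedures above (the masked `*` in show running-config versus the clear-text key in more system:running-config or in a copy sent to a TFTP/FTP server) is that any config backup produced the second way carries the group keys in the clear and needs to be stored accordingly. The following script is an added example, not the original author's code and not a Cisco tool: it scans a saved ASA/PIX config export, attributes every pre-shared-key line to its tunnel-group, and reports which groups are masked and which are readable, without ever storing or printing the key itself. It assumes the two formats shown in this post; treating a run of several asterisks as masked (as later ASA releases print it) is an assumption, as is the VPNLAB group in the constructed sample.

```python
"""Audit a Cisco ASA/PIX config export for clear-text IPsec pre-shared keys.

Added example for this post; it is not Cisco tooling and not the original
author's code. It assumes only the two forms the post shows: 'show
running-config' masks the group key as '*' (later releases print a run of
asterisks, treated the same here as an assumption), while
'more system:running-config' or a 'copy' to a file server writes the key
in clear text. Keys are never stored or printed, only their length.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 'tunnel-group <name> <section>': only the ipsec-attributes section holds the key.
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+(\S+)")
# Real output indents the key line by one space; copied text is often flattened,
# so leading whitespace is optional. Keys without spaces are assumed.
PSK_RE = re.compile(r"^\s*pre-shared-key\s+(\S+)\s*$")


@dataclass
class PskFinding:
    tunnel_group: str
    line_no: int
    status: str      # "masked" or "cleartext"
    key_length: int  # length of the key field; the key itself is not kept


def is_masked(value: str) -> bool:
    """A field made only of asterisks is the masked form of 'show running-config'."""
    return value != "" and set(value) == {"*"}


def audit_psks(config_text: str) -> List[PskFinding]:
    """Attribute every pre-shared-key line to the ipsec-attributes section it sits in."""
    findings: List[PskFinding] = []
    current_group: Optional[str] = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        tg = TUNNEL_GROUP_RE.match(line)
        if tg:
            name, section = tg.groups()
            # Any other tunnel-group line (type, general-attributes, ...) ends the section.
            current_group = name if section == "ipsec-attributes" else None
            continue
        if line.startswith("!"):
            current_group = None  # comment/separator also closes the section
            continue
        psk = PSK_RE.match(line)
        if psk:
            value = psk.group(1)
            findings.append(PskFinding(
                tunnel_group=current_group or "<outside ipsec-attributes>",
                line_no=line_no,
                status="masked" if is_masked(value) else "cleartext",
                key_length=len(value),
            ))
    return findings


def cleartext_groups(config_text: str) -> List[str]:
    """Tunnel groups whose key is readable in this export, e.g. a backup copied to TFTP/FTP."""
    return sorted({f.tunnel_group for f in audit_psks(config_text) if f.status == "cleartext"})


# Constructed excerpts modelled on the post's VPNBRAIN example (group VPNLAB is invented).
SHOW_RUN_EXCERPT = """\
tunnel-group VPNBRAIN type remote-access
tunnel-group VPNBRAIN general-attributes
 address-pool vpnpool
 default-group-policy VPNBRAIN
tunnel-group VPNBRAIN ipsec-attributes
 pre-shared-key *
!
"""

MORE_SYSTEM_EXCERPT = """\
tunnel-group VPNBRAIN type remote-access
tunnel-group VPNBRAIN ipsec-attributes
 pre-shared-key BR@!N#
tunnel-group VPNLAB type remote-access
tunnel-group VPNLAB ipsec-attributes
 pre-shared-key *****
!
"""

if __name__ == "__main__":
    for label, text in (("show running-config", SHOW_RUN_EXCERPT),
                        ("more system:running-config", MORE_SYSTEM_EXCERPT)):
        print(f"== {label} ==")
        for f in audit_psks(text):
            print(f"line {f.line_no}: tunnel-group {f.tunnel_group}: {f.status} ({f.key_length} chars)")
        print("clear-text groups:", cleartext_groups(text))
```

Run it against a directory of exported configs and any non-empty result from cleartext_groups marks a file that must be kept under the same protection as the device's enable password; the audit deliberately reports only the key length so the scanner's own output never becomes another clear-text copy.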
