Pix 506e Configuration Backup

Status
Not open for further replies.

rodneyws

IS-IT--Management
Apr 5, 2005
33
US
I am familiar with the process of backing up a configuration file to a TFTP server. However, this file contains encrypted VPN passwords. My concern is that when the file is restored to the PIX, the passwords will not be set back to their original state.

Can anyone confirm this or offer any pointers as to how I would go about backing up the entire configuration (passwords included)?

Thanks in advance for any help or words of wisdom.
 
You can open the config file (in Windows) with Wordpad---not notepad---and edit what you need there. Just double click the "confg" file, and it will ask what you want to open with...choose Word Pad. Be sure to simply save it, and not "save as", because it will make a Notepad file if you "save as". Even if you did a "no password-encryption" on the pix and saved the file via tftp, it would still show something like "password 0 blablabla", with the zero in front of it. Another option (that I don't like to use) would be to save the config by capturing it into a text file via HyperTerminal, after "no password-encryption" and then turning it back on when you are done.

Burt
 
I believe the 2nd option you listed will be the one used. Thank you for (what I believe to be) an excellent response.
 
You're welcome---just be aware that HyperTerminal has a tendency to send characters now and again the wrong way---this is why I am particular to the first option. For example, I cannot count how many times I have sent a text file back to a router via HyperTerminal, and I get a lot of
"syntax error detected here ^"
If you do this, be sure to
pix>en
pix#conf t
pix(config)#
before you actually send the text file back to the pix.

Burt
 
I doubt my boss will use the HyperTerminal-to-text-file method for backing up the configuration. The command you referenced (no password-encryption) will be used just so he can see the passwords and get them documented. That's really what I was interested in... and you provided that. His primary concern was that he did not have records of the various VPN passwords used by our users and didn't want to inconvenience them in any way. I had Googled for the answer before I posted here, but I wasn't entirely sure what question I should be asking so I didn't have much luck. Both of us lack numerous Cisco skills that are considered basic, but I'm WELL aware of my limitations... so I posted here.

Just so you'll understand how much you helped... in less than 8 hours the regional hospital where I work will lose its internet connectivity for several hours due to some fiber moves being made in this area. We just activated a DSL connection yesterday that will be used in place of our regular connection... however, my boss was going to have to modify our PIX 506e to work with the DSL connection. This is what started this whole mess. Getting internet access for our users wasn't really our concern... getting our VPN users back online was critical. Again, I really can't express how much I appreciate your concise, accurate and timely response.
 
Unfortunately, I believe the PIX runs a slightly different IOS than the traditional Cisco routers. That command didn't appear to be valid... I'm going to browse through the help files to see if there is a comparable command to be used on a PIX.
 
I'm sorry...the command is
pix>en
pix#conf t
pix(config)#no service password-encryption
That is the same as on IOS routers. I just realized that I missed the keyword "service"...sorry about that.

Burt
 