Re: PIX Password Recovery

waka2waka · ‎02-28-2005

Just managed to lock myself out of a 501; no console access, no pdm access, and no telnet/ssh access. Went through the whole password recovery routine, but in that mode, the PIX could not even ping its own inside interface. You can already guess that it could not ping the tftp server.

Any clues?

The tftp server is directly connected to the inside interface of the PIX via a hub.

Patrick Iseli · ‎03-01-2005

When you do the password recovery connect a crossover cable to the outside interface and try again to ping and TFTP.

With the "interface n" commnand it should be possible to set the interace but otherwise it uses the outside interface.

Password Recovery and AAA Configuration Recovery Procedure for the PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

sicerely

Patrick

waka2waka · ‎03-01-2005

went through all that process. Here's my setup and the output from a recovery attempt:

tftp_server===hub===(inside)_PIX_(outside)===modem

Note that the pix could not even ping its inside interface.

monitor> interface inside

0: i8255X @ PCI(bus:0 dev:13 irq:10)

1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

monitor> address 172.16.1.1

address 172.16.1.1

monitor> server 172.16.1.4

server 172.16.1.4

monitor> file np63.bin

file np63.bin

monitor> gateway 172.16.1.1

gateway 172.16.1.1

monitor> ping 172.16.1.4

Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.16.1.4, timeout is 4 seconds:

.....

Success rate is 0 percent (0/5)

monitor> ping 172.16.1.1

Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.16.1.1, timeout is 4 seconds:

.....

Success rate is 0 percent (0/5)

monitor>tftp

{this just hangs. Not that I really expected it to work after the ping failure!)

kingnascar · ‎03-04-2005

you have to select an interface by its number to apply your commands to

interface 0 is the outside interface

interface 0

ip address 172.16.1.1

server 172.16.1.4

file np63.bin

gateway is irellevant here

ping should work if you are connected to the outside f0

Patrick Iseli · ‎03-04-2005

Do you use personal Firewall software that blocks incomming connections for ICMP (ping) or TFTP ?

Windows XP SP2 ...

sincerely

Patrick

kingnascar · ‎03-04-2005

Looks like I kind of shot myself in the foot earlier, but you might have a negotiation issue with your hub. Some of the early 501's were 10 m only and I don't have real good luck with dual speed hubs negotiating either.

Patrick Iseli · ‎03-04-2005

Might be a good idea to use a Crossover cable and connect the PC and PIX directly to do the password recovery !!!

stephenboyle · ‎04-03-2005

I am having the same problem with a PIX 501. Used crossover cable to the outside interface. Neither could ping the other. Using a patch lead to get into one of the four hub ports on the back of the PIX, the PC was able to ping the PIX, but the PIX could not ping the PC. I looked at the MAC addresses and they didn't match.

However, bear in mind that the patch lead connected directly from the PC to the PIX, nothing in between, so it's not an IP address conflict. The PC is configured with a static address in the same subnet as the PIX.

Any ideas people?