Registered
Really really need someone who knows the Cisco PIX 501
If you know the PIX 501 pretty well, please call me at eight four seven, six nine three six five two three
I really appreciate it, and I'll try and compensate for your time. Thanks
__________________
I turn away with fear and horror from this lamentable sore of continuous functions without derivatives. --Charles Hermite Fakelife.com Nothing to do with archery anymore. Porsche/BMW/Ferrari/Honda videos
Slackerous Maximus
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,206
Whaza problem?
__________________
2022 Royal Enfield Interceptor. 2012 Harley Davidson Road King 2014 Triumph Bonneville T100. 2014 Cayman S, PDK. Mercedes E350 family truckster.
Registered
I know them, not in a place to call though at the moment.
email the details to submikester at yahoo.com
__________________
-The Mikester I heart Boobies
Registered
In a nutshell? PIX is now refusing connection from the LAN, and when I remotely SSH to its public IP, it now prompts for a username, instead of just a password. Same if I connect to the VPN and then SSH to it. Previously it only asked for the password. Also, rejects everyone else's VPN connection, except for mine. Logged in on the 13th to reset PPPoE creds, rebooted, tried to connect today and now it's asking for a username.
I'm sort of thinking it might have been compromised, but am not sure. I no longer have access, and the old IT guy lost the console cable (which you can't readily buy like... anywhere). By default the PIX doesn't ask for a username unless you tell it to. I never told it to... That's one password I wish I would have changed... Sounds like fun, ey?
Registered
I can send you a console cable. I have tons of them.
Have you tried rebooting it? If the configuration isn't saved it will revert to the old saved config. Otherwise, do a password recovery on it (which you do need the console cable for). The password recovery resets the aaa configuration but should leave the rest intact (may depend on the code revision). Let me know where to send that console cable to.
Registered
copy startup-config running-config
__________________
ßrandon
Registered
That won't do it:
First, he can't log into the firewall, so he can't execute the command. Second, when you do that, it doesn't erase what is there already; it merges the startup config into whatever the running config is. So since the username command was not originally in the startup config and is in the now-running config, it will still be there after the command to copy the startup config to the running config is issued. I'm almost 100% sure this requires an outage to recover from.
Family Values
Join Date: Jun 2003
Location: Los Angeles, CA
Posts: 4,075
/chants "Listen to Mikester"
You're in good hands.
__________________
- Joe Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves. - William Pitt
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,335
Yeah, I'd be a bit worried. I'd assume that someone else has been in your PIX. I'd advise turning off the http access once you get back in and I'd try to lock down the networks that are allowed to SSH to the thing from the outside. It probably wouldn't be a bad idea to only allow SSH from the inside as well.
Don't forget to change the telnet and enable passwords once you get back in. I'm sure you could get a hold of a console cable in your town. You could even try contacting a reseller or the local Cisco office. Any place that has Cisco stuff probably has a hundred laying around. I've got several at home and work. If nothing else, you can get the DB9 snap adapters from Radio Shack, IIRC.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa SOLD 2004 - gone but not forgotten
Registered
Join Date: Apr 2002
Location: Santa Barbara, CA
Posts: 1,607
Try entering "pix" for the username and your enable password to see if you can get in.
Registered
Worried? Am I ever! I think I'm forming an ulcer.
Too many coincidences for me to feel like it hasn't been compromised. I was going to restrict SSH access this week. HTTP and telnet are already disabled. Amid the cries of "the network is slow" and "please update the accounting software" the PIX got put on the back burner. (And burned me.) I thought I'd be able to get one, too, but apparently not. I called some Cisco re-sellers, and no one seemed to have the darn thing. WTF? I thought of trying a cross-over cable, but they are wired differently than the roll-over cables, which the PIX needs. I don't understand why they didn't just design it to use a standard cross-over or patch cable, but whatever. The part that really has me worried, though, is... what else did they get into? Packet sniffing I don't think would get them very far, as it's a switched network. But it'd be easy to fire up nmap, do a little port scanning, enumerate users/groups and guess passwords from there. Now I (somehow) have to determine if they compromised the server. Or if they did in fact get onto a desktop machine and guess passwords to the accounting program. Yep, it's an ulcer alright.
Registered
Join Date: Apr 2002
Location: Santa Barbara, CA
Posts: 1,607
Good luck!
Formerly bb80sc
Join Date: Aug 2001
Location: Hollywood Beach, CA
Posts: 4,361
There is a standard procedure you can use to reset the password... assuming you can console into it. Hopefully you have a copy of your startup/running config someplace.
Edit: whoops, Mikester already said this. The reboot is a good suggestion... if the running config was not copied to startup. Good luck man!
__________________
Cheers -Brad 2015 Cayman GTS 2015 4Runner Limited
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,335
A rollover cable is different, but not that special. Nothing that you couldn't easily make out of a straight patch cable. The hardest part of a console cable (assuming you don't have the blue Cisco premade one) is the DB9 snap adapter.
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,335
It's cool that we have so many Network guys on the board.
I've been doing the Cisco thing since Jan 1999. I started on the Cisco TAC, went to Sprint, back to the TAC, to a service provider that did voice and data over MPLS over satellite, and now I'm working for a power company. I love this stuff. I used to have my CCNA, CCNP, and CCIE written. I took the CCIE lab once years ago when it was still 2 days, but didn't quite make it (made it to day 2) and never made it back to try again. Since then everything has expired. I keep telling myself I'm going to recert, but it just doesn't seem worth it. But, it will get your resume looked at or get your foot in the door if/when you're looking for a job.
Registered
The command is something to the effect of:

aaa authentication enable console TACACS+ enable
aaa authentication ssh console TACACS+ enable

If you don't have the first one right, like this for example:

aaa authentication enable console TACACS+

then even at the console, if TACACS is down or somehow misconfigured, you will not be able to enable on the PIX/ASA/FWSM and you will be screwed, and you will need to reboot the device and do password recovery to get back into it. Please don't ask me how I know.

I've been Cisco certified since 2000 myself. I've managed to keep my CCNP current, and over the last 2 years I've taken the CCIE written twice and passed both times, but I've never been able to get enough time to take the lab before my written expired. I'm hoping that this year will be different, but I just got word today that while I was out one of my coworkers (our lead engineer) gave notice. Flipping wonderful. Anyone know a good Network Engineer with Voice exp in the LA area? I don't know if we get to keep the head count or not, but I'd love to get the bonus associated with recommending someone.
Last edited by mikester; 01-20-2009 at 05:47 PM.
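An added example, not anything posted in this thread, that checks a saved config for the two risks raised here: ssh/http management open from any outside address, and an aaa authentication line with no local fallback. The sample configs are constructed, and treating both "enable" and LOCAL as fallback keywords is an assumption because the keyword varies by PIX/ASA release:

```python
import re
from typing import List

# Keywords that make an "aaa authentication ... console" line fall back to a password
# kept on the box itself: "enable" as quoted in the post, LOCAL on newer PIX/ASA code.
# Assumption: the exact keyword depends on the code revision, so both are accepted.
FALLBACK_METHODS = {"LOCAL", "enable"}
AAA_RE = re.compile(r"^aaa authentication (\S+) console\s+(.+)$")
MGMT_RE = re.compile(r"^(ssh|http) (\S+) (\S+) (\S+)$")


def audit_pix_config(config: str) -> List[str]:
    """Return one finding per risky line in a PIX/ASA-style config dump."""
    lines = [raw.strip() for raw in config.splitlines()]
    http_server_on = "http server enable" in lines  # http <net> lines are inert otherwise
    findings: List[str] = []
    for line in lines:
        m = AAA_RE.match(line)
        if m:
            service, methods = m.group(1), m.group(2).split()
            # One remote method and no local fallback: an unreachable AAA server
            # locks you out, and for the "enable" service that includes the console.
            if not FALLBACK_METHODS.intersection(methods):
                findings.append(f"aaa {service}: only '{' '.join(methods)}', no local fallback")
            continue
        m = MGMT_RE.match(line)
        if m:
            proto, _net, mask, iface = m.groups()
            if proto == "http" and not http_server_on:
                continue
            if iface == "outside" and mask == "0.0.0.0":  # any source address
                findings.append(f"{proto} management reachable from any {iface} address")
    return findings


# Constructed sample configs (not from the thread): the weak one has management open
# from anywhere on the outside and an ssh aaa line with no fallback.
WEAK_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+ LOCAL
"""
HARDENED_CONFIG = """\
no http server enable
ssh 203.0.113.10 255.255.255.255 outside
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
"""
```

Run `audit_pix_config(WEAK_CONFIG)` to see three findings and the hardened config to see none.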
Registered
Join Date: Apr 2002
Location: Santa Barbara, CA
Posts: 1,607
I wish I would have gone the programming way and would make cool stuff for Porsches instead, like ECUs etc. It would be much more fun! But even though it's a giant headache, the pay is pretty damn good for doing networking, so I can't complain!
Registered
While I have maintained my NP cert, I would never and have never ever tried to recertify it with an NP-level exam.
With the experience you have, I am sure that these newer CCIE exams (which are easier in some cases than the NP exams) are probably what you should be spending your time and energy on. I'm just sayin'.
Registered
Cable (actually 2) shipped.