Network Security Firewalls
RE: PIX configuration question?

Subject: RE: PIX configuration question?
Date: Fri, 11 Mar 2005 08:24:42 -0000
I seem to recall it's a clear ISAKMP command.

HTH

Andy

-----Original Message-----
From: Conlan Adams [mailto:conlan@midwesteyebanks.org] 
Sent: 10 March 2005 19:29
To: Brad Davenport; firewalls@securityfocus.com
Subject: RE: PIX configuration question?

Maybe it's the PIX OS version I am using, but it doesn't list a [no]
isakmp key. Just isakmp key. I tried doing the no isakmp key first
assuming it would work, but wasn't shown the love.

hancock(config)# isakmp ?
Usage:  isakmp policy <priority> authen <pre-share|rsa-sig>
        isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
        isakmp policy <priority> hash <md5|sha>
        isakmp policy <priority> group <1|2|5>
        isakmp policy <priority> lifetime <seconds>
        isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [no-config-mode]
        isakmp enable <if_name>
        isakmp identity <address|hostname|key-id> [<key-id-string>]
        isakmp keepalive <seconds> [<retry seconds>]
        isakmp nat-traversal [<natkeepalive>]
        isakmp client configuration address-pool local <poolname> [<pif_name>]
        isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
        [no] isakmp log <#events>
        {show|clear} isakmp log

-----Original Message-----
From: Brad Davenport [mailto:BDavenport@egisticsinc.com] 
Sent: Thursday, March 10, 2005 2:26 PM
To: Conlan Adams
Subject: RE: PIX configuration question?

Yes you can...

no isakmp key anything address x.x.x.x netmask x.x.x.x no-xauth no-config-mode

Or whatever.

It doesn't even have to be the key you originally used. Just enter
anything at all after the address word.

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com
bdavenport@egisticsinc.com
972-851-3131
214-995-5629

-----Original Message-----
From: Conlan Adams [mailto:conlan@midwesteyebanks.org] 
Sent: Thursday, March 10, 2005 1:21 PM
To: Brad Davenport
Cc: firewalls@securityfocus.com
Subject: RE: PIX configuration question?

I tried that, but you can't "no" an "isakmp key" statement...

I was able to do this via the PDM; you can just type over what is there
and enter another, but I would like a way to do it via the CLI if
feasible in the future.

Conlan Adams

-----Original Message-----
From: Brad Davenport [mailto:BDavenport@egisticsinc.com] 
Sent: Thursday, March 10, 2005 2:11 PM
To: Conlan Adams
Cc: firewalls@securityfocus.com
Subject: RE: PIX configuration question?

Just enter a

"no isakmp key whatever address wha.te.ev.er netmask xxx.xxx.xxx.xxx"

Then enter the corresponding address and key.

After that do a "sh crypto isakmp sa"

to see if the SA is renegotiating. You may want to enter a

"clear crypto sa peer address-of-peer-above"

HTH,

Brad D.

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com
bdavenport@egisticsinc.com
972-851-3131
214-995-5629

-----Original Message-----
From: Conlan Adams [mailto:conlan@midwesteyebanks.org] 
Sent: Thursday, March 10, 2005 10:57 AM
To: Firewalls-SF
Subject: PIX configuration question?

Ok, please bear with me here, still pretty new to PIXs.

I have a PIX 501 at a remote location on a point-to-point VPN, where I
want to send traffic to a different peer (think Cisco fully meshed). When
this PIX was set up it was set up to be fully meshed, but the isakmp
pre-shared keys were entered incorrectly.

Is there a way through the CLI that I can reset the keys, without
turning off IPSEC and breaking my access to it?

Thanks

Conlan Adams