shared keys in configs are obfuscated--need clear text

When you pull the configurations from our ASA and other firewall products the shared key information is obfuscated with stars (****). Of course, if we lost a piece and gear and tried to use the pulled configs they would be useless. How can we get the shared keys as clear text using NCM?

Find more posts tagged with

disa_stig

Compliance

Accepted answers

mattschorr

Thanks for your answers. Yes, TFTP does do clear text but setting the template type to "Cisco Pix Firewall" collection all of the shared keys in clear text through NCM.

Thank you

All comments

cvachovecj

Hi mattschorr,

You have to configure that on the device. NCM can't do anything about a device not sending the key.

Regards,

Jiri

tonyled

when you tftp the file it will show the passes in clear txt

mattschorr

Thanks for your answers. Yes, TFTP does do clear text but setting the template type to "Cisco Pix Firewall" collection all of the shared keys in clear text through NCM.

Thank you

tonyled

i tried both pix and asa settings and it still shows mine as *****

cvachovecj

I see, but it's definitely not redacted by NCM.

Jiri

FormerMember

The best option is to upgrade to ASA version 9.1(5) which has scp as a option to copy, then you can configure SCP using the following in the command template:

<Command Name="DownloadConfigIndirectSCP" Value="copy /noconfirm ${ConfigType} ${TransferProtocol}://${SCPServerUserName}:${SCPServerPassword}@${SCPStorageAddress}/${StorageFilename}&quot;/><Command Name="UploadConfigIndirectSCP" Value="copy /noconfirm ${TransferProtocol}://${SCPServerUserName}:${SCPServerPassword}@${SCPStorageAddress}/${StorageFilename} ${ConfigType}"/>

This will give you the whole config and save it over an encrypted connection. And has the advantage of working over links where TFTP would not function or is not acceptable.

Another option is to use the following:

<Command Name="DownloadConfig" Value="more system:${ConfigType}"/>

This gives the whole configuration, however this produces errors for the startup-config as this can't be recovered by system.