Cisco ASA IPSec Pre Shared Key Recovery

The Cisco ASA firewall is one of the most common firewalls I have encountered while both working in the corporate IT world as well as in the consulting industry with small to medium clients. Most administrators enjoy working with it as it has both a fairly intuitive interface in the form of the ASDM and a powerful CLI as well. One simple but common complaint, however, is that pre shared keys are difficult to recover from the units when working with IPsec tunnels. The solution is quite simple yet often elusive.

There are a few different ways to do this. As you probably found out, before you searched the internet and found this, “show running-config” displays the keys as asterisks.
First, you can use the “more” command from the CLI to review the configuration with the keys visible.

ciscoasa# more system:running-config

Second, if the http server is configured on the ASA and proper access is allowed you can connect to the unit by accessing this URL: https://<ASA IP Address>/config
Third, copying the configuration to a TFTP, FTP, etc server and then viewing will also allow the pre shared keys to be viewed.

ciscoasa#copy running-config tftp://192.168.1.2/asaconfig.txt
This entry was posted in Networking and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.