Cisco Router Tip
Results 1 to 3 of 3

Thread: Cisco Router Tip

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    274

    Cisco Router Tip

    Ok, I'm sure anyone who has spent some time working with Cisco routers has "locked themselves out" of a router they are remotely connected to at least once. Recently I picked up a tip that can keep you from having to drive out to the remote site, or call up someone there and have them reboot your router.
    I've found that when building IPSec tunnels its incredibly easy to screw something up and find yourself with a dead ssh session. Although I try to proof read my scripts as carefully as possible before doing the old paste to host routine, mistakes still happen. This is how I prevent lengthy down time due to a mistake:

    Before pasting into my remote box, I issue the reload command, only I set it to reboot after a certain amount of time. So it looks like this.

    router hostname> reload in X
    router hostname> config t
    router hostname# this is where I paste my script in
    router hostname# exit
    router hostname> wri m

    where X is the number of minutes you want to wait until the router reboots itself. That way, if the connection gets dropped, the router reloads itself before memory is written, and you don't have to drive to the remote site. This feature of the reload command has been a big time saver for me. Hope this helps.

    TK

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    That is a pretty good method of resetting your password remotely. I have found that if you are logged in remotely and you have the password for the enable command, you can capture the script. The password is "encrypted" but there are several programs available from Cisco and third source parties that will "retrieve" your password from the script that you have captured.

    Source: Cisco Networking Academy Program First Year Companion Guide Third Edition.

    There are several other ways to recover your password.

    Step1: Configure the router to start up without reading the configuration memory (NVRAM). THis is done from what is sometimes called test system mode, ROM mode, or boot mode.

    Step2: Reboot the system.

    Step3: Access enable mode (which can be done without a password if you set the configuration register correctly in Step1).

    Step4: View or change the password, or erase the configuration.

    Step5: Reconfigure the router to boot up and read the NVRAM as it normally does.

    Step6: Reboot the system.
    Here is a list of recovery techniques for Cisco products.
    Here a list of password strength testers.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    I kind of do the same when remotely tempering (ssh) with my firewall rules on my openbsd boxes:
    # cp pf.conf pfnew.conf
    # pico pfnew.conf
    # pfctl -R pfnew.conf; sleep 30; pfctl -R pf.conf

    You have 30 seconds to test the new ruleset (try reconnecting...), then the old ruleset will be reloaded. If in fact you didn't screw up , you can abort the reload with a simple ^C.

    Important note though: if you're using stateful entries, it might give a false impression of working if you don't try to reconnect (ie: the current ssh session (for example) might still work because it's already established, but you can't establish new sessions... ). To be more thorough, you might want to do "pfctl -R pfnew.conf -F states; sleep 30; pfctl -R pf.conf".
    It will kill all current connections and you will HAVE TO restablish your ssh session, but you won't be mistaken into thinking the new rulset works when it doesn't!

    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides