Thread: Cisco Router Tip

  1. #1
    Senior Member (Join Date: Jan 2003, Posts: 274)

    Cisco Router Tip

    Ok, I'm sure anyone who has spent some time working with Cisco routers has "locked themselves out" of a router they are remotely connected to at least once. Recently I picked up a tip that can keep you from having to drive out to the remote site, or call up someone there and have them reboot your router.
    I've found that when building IPSec tunnels it's incredibly easy to screw something up and find yourself with a dead ssh session. Although I try to proofread my scripts as carefully as possible before doing the old paste-to-host routine, mistakes still happen. This is how I prevent lengthy downtime due to a mistake:

    Before pasting into my remote box, I issue the reload command, only I set it to reboot after a certain amount of time. So it looks like this.

    router hostname> reload in X
    router hostname> config t
    router hostname# this is where I paste my script in
    router hostname# exit
    router hostname> wri m

    where X is the number of minutes you want to wait until the router reboots itself. That way, if the connection gets dropped, the router reloads itself before memory is written, and you don't have to drive to the remote site. This feature of the reload command has been a big time saver for me. Hope this helps.

    TK

  2. #2
    AO übergeek phishphreek (Join Date: Jan 2002, Posts: 4,325)
    That is a pretty good method of resetting your password remotely. I have found that if you are logged in remotely and you have the password for the enable command, you can capture the script. The password is "encrypted" but there are several programs available from Cisco and third source parties that will "retrieve" your password from the script that you have captured.

    Source: Cisco Networking Academy Program First Year Companion Guide Third Edition.

    There are several other ways to recover your password.

    Step 1: Configure the router to start up without reading the configuration memory (NVRAM). This is done from what is sometimes called test system mode, ROM mode, or boot mode.

    Step 2: Reboot the system.

    Step 3: Access enable mode (which can be done without a password if you set the configuration register correctly in Step 1).

    Step 4: View or change the password, or erase the configuration.

    Step 5: Reconfigure the router to boot up and read the NVRAM as it normally does.

    Step 6: Reboot the system.
    Here is a list of recovery techniques for Cisco products.
    Here is a list of password strength testers.

  3. #3
    Senior Member (Join Date: Sep 2001, Posts: 1,027)
    I kind of do the same when remotely tampering (ssh) with my firewall rules on my OpenBSD boxes:
    # cp pf.conf pfnew.conf
    # pico pfnew.conf
    # pfctl -R pfnew.conf; sleep 30; pfctl -R pf.conf

    You have 30 seconds to test the new ruleset (try reconnecting...), then the old ruleset will be reloaded. If in fact you didn't screw up, you can abort the reload with a simple ^C.

    Important note though: if you're using stateful entries, it might give a false impression of working if you don't try to reconnect (i.e. the current ssh session (for example) might still work because it's already established, but you can't establish new sessions...). To be more thorough, you might want to do "pfctl -R pfnew.conf -F states; sleep 30; pfctl -R pf.conf".
    It will kill all current connections and you will HAVE TO re-establish your ssh session, but you won't be mistaken into thinking the new ruleset works when it doesn't!

    Ammo
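As an added example (not from either poster, nor from any project), here is a generic POSIX sh wrapper for the apply-then-auto-revert idea behind both the "reload in X" trick and the pfctl one-liner: the candidate ruleset stays live only if the operator confirms it from a fresh session within the timeout, otherwise the known-good one is restored. apply_ruleset, active_ruleset and the confirmation file are constructed stand-ins for a real pfctl (or router) call.

```shell
#!/bin/sh
# Constructed demo: the "live ruleset" is just a file, so this runs offline.
# In real use apply_ruleset would call pfctl -f (or the equivalent).
ACTIVE="${TMPDIR:-/tmp}/active-ruleset.$$"

# Stand-in for loading a ruleset into the packet filter.
apply_ruleset() {
    cp "$1" "$ACTIVE"
}

# Returns whatever ruleset is currently "loaded" (used to verify the rollback).
active_ruleset() {
    cat "$ACTIVE"
}

# safe_apply CANDIDATE KNOWN_GOOD TIMEOUT CONFIRM_FILE
# Loads CANDIDATE, then waits up to TIMEOUT seconds for CONFIRM_FILE to appear.
# The operator creates CONFIRM_FILE from a *new* login, which proves the new
# rules admit fresh connections and not only the already-established session
# (the stateful-entry caveat from the post above).
# Exit status: 0 confirmed, 1 rolled back to KNOWN_GOOD, 2 load failed.
safe_apply() {
    candidate=$1; known_good=$2; timeout=$3; confirm=$4
    rm -f "$confirm"                       # never honour a stale confirmation
    apply_ruleset "$candidate" || return 2
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0                       # operator reached us through the new rules
        fi
        sleep 1
        waited=$((waited + 1))
    done
    apply_ruleset "$known_good"            # timed out: revert, like the sleep 30 trick
    return 1
}
```

Run it as `safe_apply pfnew.conf pf.conf 30 /tmp/confirm-ok` and, from a second ssh login, `touch /tmp/confirm-ok` before the 30 seconds are up.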
