How to regain access to a Cisco PIX firewall after locking yourself out

Today I managed to lock myself out of our PIX firewall.  We’re moving to a new network, and I needed to update the internal IP addresses so that it’ll continue serving traffic to our web servers.

What got me in trouble: I had tried changing the inside IP address without enabling DHCP beforehand. No matter which IP address I used, no matter how often I rebooted the PIX, I simply couldn’t get connected back in via telnet.

This took some serious effort which I don’t want to ever have to endure again, so I’m going to note the steps that ended up working for me…

1) Find the blue serial null modem cable (I found it in the box labelled “misc cables” and will put it back there after I’m done).

2) Set up a Linux box that has a serial port next to the PIX. Connect the cable to the PIX console port.

3) On the Linux box, type dmesg | grep tty and look for which device name is being used for the serial port. On this machine it was ttyS0, but it might be something else (a USB-to-serial adapter typically shows up as ttyUSB0).

  • If the only thing that appears is tty0 (which is the console), that might mean that the BIOS has the serial port turned off.   Sure enough, that was my situation.
  • If that’s the case, restart the machine and go into the BIOS, turning it back on.

4) Assuming you found which device is the serial port, try running the following command: cu -l /dev/ttyS0 -s 9600

  • I figured out after a long while that you can’t do this as root, at least not by default. So on my Ubuntu box, I had to exit the root shell and return to my non-privileged account in order to get cu to work properly.
  • If you get a message that cu isn’t installed, go ahead and install it using apt-get install or yum install, depending on which flavor of Linux you’re running (the package is called cu on Debian/Ubuntu and uucp on Red Hat-derived distributions).

5) Once I got connected, the PIX prompted for what name it should be known by, which IP address would be the inside address, the current UTC date, and a couple of other basic things like that. I happily provided them.

6) After I saved the updates and disconnected, I still wasn’t able to telnet into the unit. That left me scratching my head for quite a while: I could ping the unit, but it simply refused to let me connect via telnet. I tried shutting down my local firewall, but to no avail. Finally, after doing some additional digging, I realized I needed to reconnect via the serial connection and tell the PIX which addresses are allowed to telnet in. So I connected back in, went into enable mode, issued conf t, and added this line: telnet 192.168.1.0 255.255.255.0 inside (Note that the .0 at the end of the address, together with the 255.255.255.0 mask, tells the PIX to allow telnetting from any address on the 192.168.1 network.)
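The two places this procedure stalls are step 3 (which tty is the serial port?) and step 6 (what network/mask pair goes on the telnet line?). The script below is an added example, not code from the original post: it parses a constructed sample of dmesg output to list candidate serial ports, and it turns an address in address/prefix form into the PIX telnet line with the host bits cleared, so a host address such as 192.168.1.37/24 comes out as the 192.168.1.0 255.255.255.0 network the post describes, and a /32 comes out as a single management host. The sample dmesg text and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the two places this
# procedure goes wrong, finding the serial port (step 3) and writing the PIX
# telnet line with a proper network address (step 6).

# Constructed sample of dmesg output (made up for this example, not captured
# from the author's machine). tty0 is the VGA console; ttyS0 is an onboard
# 16550 UART; ttyUSB0 is a USB-to-serial adapter.
SAMPLE_DMESG='[    0.000000] console [tty0] enabled
[    1.234567] serial8250: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    2.345678] usb 1-1: pl2303 converter now attached to ttyUSB0'

# Read dmesg-style text on stdin and print each serial port name once
# (ttyS* for onboard UARTs, ttyUSB* for USB adapters). tty0 is deliberately
# not matched: if nothing prints, the BIOS may have the serial port disabled,
# which was the author's situation.
serial_ports_from_dmesg() {
    grep -oE 'tty(S|USB)[0-9]+' | sort -u
}

# Dotted-quad address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) to an integer netmask.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Turn "address/prefix" (a bare address is treated as /32) into the PIX
# command "telnet <network> <mask> <interface>". The host bits are cleared,
# so 192.168.1.37/24 becomes 192.168.1.0 255.255.255.0 (the ".0" the post
# mentions), while a /32 permits exactly one management host, which exposes
# far less than opening the whole inside subnet.
pix_telnet_line() {
    cidr=$1
    iface=${2:-inside}
    case $cidr in
        */*) addr=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   addr=$cidr;      prefix=32 ;;
    esac
    mask=$(prefix2mask "$prefix")
    net=$(( $(ip2int "$addr") & mask ))
    printf 'telnet %s %s %s\n' "$(int2ip "$net")" "$(int2ip "$mask")" "$iface"
}

# Walk-through with the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | serial_ports_from_dmesg   # ttyS0 and ttyUSB0
pix_telnet_line 192.168.1.37/24 inside                     # whole /24, as in the post
pix_telnet_line 192.168.1.37/32 inside                     # one management host only
```

Run it as the non-root user that owns the console session, then paste the printed telnet line into conf t and follow it with write memory so it survives a reboot. Telnet carries the login and enable passwords in cleartext across the inside network, so keep the permitted range as narrow as the management hosts require; on PIX software that supports SSH, the ssh command takes the same address, mask and interface arguments and is the better choice once an RSA key has been generated on the unit.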

After a full day of wrestling with this issue, I’m finally back online.  Hope this helps someone avoid the same pitfalls.
