Password Recovery on Cisco ASA Security Appliance

In this article, I will explain how to perform a password "reset" on your Cisco ASA security appliance. The most commonly used term for this procedure is "password recovery", left over from the days when passwords appeared in configuration files in plain text. Today these passwords are stored encrypted and are not really recoverable. Instead, you gain access to the device through the console port and reset the password(s) to known values.

This procedure requires physical access to the device. You power-cycle the appliance by unplugging it from the power strip and plugging it in again. You then interrupt the boot process and change the configuration register value so that the device does not read its stored configuration at startup. Because the device ignores your saved configuration when it boots, you can reach its configuration modes without a password. Once in configuration mode, you load the saved configuration from flash memory, change the passwords to a known value, set the configuration register back to a value that tells the device to load its saved configuration at startup, and reload the device.

Caution: As with all configuration procedures, test these steps in a lab environment before using them in production to ensure they are suitable for your situation.

The following steps were developed on a Cisco ASA 5505 security appliance. They are not appropriate for a Cisco PIX firewall appliance.

1. Power-cycle your security appliance by removing the plug from the power strip and reinserting it.

2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt: rommon #0>

3. At the rommon prompt, enter the confreg command to view the current value of the configuration register: rommon #0> confreg

4. The current configuration register should be the default 0x01 (it is actually displayed as 0x00000001). The security appliance will ask whether you want to make changes to the configuration register. Answer no when prompted.

5. Change the configuration register to 0x41, which tells the device to ignore its saved (startup) configuration on boot: rommon #1> confreg 0x41

6. Reboot the device with the boot command: rommon #2> boot

7. Notice that the security appliance ignores your startup configuration during the boot process. When it finishes booting, you should see the generic user mode prompt: ciscoasa>

8. Enter the enable command to enter privileged mode. When the device prompts for a password, simply press Enter (at this point the password is blank): ciscoasa> enable Password: ciscoasa#

9. Copy the startup configuration file to the running configuration with the following command: ciscoasa# copy startup-config running-config Destination filename [running-config]?

10. The previously saved configuration is now the active configuration, but because the security appliance is already in privileged mode, you do not lose privileged access. Now enter configuration mode and use the following command to change the privileged mode password to a known value (in this case, we use the password system): asa# conf t asa(config)# enable password system

11. While still in configuration mode, reset the configuration register to the default value of 0x01 so that the security appliance reads its startup configuration at boot: asa(config)# config-register 0x01

12. Use the following commands to view the configuration register setting: asa(config)# exit asa# show version

13. At the bottom of the show version output, you should see the following statement: The configuration register is 0x41 (it will be 0x1 on the next reload)

14. Save the current configuration with the copy run start command so that the changes above are persistent: asa# copy run start Source filename [running-config]?

15. Reload the security appliance: asa# reload The system configuration has been modified. Save? [Y]es/[N]o: yes

Cryptographic checksum: e87f1433 54896e6b 4e21d072 d71a9cbf

2149 bytes copied in 1.480 secs (2149 bytes/sec) Proceed with reload? [confirm]

When your security device reloads, you should be able to use your newly reset password to enter privileged mode.
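Because this procedure works for anyone with console access, a defender will want to notice when an appliance is running with its startup configuration ignored, or has been left that way for its next reload (step 11 exists precisely to undo the 0x41 setting). The following Python script is an added example, not code from the original article or from Cisco: it parses the configuration-register line that step 13 quotes from show version output and flags devices where the register is not back at the default 0x01. The show version excerpts are constructed samples modelled on the article's wording, and the treatment of 0x40 as the "ignore startup-config" bit is an assumption drawn from the article's description of 0x41 versus 0x01.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample excerpts, modelled on the line the article quotes at step 13.
# Real "show version" output contains many more lines; only the register line matters here.
SAMPLE_SHOW_VERSION: Dict[str, str] = {
    "asa-lab-01": "Cisco Adaptive Security Appliance Software\n"
                  "The configuration register is 0x41 (it will be 0x1 on the next reload)\n",
    "asa-lab-02": "Cisco Adaptive Security Appliance Software\n"
                  "Configuration register is 0x1\n",
    "asa-lab-03": "Cisco Adaptive Security Appliance Software\n"
                  "Configuration register is 0x41\n",
}

# Assumption: 0x41 = 0x40 | 0x01, so 0x40 is the bit that makes the appliance
# ignore its startup configuration (the article describes 0x41 that way).
IGNORE_STARTUP_CONFIG_BIT = 0x40
DEFAULT_CONFREG = 0x01

# Matches both "Configuration register is 0x1" and the article's
# "The configuration register is 0x41 (it will be 0x1 on the next reload)".
_CONFREG_RE = re.compile(
    r"configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(it will be (0x[0-9a-fA-F]+) on the next reload\))?",
    re.IGNORECASE,
)


@dataclass
class ConfRegState:
    current: int      # register value in effect for the running system
    next_reload: int  # register value that will apply after the next reload


def parse_config_register(show_version_output: str) -> Optional[ConfRegState]:
    """Extract the current and next-reload configuration register values.

    Returns None when no register line is present in the output.
    """
    match = _CONFREG_RE.search(show_version_output)
    if match is None:
        return None
    current = int(match.group(1), 16)
    # When no "(it will be ... on the next reload)" clause is shown, the
    # value in effect now is also the value used at the next reload.
    next_reload = int(match.group(2), 16) if match.group(2) else current
    return ConfRegState(current=current, next_reload=next_reload)


def audit_device(device: str, show_version_output: str) -> List[str]:
    """Return human-readable findings for one device (empty list = healthy)."""
    findings: List[str] = []
    state = parse_config_register(show_version_output)
    if state is None:
        findings.append(f"{device}: no configuration register line found in show version output")
        return findings
    if state.current & IGNORE_STARTUP_CONFIG_BIT:
        findings.append(
            f"{device}: running with startup-config ignored (register 0x{state.current:x}); "
            "a password reset may be in progress or was left incomplete"
        )
    if state.next_reload & IGNORE_STARTUP_CONFIG_BIT:
        findings.append(
            f"{device}: next reload will ignore startup-config (register 0x{state.next_reload:x}); "
            "set config-register 0x01 and save"
        )
    elif state.next_reload != DEFAULT_CONFREG:
        findings.append(
            f"{device}: non-default register 0x{state.next_reload:x} scheduled for next reload; review"
        )
    return findings


def audit_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every device and return only those with findings."""
    results = {device: audit_device(device, out) for device, out in outputs.items()}
    return {device: f for device, f in results.items() if f}


if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_SHOW_VERSION).items():
        for line in findings:
            print(line)
```

In the constructed samples, asa-lab-01 is in the state the article shows at step 13 (reset done, register corrected for the next reload but still 0x41 now), asa-lab-02 is healthy, and asa-lab-03 has been left ignoring its startup configuration permanently; the audit reports the first and third. In practice you would feed the function the saved output of show version collected from each appliance rather than the inline samples.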

Copyright (c) 2007 Don R. Crawley
