In this article, I'll explain how to perform a password "reset" on your Cisco ASA security appliance. The more commonly used term for this procedure is "password recovery", which is left over from the days when you could actually view passwords in configuration files in plain text. Today, such passwords are encrypted and not actually recoverable. Instead, you will gain access to the appliance via the console port and reset the password(s) to known values.
This procedure requires physical access to the device. You will power-cycle your appliance by unplugging it at the power strip and plugging it back in. You will then interrupt the boot process and change the configuration register value to prevent the appliance from reading its stored configuration at boot. Since the device ignores its saved configuration on boot, you are able to access its configuration modes without passwords. Once you're in configuration mode, you will load the saved configuration from flash memory, change the passwords to a known value, change the configuration register value to tell the device to load its saved configuration on boot, and reload the device.
Caution: As with all configuration procedures, these procedures should be tested in a laboratory environment prior to use in a production environment to ensure suitability for your situation.
The following steps were designed using a Cisco ASA 5505 Security Appliance. They are not suitable for a Cisco PIX Firewall appliance.
1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.
2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).
3. At the rommon prompt, enter the confreg command to view the current configuration register setting:
    rommon #0>confreg
4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer no when prompted.
5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot:
    rommon #1>confreg 0x41
6. Reset the appliance with the boot command:
    rommon #2>boot
7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt:
    ciscoasa>
8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank):
    ciscoasa>enable
    Password:
    ciscoasa#
9. Copy the startup configuration file into the running configuration with the following command:
    ciscoasa#copy startup-config running-config
    Destination filename [running-config]?
10. The previously saved configuration is now the active configuration, but since the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we'll use the password system):
    asa#conf t
    asa(config)#enable password system
11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot:
    asa(config)#config-register 0x01
12. Use the following commands to view the configuration register setting:
    asa(config)#exit
    asa#show version
13. At the bottom of the output of the show version command, you should see the following statement:
    Configuration register is 0x41 (will be 0x1 at next reload)
14. Save the current configuration with the copy run start command to make the above changes persistent:
    asa#copy run start
    Source filename [running-config]
15. Reload the security appliance:
    asa# reload
    System config has been modified. Save? [Y]es/[N]o:yes
    Cryptochecksum: e87f1433 54896e6b 4e21d072 d71a9cbf
    2149 bytes copied in 1.480 secs (2149 bytes/sec)
    Proceed with reload? [confirm]
When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.
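An added example (not part of the original article): a small Python check that reads the "Configuration register is ..." line from saved show version output, as in step 13, and reports whether the appliance will still ignore its startup configuration at the next boot. The 0x40 mask is an assumption taken from the difference between the article's two values (0x41 and 0x01), and the sample captures are constructed.

```python
import re

# Matches the line shown in step 13, with or without a pending value.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)
IGNORE_STARTUP = 0x40  # assumption: the bit that separates 0x41 from 0x01
DEFAULT = 0x01         # default register value named in the article


def check_confreg(show_version_text):
    """Return (status, current, next_boot) for one 'show version' capture."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        return ("unknown", None, None)
    current = int(m.group(1), 16)
    # Without a "will be" clause, the next boot uses the current value.
    next_boot = int(m.group(2), 16) if m.group(2) else current
    if next_boot & IGNORE_STARTUP:
        status = "next-boot-ignores-config"  # would boot with blank passwords
    elif current & IGNORE_STARTUP:
        status = "recovery-in-progress"      # step 13: corrected at next reload
    elif next_boot != DEFAULT:
        status = "non-default"
    else:
        status = "ok"
    return (status, current, next_boot)


# Constructed sample captures (only the relevant line of each).
SAMPLES = {
    "mid-procedure": "Configuration register is 0x41 (will be 0x1 at next reload)",
    "finished": "Configuration register is 0x1",
    "left-open": "Configuration register is 0x41",
    "truncated": "Cisco Adaptive Security Appliance Software",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, cur, nxt = check_confreg(text)
        print(f"{name:14} {status:26} current={cur} next={nxt}")
```

A "next-boot-ignores-config" result means step 11 was skipped or not saved, so the appliance would come up again without its stored passwords.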
Copyright (c) 2007 Don R. Crawley
Password Recovery on the Cisco ASA Security Appliance