Password Recovery on the Cisco ASA Security Appliance


In this write-up, I'll explain how to perform a password "reset" on your Cisco ASA security appliance. The more commonly used term for this process is "password recovery", which is left over from the days when you could actually view passwords in configuration files in plain text. Today, such passwords are encrypted and not actually recoverable. Instead, you will gain access to the appliance via the console port and reset the password(s) to known values.

This process requires physical access to the device. You will power-cycle your appliance by unplugging it at the power strip and plugging it back in. You will then interrupt the boot process and change the configuration register value to prevent the appliance from reading its stored configuration at boot. Because the device ignores its saved configuration on boot, you are able to access its configuration modes without passwords. Once you're in configuration mode, you will load the saved configuration from flash memory, change the passwords to a known value, change the configuration register value to tell the device to load its saved configuration on boot, and reload the device.

Caution: As with all configuration procedures, these procedures should be tested in a laboratory environment prior to usage in a production environment to ensure suitability for your situation.

The following steps were developed using a Cisco ASA 5505 Security Appliance. They are not appropriate for a Cisco PIX Firewall appliance.

1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.

2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #>).

3. At the rommon prompt, enter the confreg command to view the current configuration register setting: rommon #>confreg

4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer no when prompted.

5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot: rommon #1>confreg 0x41

6. Reset the appliance with the boot command: rommon #2>boot

7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt: ciscoasa>

8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank): ciscoasa>enable Password: ciscoasa#

9. Copy the startup configuration file into the running configuration with the following command: ciscoasa#copy startup-config running-config Destination filename [running-config]?

10. The previously saved configuration is now the active configuration, but because the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we'll use the password system): asa#conf t asa(config)#enable password system

11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot: asa(config)#config-register 0x01

12. Use the following commands to view the configuration register setting: asa(config)#exit asa#show version

13. At the bottom of the output of the show version command, you should see the following statement: Configuration register is 0x41 (will be 0x1 at next reload)

14. Save the current configuration with the copy run start command to make the above changes persistent: asa#copy run start Source filename [running-config]

15. Reload the security appliance: asa# reload System config has been modified. Save? [Y]es/[N]o:yes

Cryptochecksum: e87f1433 54896e6b 4e21d072 d71a9cbf

2149 bytes copied in 1.480 secs (2149 bytes/sec) Proceed with reload? [confirm]

When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.
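
As an added example (not part of the original article), the Python sketch below reads the "Configuration register is ..." line that show version prints in step 13 and flags an appliance that is still set to ignore its startup configuration. The host names and sample outputs are constructed, and treating bit 0x40 as the ignore-startup-config flag is an assumption inferred from the article's 0x41 and 0x01 values.

```python
import re

# Bit that separates the article's 0x41 (ignore startup-config) from the
# default 0x01. Treating 0x40 as the "ignore saved configuration" flag is an
# assumption drawn from those two values.
IGNORE_STARTUP = 0x40

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

def audit_confreg(show_version_text):
    """Classify the config-register state reported by 'show version'."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        raise ValueError("no 'Configuration register is ...' line found")
    current = int(m.group(1), 16)
    # Without a "(will be ...)" clause the next boot uses the current value.
    pending = int(m.group(2), 16) if m.group(2) else current
    now_ignored = bool(current & IGNORE_STARTUP)
    next_ignored = bool(pending & IGNORE_STARTUP)
    if now_ignored and next_ignored:
        state = "bypass-persistent"     # step 11 was never applied
    elif now_ignored:
        state = "recovery-in-progress"  # step 13: corrected at next reload
    elif next_ignored:
        state = "bypass-armed"          # next boot will skip startup-config
    else:
        state = "normal"
    return {"current": current, "next": pending, "state": state}

# Constructed sample outputs (last line of 'show version'), not real captures.
SAMPLES = {
    "fw-lab-1": "Configuration register is 0x1\n",
    "fw-lab-2": "Configuration register is 0x41 (will be 0x1 at next reload)\n",
    "fw-lab-3": "Configuration register is 0x41\n",
    "fw-lab-4": "Configuration register is 0x1 (will be 0x41 at next reload)\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        r = audit_confreg(text)
        print(f"{host}: current={r['current']:#x} next={r['next']:#x} {r['state']}")
```

Any state other than normal on a production appliance means the saved configuration, including its passwords, was or will be skipped at boot and is worth investigating.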

Copyright (c) 2007 Don R. Crawley

