Cisco ASA Password Recovery Procedure

To recover passwords for the ASA, perform the following steps:

Step 1: Connect to the ASA console port, either directly or remotely if console access is provided through out-of-band (OOB) management.

Step 2: Power off the ASA, and then power it on, or ask an engineer at the remote site to do that for you.

Step 3: After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step 4: To update the configuration register value, enter the following command:

rommon #1> confreg 0x41
 Update Config Register (0x41) in NVRAM...

Step 5: To set the ASA to ignore the startup configuration, enter the following command:

rommon #1> confreg

The ASA displays the current configuration register value, and asks whether you want to change it:

Current Configuration Register: 0x00000001
Configuration Summary:
 boot default image from Flash

Do you wish to change this configuration? y/n [n]: y
 enable boot to ROMMON prompt? y/n [n]:
 enable TFTP netboot? y/n [n]:
 enable Flash boot? y/n [n]:
 select specific Flash image index? y/n [n]:
 disable system configuration? y/n [n]: y
 go to ROMMON prompt if netboot fails? y/n [n]:
 enable passing NVRAM file specs in auto-boot mode? y/n [n]:
 disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040
Configuration Summary:
 boot ROMMON
 ignore system configuration

Update Config Register (0x40) in NVRAM...

Step 5: Reload the box

rommon #1> boot
 Launching BootLoader...
 Boot configuration file contains 1 entry.
 Loading disk0:/asa800-226-k8.bin... Booting...Loading...

The ASA loads the default configuration instead of the startup configuration.

Step 6: Access the privileged EXEC mode by entering the following command:

ciscoasa> enable

Step 7: When prompted for the password, press Enter.

The password is blank.

Step 8: Load the startup configuration by entering the following command:

ciscoasa# copy startup-config running-config

Step 9: Access the global configuration mode by entering the following command:

ciscoasa# configure terminal

Step 10: Change the passwords, as required, in the default configuration by entering the following commands:

ciscoasa(config)# username userlogin password mypassword privilege 15
ciscoasa(config)# enable password password
ciscoasa(config)# config-register 0x00000001

or

ciscoasa(config)# no config-register

The default configuration register value is 0x1.

Step 11: Load the default configuration by entering the following command:

Step 12: Save the new passwords to the startup configuration by entering the following command:

ciscoasa(config)# copy running-config startup-config

ciscoasa# wr mem

ciscoasa# reload

Proceed with reload? [confirm]

***
 *** --- START GRACEFUL SHUTDOWN ---
 Shutting down isakmp
 Shutting down webvpn
 Shutting down File system

***
 *** --- SHUTDOWN NOW ---

Rebooting....
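
A check for the end state of Step 10, added here as an example and not part of the original procedure: if the register is left with the 0x40 bit set, the ASA ignores the startup configuration on every boot and comes up with the blank enable password. The function name, the sample device names and the assumed "Configuration register is ..." line format from "show version" are assumptions of this example.

```python
import re

# Register bits as named in the ROMMON summaries of the procedure above.
IGNORE_STARTUP_CONFIG = 0x40  # "ignore system configuration"
DEFAULT_CONFREG = 0x1         # "boot default image from Flash"

# Assumption: the register line as printed in "show version" output.
CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def audit_confreg(show_version_text):
    """Return (current, next_boot, findings) for one device's output."""
    match = CONFREG_LINE.search(show_version_text)
    if match is None:
        return None, None, ["no configuration register line found"]
    current = int(match.group(1), 16)
    # Without a pending change, the next boot uses the current value.
    next_boot = int(match.group(2), 16) if match.group(2) else current
    findings = []
    if next_boot & IGNORE_STARTUP_CONFIG:
        findings.append("next boot ignores startup-config (blank enable password)")
    elif current & IGNORE_STARTUP_CONFIG:
        findings.append("booted without startup-config; reset takes effect on reload")
    if next_boot != DEFAULT_CONFREG and not next_boot & IGNORE_STARTUP_CONFIG:
        findings.append("non-default register 0x%x at next boot" % next_boot)
    return current, next_boot, findings


# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "fw-reset-pending": "Configuration register is 0x41 (will be 0x1 at next reload)",
    "fw-left-in-recovery": "Configuration register is 0x41",
    "fw-normal": "Configuration register is 0x1",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        current, next_boot, findings = audit_confreg(text)
        status = "; ".join(findings) if findings else "ok"
        print("%-20s current=0x%x next=0x%x  %s" % (name, current, next_boot, status))
```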
