Cisco ASA – Password Recovery / Reset


KB ID 0000572 Dtd 17/02/12


You need to access a Cisco ASA device and do not have the passwords, there can be lots of reasons for this, lack of good documentation, bought a second hand firewall, the last firewall admin never told anyone etc.

This method does require physical access to the ASA, a console cable, and a machine running some terminal emulation software.

Note: This procedure is for Cisco ASA 5500 Firewalls, for Cisco PIX go here, and Cisco Catalyst go here.


Password Recovery / Reset Procedure for ASA 5500 Firewalls

Below is a run though on changing the Cisco ASA passwords (setting them to blank then changing them to something else). Basically you boot the ASA to its very basic shell operating system (ROMMON) then force it to reboot without loading its configuration. At this point you can load the config, without having to enter a password, manually change all the passwords, and finally set the ASA to boot properly again.

Below I’ve used both HyperTerminal and Putty to do the same thing, you can use either, or another terminal emulation piece of software, the procedure is the same.

1. Connect to the the ASA via a console cable (settings 9600/8/None/1/None).

Hyperterminal cisco settings

2. Reboot the ASA, and as it boots press Esc to interrupt the normal boot sequence and boot to ROMMON mode.

Note: HyperTerminal does not send the Esc keystroke properly, if you use HyperTerminal you need to press CTRL+Break.


3. Execute the "confreg" command and take a note of the number that’s listed (copy it to notepad to be on the safe side).

ASA configuration register - confreg

4. Answer the questions as follows (Note: Just pressing Enter will supply the default answer). Answer no to all apart from the TWO listed below:

Do you wish to change this configuration? y/n [n]: Y <<< THIS ONE
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]:
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Cisco ASA Change confreg

5. You may notice, that the configuration register has changed, to boot the firewall execute the "boot" command.

Boot Cisco ASA

6. This time when the ASA boots it will start with a {blank} enable password, you can load the normal config into memory with a "copy startup-config running-config" command.

Cisco Blank Password

7. Now you are in enable mode with the correct config loaded, you can change the passwords, and once completed, change the configuration register setting back with a config-register {paste in the number you saved earlier} command.


Cisco ASA change passwords


Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset

Cisco PIX (500 Series) Password Recovery / Reset

Cisco Router – Password Recovery /Bypass

Author: Migrated

Share This Post On