Note: This procedure allows you to reset the password WITHOUT LOSING THE CONFIG
You need to access a Cisco ASA device and do not have the passwords, there can be lots of reasons for this, lack of good documentation, bought a second hand firewall, the last firewall admin never told anyone etc.
This method does require physical access to the ASA, a console cable, and a machine running some terminal emulation software.
Note: This procedure is for Cisco ASA 5500-X and ASA 5500 Firewalls, for Cisco PIX go here, and Cisco Catalyst go here.
Password Recovery ASA5505-X
Password Recovery ASA 5500
Password Recovery / Reset Procedure for ASA 5500-X/5500 Firewalls
Below is a run though on changing the Cisco ASA passwords (setting them to blank then changing them to something else). Basically you boot the ASA to its very basic shell operating system (ROMMON) then force it to reboot without loading its configuration. At this point you can load the config, without having to enter a password, manually change all the passwords, and finally set the ASA to boot properly again.
Below I’ve used both HyperTerminal and Putty to do the same thing, you can use either, or another terminal emulation piece of software, the procedure is the same.
1. Connect to the the ASA via a console cable (settings 9600/8/None/1/None).
2. Reboot the ASA, and as it boots press Esc to interrupt the normal boot sequence and boot to ROMMON mode.
3. Execute the “confreg” command and take a note of the number that’s listed (copy it to notepad to be on the safe side).
4. Answer the questions as follows (Note: Just pressing Enter will supply the default answer). Answer no to all apart from the TWO listed below:
ON AN ASA 5500-X (Slightly Different)
do you wish to change the configuration? y/n [n]: Y<<< THIS ONE disable “password recovery”? y/n [n]: n disable “display break prompt”? y/n [n]: n enable “ignore system configuration”? y/n [n]: Y<<< AND THIS ONE disable “auto-boot image in disks”? y/n [n]: n change console baud rate? y/n [n]: n select specific image in disks to boot? y/n [n]: n
ON AN ASA 5500
Do you wish to change this configuration? y/n [n]:Y<<< THIS ONE enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]: disable system configuration? y/n [n]: Y<<< AND THIS ONE go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
5. You may notice, that the configuration register has changed, on an ASA 5500 to 0x00000040, or on an ASA5505-X to 0x00000041, to boot the firewall execute the “boot” command.
6. This time when the ASA boots it will start with a {blank} enable password, you can load the normal config into memory with a “copy startup-config running-config” command.
7. Now you are in enable mode with the correct config loaded, you can change the passwords, and once completed, change the configuration register setting back with a config-register {paste in the number you saved earlier} command, or simply a no config-register command. Save the changes, (write mem) and reboot the firewall.
Related Articles, References, Credits, or External Links
Unless your firewall is brand new (in which case the passwords will either be {blank} or cisco), to access a Cisco firewall you will need a password, (this stands to reason it is a security device after all!).
Cisco Firewall Usernames
As for usernames, with a few exceptions, you do not USUALLY need a username. Those exceptions being;
Access via SSH needs a username (before version 8.4 you could use the username pix, and the Telnet password, this no longer works).
If you have set up authentication to be done by AAA.
Cisco Firewall Forgotten Password Recovery
If you do not know the password then you need to perform some password recovery.
Cisco ASA – Methods of Access.
1. Console Cable: This uses the rollover cable that came with the firewall, They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them. The older ones have a grey network to serial converter that plugs on the end. Access is via some Terminal Emulation Software, e.g. PuTTy or HyperTerminal. This method of access is enabled by default, but requires physical access to the devices console port.
2. Telnet: This simply allows connection via a telnet client, all versions of Windows have one, though Microsoft have done a good job of Hiding it in Windows 7. You can also use PuTTy, HyperTerminal, or another third party telnet client. This is considered the LEAST SECURE method of connection, (as passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).
3. Web Browser: (How the vast majority of people access the firewall). Depending on the age and version of the firewall dictates what “Web Server” you are connecting to, devices running Version 7 and above use the “Adaptive Security Device Manager”. Cisco firewalls running an Operating system of version 6 and below use the “PIX Device Manager”. Both the ADSM and the PDM have a similar look and feel, and both require you have to Java installed and working.
4. SSH: Secure Sockets Handshake: This is sometimes called “secure telnet” as it does not send passwords and user names in clear text. It requires you supply a username and a password. Firewalls running an OS older than 8.4 can use the username of pix and the telnet password. After version 8.4 you need to enable AAA authentication and have a username and password setup for SSH access.
5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install from the CD that came with the firewall).
Cisco ASA Remote Management via VPN
Even if you allow traffic for a remote subnet, there are additional steps you need to take to allow either a remote client VPN session, or a machine at another site that’s connected via VPN. Click here for details.
Solution
Connecting to a Cisco Firewall Using a Console Cable
Obviously before you start you will need a console cable, you CAN NOT use a normal network cable, OR a crossover cable as they are wired differently! They are wired the opposite way round at each end, for this reason some people (and some documentation) refer to them as rollover cables. They are usually Pale blue (or black). Note if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight through network cable.
On each end of the console cable the wiring is reversed.
Old (Top) and New (Bottom) versions of the Console Cable.
Note: If you don’t have a serial socket on your PC or Laptop you will need a USB to Serial converter (this will need a driver installing to add another COM Port to the PC).
Option 1 Using PuTTY for Serial Access.
1. Connect your console cable, then download and run PuTTy. (I’m assuming you are using the COM1 socket on your machine, if you have multiple serial sockets then change accordingly).
2. By default PuTTy will connect with the correct port settings, if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.
3. You will be connected. (Note: The password you see me entering below is the enable password).
Option 2 Using HyperTerminal for Serial Access
1. Connect your console cable, then download install and run HyperTerminal. (Note: With Windows XP and older it’s included with Windows, look in > All Programs > Communications). Give your connection a name > OK.
2. Change the ‘Connect Using’ option to COM1 > OK.
3. Set the connection port settings from top to bottom, they are, 9600, 8, None, 1, None > Apply > OK.
4. You will be connected. (Note: The password you see me entering below is the enable password).
Connecting to a Cisco Firewall via Telnet
To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note Windows 7/2008/Vista needs to have telnet added.
Option 1 Use Windows Telnet Client for Firewall Access
1. Ensure you have a network connection to the firewall and you know its IP address > Start.
2. In the search/run box type cmd {enter}.
3. Execute the telnet command followed by the IP address of the firewall.
Also to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Click “Run ASDM” (older versions say ‘Run ADSM Applet’). Note: for information on the other option ‘Install ASDM launcher…’ see connecting via ASDM).
The Startup Wizard is for setting up a new firewall, I don’t recommend you ever use this unless you follow this guide.
4. You might receive a few Java warning messages, answer them in the affirmative.
Note: After version 8.4 you can only access the Cisco ASA using AAA authentication, see here. Prior to version 8.4 you can use the username of ‘pix’ and the firewall’s telnet password.
1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.
2. Tick SSH > enter the IP address of the firewall > Open.
3. The first time you connect you will be asked to accept the certificate > Yes.
4. You will be connected, supply the username and password configured for AAA access., (or username pix and the telnet password if you are older than version 8.4).
Connecting to a Cisco Firewall via ASDM Client Software
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Select ‘Install ASDM Launcher and Run ASDM’.
4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.
5. Run (or save if you want to install manually later).
6. Accept all the defaults.
7. The ASDM, will once again ask for the password. (By default it will place a shortcut on the desktop for the next time you need to access the firewall).
8. The ASDM will launch and you will be connected.
Connecting to a Cisco Firewall via Pix Device Manager
1. Open your web browser and navigate to the following,
https://{inside IP address of the firewall}
Note if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.
IE6 Users will see this instead
2. If Prompted leave the username blank, and the password is the firewall’s enable password.
Note if you are using AAA you might need to enter a username and password.
3. You will see this.
4.You might receive a few Java warning messages, answer them in the affirmative, on some newer versions of Java you may also need to enter the password a second time.
5. The PDM opens. You are successfully connected.
Related Articles, References, Credits, or External Links
I noticed the alarm light was lit amber on an SRX240 Juniper firewall.
Solution
This will not serve as a solution to every alarm on the SRX, but it should point you where to look, and show you how to resolve the two problems I identified on my firewall.
View SRX Alarm Status in J-Web
The status is displayed on the ‘Dashboard’ tab, here you can see I’ve got two minor alarms.
View SRX Alarm Status at Command Line
If connected via console cable or SSH.
[box]
root@FW-02> show system alarms
2 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved
2014-08-26 21:52:14 GMT Minor Rescue configuration is not set
[/box]
Juniper SRX – Rescue Information Is Not Set (J-Web)
This one is easy to fix in J-Web, Maintain > Config Management Rescue > Set Rescue Configuration.
Then click OK.
Juniper SRX – Rescue Information Is Not Set (Command Line)
To do the same via console cable or SSH.
[box]
root@FW-02> request system configuration rescue save
[/box]
Juniper SRX – Autorecovery Information Needs To Be Saved (Command Line)
Despite my best efforts I could not locate how to do this in the GUI, so I had to use command line.
[box]
root@FW-02> show system alarms
1 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved
root@FW-02> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@FW-02>
[/box]
Related Articles, References, Credits, or External Links
It’s not often I work on Cisco routers, but as I tend to do most of the Cisco ASA Firewalls, I’m the unofficial “Cisco Guy”. Which is fine until someone wants a router or some complex switching, then I need to do some heavy duty frowning.
Last time I put in a Cisco router it was a baby Cisco 800 series (an 877W) so I assumed the 1921 ISR router I had to put in would be the same. Before I used the Cisco SDM console that’s now either depreciated or not used, and a quick look in the flash memory of the router told me there was nothing in there apart from the IOS.
Now for all your web based router needs, you use the “Cisco Configuration Professional” software, it comes in two flavours:
1. Express – this installs on the router itself and is a cut down version.
2. PC Version – the full suite of tools installs on a Windows PC (that has Java installed) Note: is does NOT need anything else installing on the router.
To download the software you will need a valid Cisco CCO login and a valid support contract (or SmartNet) for your router. (download link).
Solution
1. Using the console cable provided with your router connect a PC/Laptop to the router and access using Hyperterminal or PuTTy, (See here for details).
2. Connect an ethernet port to your LAN, we are going to configure it to get an IP from DHCP (assuming you have DHCP of course if not give is a static IP address).
3. While connected via console cable, go to enable mode, set the ether net port you connected to DHCP, then configure Telnet and SSH login, and finally allow HTTP access.
Note: If you get an error message like “IP address may not be configured on L2 Links” then assign the IP address to the VLAN (usually, but not always VLAN 1).This is seen on smaller 800 series routers, to resolve also make sure the Ethernet port is NOT shutdown like this;
[box]
interface FastEthernet0
! <<<<<<<Note: Make sure the Ethernet ports you will use are NOT in a shutdown state!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192168.1..1 255.255.255.0 <<<Or use DHCP as appropriate
[/box]
4. So all being well, this is what you should see if you issue a “show run” command.
5. Lets make sure it got an IP address with “show ip interface”.
6. Install CCP on you PC and launch it > Select “Manage Devices” > Enter the IP, username and password you set earlier > OK.
7. If discovery fails make sure you’re cabled correctly and select “Discover”.
8. It connects over https so it’s normal to see this, just click yes.
9. You can now configure the router as required.
10. If you have the Security/Firewall IOS you can also manage that from here.
Related Articles, References, Credits, or External Links
There are many different versions of PIX and ASA Firewalls. So, if you want to get a backup of the configuration and save it elsewhere, (so in the event of a failure, (or more likely someone tinkering and breaking the firewall)). you will be able to recall and restore that configuration. By far the easiest method is to use a TFTP server – and it works on ALL versions, so learn it once and use it many times.
Note: Some people flatly refuse to use command line, if that’s you, you can also backup and restore from the ASDM click here.
OK for starters you need to get a TFTP server – while this sounds very grand, its a little piece of software that will run on just about any windows PC, I use an application called 3CDeamon and I’ve put information on how to get it and how to set it up (about 5 min’s work) HERE. Or if you have a Mac it’s built in.
I’ll assume at this point you have the TFTP server installed and running, and you know the IP address of machine that’s running it.
NOTE: TFTP uses UDP Port 69, if you have firewalls in between the one you are working on, and the TFTP server then this port needs to be open.
2. To back up the firewall you need to specify the IP address of where you want to send it(i.e. the TFTP server), what you want to call the backup, and you tie them together with a “Write Net” command. The syntax is,
write net {ip address}:{filename}
[box]
Petes-ASA# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
Petes-ASA#
[/box]
3. On your TFTP server you will see that a file has been received.
4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore.
Restore
1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.
3. Enter configuration mode using the “conf t” command.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
4. Unlike when you backed up the firewall to restore the configuration you use the copy tftp start command.
[box]
Petes-ASA(config)# copy tftp start
[/box]
5. Supply it with the IP address of your TFTP Server.
[box]
Address or name of remote host []? 172.254.1.2
[/box]
6. Supply it with the name of the file you backed up earlier.
[box]
Source filename []? firewall_backup
[/box]
7. The file will get copied over.
[box]
Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
Petes-ASA(config)#
[/box]
8. On your TFTP server you will see the file being “copied out”
9. Not finished yet, the file now lives in the “Startup” configuration so its not been loaded from memory yet, the best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter.
[box]
Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
Petes-ASA(config)#
*** *** — START GRACEFUL SHUTDOWN — Shutting down isakmp Shutting down webvpn Shutting down File system
** *** — SHUTDOWN NOW —
[/box]
10. After the reboot, you will be running on the restored configuration.
Note: With a Version 6 Firewall – restoring a config from TFTP simply “Merges” the new one with the config on the firewall, in most cases this is NOT what you want, to get round this place the following command at the top of the config you are restoring
clear config all
Backup a Cisco 5500 firewall from the ASDM
1. Connect to the firewall via ASDM, then Tools > Backup Configuration > Browse to a Location to Save the File > If you have certificates to backup, then choose and confirm a password > OK.
2. Watch the progress > Close > OK.
Restore a Cisco 5500 firewall from the ASDM
1. Connect to the firewall via ASDM, then Tools > Restore Configuration >Browse to the .zip file you saved earlier > Select File > Next > Restore.
2. If you are restoring certificates enter the password you used above > OK > Then choose whether to ‘replace‘ the config on the firewall, or ‘merge‘ the restored config with the one on the firewall.
3. The ASDM will detect theres been a change, just drag that window to one side, Wait for the restore to finish > Close. You will probably need to reconnect to the firewall now.
Related Articles, References, Credits, or External Links