Note: This procedure allows you to reset the password WITHOUT LOSING THE CONFIG
You need to access a Cisco ASA device and do not have the passwords, there can be lots of reasons for this, lack of good documentation, bought a second hand firewall, the last firewall admin never told anyone etc.
This method does require physical access to the ASA, a console cable, and a machine running some terminal emulation software.
Note: This procedure is for Cisco ASA 5500-X and ASA 5500 Firewalls, for Cisco PIX go here, and Cisco Catalyst go here.
Password Recovery ASA5505-X
Password Recovery ASA 5500
Password Recovery / Reset Procedure for ASA 5500-X/5500 Firewalls
Below is a run though on changing the Cisco ASA passwords (setting them to blank then changing them to something else). Basically you boot the ASA to its very basic shell operating system (ROMMON) then force it to reboot without loading its configuration. At this point you can load the config, without having to enter a password, manually change all the passwords, and finally set the ASA to boot properly again.
Below I’ve used both HyperTerminal and Putty to do the same thing, you can use either, or another terminal emulation piece of software, the procedure is the same.
1. Connect to the the ASA via a console cable (settings 9600/8/None/1/None).
2. Reboot the ASA, and as it boots press Esc to interrupt the normal boot sequence and boot to ROMMON mode.
3. Execute the “confreg” command and take a note of the number that’s listed (copy it to notepad to be on the safe side).
4. Answer the questions as follows (Note: Just pressing Enter will supply the default answer). Answer no to all apart from the TWO listed below:
ON AN ASA 5500-X (Slightly Different)
do you wish to change the configuration? y/n [n]: Y<<< THIS ONE disable “password recovery”? y/n [n]: n disable “display break prompt”? y/n [n]: n enable “ignore system configuration”? y/n [n]: Y<<< AND THIS ONE disable “auto-boot image in disks”? y/n [n]: n change console baud rate? y/n [n]: n select specific image in disks to boot? y/n [n]: n
ON AN ASA 5500
Do you wish to change this configuration? y/n [n]:Y<<< THIS ONE enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]: disable system configuration? y/n [n]: Y<<< AND THIS ONE go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
5. You may notice, that the configuration register has changed, on an ASA 5500 to 0x00000040, or on an ASA5505-X to 0x00000041, to boot the firewall execute the “boot” command.
6. This time when the ASA boots it will start with a {blank} enable password, you can load the normal config into memory with a “copy startup-config running-config” command.
7. Now you are in enable mode with the correct config loaded, you can change the passwords, and once completed, change the configuration register setting back with a config-register {paste in the number you saved earlier} command, or simply a no config-register command. Save the changes, (write mem) and reboot the firewall.
Related Articles, References, Credits, or External Links
Quite a while ago I wrote the “Connecting to and managing Cisco firewalls” article, which is still pretty complete, but I’ve been asked on a few occasions, “How do I actually configure the firewall to allow remote administration via, SSH, or HTTPS/ASDM, or Telnet
If you have no network connection to the firewall, then you will need to connect via console cable (CLICK HERE).
Solution
Cisco ASA Allow SSH – Via Command Line
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine, or a whole network, the syntax is “ssh {ip address} {subnet mask} {interface that you will be connecting to}.
[box]
The following will just allow one external host (123.123.123.123).
PetesASA(config)# ssh 192.168.1.10 255.255.255.255 outsideThe following will just allow a whole internal network 192.168.1.1 to 254
PetesASA(config)# ssh 192.168.1.0 255.255.255.0 inside
[/box]
3. You will need to create a username and password for SSH access, then set SSH to use the LOCAL database to check of usernames and passwords, (unless you are using LDAP, RADIUS, TACACS, or Kerberos for authentication.)
4. By default the SSH session times out after 5 mins, I prefer to change this to 45 minutes.
[box]
PetesASA(config)# ssh timeout 45
[/box]
5. To encrypt the SSH access you need to have an RSA keypair on the firewall, (Note: this is generated from the firewall’s host name, and its domain name, if you ever change either, the keypair will break, and SSH access will cease until the keypair is re-created). To create a key issue a “crypto key generate rsa” command;
[box]
PetesASA(config)# crypto key generate rsa mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
PetesASA(config)#
[/box]
Note: I set the key size to 2048, this is considered good practice
7. Lastly, save the changes with a “write mem” command;
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Cisco ASA Allow SSH – Via ASDM (version shown 6.4(7))
1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select SSH > Supply the IP and subnet > OK. (Note you can set both the timeout, and the SSH versions you will accept, on this page also). Note you still need to generate the RSA Key (See step 5 above, good luck finding that in the ASDM – see the following article).
Cisco ASA – Enable AAA for SSH (Local Database) ASDM version 6.4(7)
Cisco ASA – Add a User to the Local Database
Cisco ASA – Allow HTTPS/ASDM – Via Command Line
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password: *******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine or a whole network, the syntax is “http {ip address} {subnet mask} {interface that it’s connected to}.
[box]
The following will just allow one host (192.168.1.10).
PetesASA(config)# http 192.168.1.10 255.255.255.255 inside
The following will just allow a whole network 192.168.1.1 to 254
PetesASA(config)# http 192.168.1.0 255.255.255.0 inside
[/box]
3. Unlike telnet and SSH, HTTPS/ADSM access is via the firewalls enable password (Unless you have enabled AAA logon). this password is set with the “enable password {password}” command. (Note: You will already have entered this password in step 1, only do this if you wish to change it).
[box]
PetesASA(config)# enable password PASSWORD123
[/box]
4. You need to make sure that HTTPS access is enabled with a “http server enable” command.
[box]
PetesASA(config)# http server enable
Note: if your port forwarding https on your firewall you will NOT be able to get access externally unless you put it on a different port (i.e.1234).
PetesASA(config)# http server enable 1234
[/box]
5. Lastly, save the changes with a “write mem” command.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
OK, the title of this might raise an eyebrow, but if you have access to the ASDM and you want to grant access to another IP/Network them you might want to do this. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select ASDM/HTTPS > Supply the IP and subnet > OK. (Note: You can also enable and disable the http Server here and change its port number).
Cisco ASA Allow Telnet – Via Command Line
WARNING: Telenet is insecure, if possible don’t use it, (usernames and password are sent unencrypted.)
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password: *******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine, or a whole network, the syntax is “telnet {ip address} {subnet mask} {interface that its connected to}.
[box]
The following will just allow one host (192.168.1.10).
PetesASA(config)# telnet 192.168.1.10 255.255.255.255 insideThe following will just allow a whole network 192.168.1.1 to 254
PetesASA(config)# telnet 192.168.1.0 255.255.255.0 inside
[/box]
3. To set the password you use the “passwd” command (yes that’s spelled correctly).
[box]
PetesASA(config)# passwd PASSWORD123
[/box]
4. By default the telnet session times out after 5 mins, I prefer to change this to 45 minutes.
[box]
PetesASA(config)# telnet timeout 45
[/box]
5. Lastly, save the changes with a “write mem” command.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Allow Telnet – Via ASDM (version shown 6.4(7))
1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select Telnet > Supply the IP and subnet > OK. (Note you can set the timeout on this page also).
Related Articles, References, Credits, or External Links
Unless your firewall is brand new (in which case the passwords will either be {blank} or cisco), to access a Cisco firewall you will need a password, (this stands to reason it is a security device after all!).
Cisco Firewall Usernames
As for usernames, with a few exceptions, you do not USUALLY need a username. Those exceptions being;
Access via SSH needs a username (before version 8.4 you could use the username pix, and the Telnet password, this no longer works).
If you have set up authentication to be done by AAA.
Cisco Firewall Forgotten Password Recovery
If you do not know the password then you need to perform some password recovery.
Cisco ASA – Methods of Access.
1. Console Cable: This uses the rollover cable that came with the firewall, They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them. The older ones have a grey network to serial converter that plugs on the end. Access is via some Terminal Emulation Software, e.g. PuTTy or HyperTerminal. This method of access is enabled by default, but requires physical access to the devices console port.
2. Telnet: This simply allows connection via a telnet client, all versions of Windows have one, though Microsoft have done a good job of Hiding it in Windows 7. You can also use PuTTy, HyperTerminal, or another third party telnet client. This is considered the LEAST SECURE method of connection, (as passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).
3. Web Browser: (How the vast majority of people access the firewall). Depending on the age and version of the firewall dictates what “Web Server” you are connecting to, devices running Version 7 and above use the “Adaptive Security Device Manager”. Cisco firewalls running an Operating system of version 6 and below use the “PIX Device Manager”. Both the ADSM and the PDM have a similar look and feel, and both require you have to Java installed and working.
4. SSH: Secure Sockets Handshake: This is sometimes called “secure telnet” as it does not send passwords and user names in clear text. It requires you supply a username and a password. Firewalls running an OS older than 8.4 can use the username of pix and the telnet password. After version 8.4 you need to enable AAA authentication and have a username and password setup for SSH access.
5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install from the CD that came with the firewall).
Cisco ASA Remote Management via VPN
Even if you allow traffic for a remote subnet, there are additional steps you need to take to allow either a remote client VPN session, or a machine at another site that’s connected via VPN. Click here for details.
Solution
Connecting to a Cisco Firewall Using a Console Cable
Obviously before you start you will need a console cable, you CAN NOT use a normal network cable, OR a crossover cable as they are wired differently! They are wired the opposite way round at each end, for this reason some people (and some documentation) refer to them as rollover cables. They are usually Pale blue (or black). Note if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight through network cable.
On each end of the console cable the wiring is reversed.
Old (Top) and New (Bottom) versions of the Console Cable.
Note: If you don’t have a serial socket on your PC or Laptop you will need a USB to Serial converter (this will need a driver installing to add another COM Port to the PC).
Option 1 Using PuTTY for Serial Access.
1. Connect your console cable, then download and run PuTTy. (I’m assuming you are using the COM1 socket on your machine, if you have multiple serial sockets then change accordingly).
2. By default PuTTy will connect with the correct port settings, if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.
3. You will be connected. (Note: The password you see me entering below is the enable password).
Option 2 Using HyperTerminal for Serial Access
1. Connect your console cable, then download install and run HyperTerminal. (Note: With Windows XP and older it’s included with Windows, look in > All Programs > Communications). Give your connection a name > OK.
2. Change the ‘Connect Using’ option to COM1 > OK.
3. Set the connection port settings from top to bottom, they are, 9600, 8, None, 1, None > Apply > OK.
4. You will be connected. (Note: The password you see me entering below is the enable password).
Connecting to a Cisco Firewall via Telnet
To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note Windows 7/2008/Vista needs to have telnet added.
Option 1 Use Windows Telnet Client for Firewall Access
1. Ensure you have a network connection to the firewall and you know its IP address > Start.
2. In the search/run box type cmd {enter}.
3. Execute the telnet command followed by the IP address of the firewall.
Also to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Click “Run ASDM” (older versions say ‘Run ADSM Applet’). Note: for information on the other option ‘Install ASDM launcher…’ see connecting via ASDM).
The Startup Wizard is for setting up a new firewall, I don’t recommend you ever use this unless you follow this guide.
4. You might receive a few Java warning messages, answer them in the affirmative.
Note: After version 8.4 you can only access the Cisco ASA using AAA authentication, see here. Prior to version 8.4 you can use the username of ‘pix’ and the firewall’s telnet password.
1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.
2. Tick SSH > enter the IP address of the firewall > Open.
3. The first time you connect you will be asked to accept the certificate > Yes.
4. You will be connected, supply the username and password configured for AAA access., (or username pix and the telnet password if you are older than version 8.4).
Connecting to a Cisco Firewall via ASDM Client Software
1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.
2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.
3. Select ‘Install ASDM Launcher and Run ASDM’.
4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.
5. Run (or save if you want to install manually later).
6. Accept all the defaults.
7. The ASDM, will once again ask for the password. (By default it will place a shortcut on the desktop for the next time you need to access the firewall).
8. The ASDM will launch and you will be connected.
Connecting to a Cisco Firewall via Pix Device Manager
1. Open your web browser and navigate to the following,
https://{inside IP address of the firewall}
Note if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.
IE6 Users will see this instead
2. If Prompted leave the username blank, and the password is the firewall’s enable password.
Note if you are using AAA you might need to enter a username and password.
3. You will see this.
4.You might receive a few Java warning messages, answer them in the affirmative, on some newer versions of Java you may also need to enter the password a second time.
5. The PDM opens. You are successfully connected.
Related Articles, References, Credits, or External Links
The following is by no means an extensive list of everything that can be done. It’s just a run though of what I would consider ‘good practice’.
Solution
Create a user for SSH and Remove Shell access for the ‘root’ user.
1. Connect to the server via SSH or open a terminal session and su to root. Create a new user then set and confirm the new users password.
[box] useradd {username}
passwd {username} [/box]
2. Test access for your new user.
3. To make changes to shell access, you need to edit the sshd_config file, to do that I’m using the nano editor.
Note: If you do not have nano installed, run ‘yum install nano’.
[box] nano /etc/ssh/sshd_config[/box]
4. Locate PermitRootLogin and change it to no.
5. Locate the PermitRootLogin without-password”. line and comment it out (prefix it with a hash #, (or pound if you’re American).
[box] # PermitRootLogin without-password”.[/box]
Limit SSH / Shell access to particular User(s)
6. Add the following line to allow the user you create above only.
[box] AllowUsers {username}[/box]
Note: If you had multiple users, you can add them separated by a space.
Disable SSH Version 1 and Force SSH Version2
7. Ensure Protocol 2 is NOT hashed out and activation of protocol 1IS hashed out.
Change the SSH / shell Port Number
8. SSH by default runs over TCP port 22, this is a well know port to advertise to the outside world, to change it (in this case to 2200), change the existing Port 22 line;
[box] Port 2200[/box]
Note: There is not hard and fast rule on what port to use, but for production, I would suggest a random number above 1024 but below 65535.
9. At this point close nano and save the changes, (press CTRL+W and Y to save the changes).
10. The changes will not take effect until after you have restarted the SSH service/daemon.
[box] service sshd restart[/box]
11. At this point you can check that the root user no longer has SSH / Shell access.