Note: This procedure allows you to reset the password WITHOUT LOSING THE CONFIG
You need to access a Cisco ASA device and do not have the passwords. There can be lots of reasons for this: lack of good documentation, a second-hand firewall, the last firewall admin never told anyone, etc.
This method does require physical access to the ASA, a console cable, and a machine running some terminal emulation software.
Note: This procedure is for Cisco ASA 5500-X and ASA 5500 Firewalls, for Cisco PIX go here, and Cisco Catalyst go here.
Password Recovery ASA5505-X
Password Recovery ASA 5500
Password Recovery / Reset Procedure for ASA 5500-X/5500 Firewalls
Below is a run-through on changing the Cisco ASA passwords (setting them to blank, then changing them to something else). Basically you boot the ASA to its very basic shell operating system (ROMMON), then force it to reboot without loading its configuration. At this point you can load the config without having to enter a password, manually change all the passwords, and finally set the ASA to boot properly again.
Below I’ve used both HyperTerminal and PuTTY to do the same thing. You can use either, or another piece of terminal emulation software; the procedure is the same.
1. Connect to the ASA via a console cable (settings 9600/8/None/1/None).
2. Reboot the ASA, and as it boots press Esc to interrupt the normal boot sequence and boot to ROMMON mode.
3. Execute the “confreg” command and take a note of the number that’s listed (copy it to notepad to be on the safe side).
4. Answer the questions as follows (Note: Just pressing Enter will supply the default answer). Answer no to all apart from the TWO listed below:
ON AN ASA 5500-X (Slightly Different)
[box]
do you wish to change the configuration? y/n [n]: Y <<< THIS ONE
disable “password recovery”? y/n [n]: n
disable “display break prompt”? y/n [n]: n
enable “ignore system configuration”? y/n [n]: Y <<< AND THIS ONE
disable “auto-boot image in disks”? y/n [n]: n
change console baud rate? y/n [n]: n
select specific image in disks to boot? y/n [n]: n
[/box]
ON AN ASA 5500
[box]
Do you wish to change this configuration? y/n [n]: Y <<< THIS ONE
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: Y <<< AND THIS ONE
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
[/box]
5. You may notice that the configuration register has changed: on an ASA 5500 to 0x00000040, or on an ASA 5505-X to 0x00000041. To boot the firewall, execute the “boot” command.
6. This time when the ASA boots it will start with a {blank} enable password. You can load the normal config into memory with a “copy startup-config running-config” command.
7. Now you are in enable mode with the correct config loaded, so you can change the passwords. Once that is done, change the configuration register setting back with a config-register {paste in the number you saved earlier} command, or simply a no config-register command. Save the changes (write mem) and reboot the firewall.
Related Articles, References, Credits, or External Links
After recently picking up some second-hand ASA 5512-X firewalls, I went to run them up and make sure they were OK; however, on boot-up they went straight to ROMMON, like so:
[box]
Use ? for help.
rommon #0>
[/box]
Now I know what ROMMON is: it’s the base operating system of the device, and its job is a bit like the BIOS on a PC, it locates and loads the operating system. The only times you should ever see a rommon prompt are:
If you ‘force’ a device into rommon mode as it boots.
The devices config register is incorrectly set.
The operating system is missing/corrupt.
The flash memory of the device is broken, (or needs reformatting).
Chances are the firm who ‘re-sold’ them simply did some password recovery and forgot to set the config register back again.
Solution
I’ve recovered enough passwords and booted from the network enough times to know that if the OS is present on the device, I can load it manually with the ‘boot’ command.
Once loaded up and logged in, let’s have a look at the config register (it should look like 0x1).
[box]
ciscoasa# show ver | incl register
Configuration register is 0x40 << Aha!!
ciscoasa#
[/box]
The easiest way to rectify this is to delete the config register, and it will then reset to the default.
[box]
ciscoasa# configure terminal
ciscoasa(config)# no config-register
ciscoasa(config)# exit
ciscoasa#
ciscoasa# show ver | incl register
Configuration register is 0x40 (will be 0x1 at next reload)
ciscoasa#
[/box]
Reload/reboot the firewall, and if it boots properly then you know you have rectified the problem, but you can re-check:
[box]
ciscoasa# show ver | incl register
Configuration register is 0x1 << Boom!
ciscoasa#
[/box]
Related Articles, References, Credits, or External Links
If you have a Cisco router that you have forgotten the password for, have been given one, or simply bought one from eBay, you may not know the password. In fact many years ago an ISP was going to charge me a ridiculous amount of money to put an entry in a router’s routing table; this procedure ‘ahem’ would have allowed me to do it myself, for free, and then reload the router.
Solution
The reason you are able to do this is the router’s configuration register: this is the setting that decides how the system boots and how it operates. Usually it’s set to 0x2102; you can see this on a working router by running a ‘show version‘ command.
There are a number of different config register settings:
Configuration Register: Router Behavior
0x102: Ignores break, 9600 console baud
0x1202: 1200 baud rate
0x2101: Boots into bootstrap, ignores break, boots into ROM if initial boot fails, 9600 console baud rate
0x2102: Ignores break, boots into ROM if initial boot fails, 9600 console baud rate (default value for most platforms)
0x2120: Boots into ROMmon, 19200 console speed
0x2122: Ignores break, boots into ROM if initial boot fails, 19200 console baud rate
0x2124: NetBoot, ignores break, boots into ROM if initial boot fails, 19200 console speed
0x2142: Ignores break, boots into ROM if initial boot fails, 9600 console baud rate, ignores the contents of Non-Volatile RAM (NVRAM) (ignores configuration)
0x2902: Ignores break, boots into ROM if initial boot fails, 4800 console baud rate
0x2922: Ignores break, boots into ROM if initial boot fails, 38400 console baud rate
0x3122: Ignores break, boots into ROM if initial boot fails, 57600 console baud rate
0x3902: Ignores break, boots into ROM if initial boot fails, 2400 console baud rate
0x3922: Ignores break, boots into ROM if initial boot fails, 115200 console baud rate
The one we are interested in is 0x2142: if we can boot the router without loading the config, we can load the config manually while we have administrative access, which means we can do what we like (including changing the passwords).
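The same register bit is behind both the ASA procedure above (0x1 becoming 0x40 or 0x41) and the router value 0x2142 (0x2102 with bit 0x40 set), and a device left with that bit set is exactly what the second-hand ASA 5512-X story describes: it reloads with no configuration and no passwords. The following audit script is an added example, not code from the article or from Cisco. It parses the “Configuration register is …” line that show version prints (including the “(will be 0x1 at next reload)” form shown above), decodes the bits the page talks about, and flags any device whose effective register will ignore its startup configuration. The bit meanings for bit 6 (ignore NVRAM/startup config), bit 8 (ignore break), bit 13 (boot ROM if network boot fails) and the boot field (bits 0–3) are Cisco’s documented router semantics; the ASA handling only relies on the 0x40 bit as the page shows it. Function names and the sample output are my own, and the sample lines are constructed from the page’s boxes.

```python
import re

# Register bits used by the recovery procedures on this page (assumption: Cisco's
# documented IOS meanings; on the ASA only IGNORE_CONFIG is relied upon).
IGNORE_CONFIG = 0x0040          # bit 6: ignore NVRAM / startup configuration at boot
IGNORE_BREAK = 0x0100           # bit 8: router ignores the break key once booted
ROM_IF_NETBOOT_FAILS = 0x2000   # bit 13: router boots ROM image if network boot fails
BOOT_FIELD_MASK = 0x000F        # bits 0-3: router boot field

# Matches the line printed by "show version" / "show ver | incl register" on both
# IOS and ASA, including the pending value the ASA prints after "no config-register".
REGISTER_RE = re.compile(
    r"Configuration register is (?P<current>0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (?P<pending>0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_register_line(line):
    """Return (current, pending) as ints from a 'Configuration register is' line.
    pending is None when no change is queued for the next reload."""
    m = REGISTER_RE.search(line)
    if not m:
        raise ValueError("no configuration register in line: %r" % line)
    current = int(m.group("current"), 16)
    pending = int(m.group("pending"), 16) if m.group("pending") else None
    return current, pending


def boot_field(value):
    """Router boot field: 0 = stay in ROMMON, 1 = boot the ROM/bootstrap image,
    2-15 = boot normally using the boot system commands (flash)."""
    field = value & BOOT_FIELD_MASK
    if field == 0:
        return "rommon"
    if field == 1:
        return "rom"
    return "flash"


def decode_register(value, platform="ios"):
    """Decode the bits of interest. platform is 'ios' (router) or 'asa'."""
    flags = {"value": value, "ignore_config": bool(value & IGNORE_CONFIG)}
    if platform == "ios":
        flags["boot"] = boot_field(value)
        flags["ignore_break"] = bool(value & IGNORE_BREAK)
        flags["rom_if_netboot_fails"] = bool(value & ROM_IF_NETBOOT_FAILS)
    return flags


def audit_show_version(output, platform="ios", expected=0x2102):
    """Scan captured 'show version' output and return a list of findings.
    The effective register is the pending value if one is queued, else the
    current one; a device that will ignore its startup configuration comes up
    unconfigured and password-less, so that is reported first."""
    findings = []
    for line in output.splitlines():
        try:
            current, pending = parse_register_line(line)
        except ValueError:
            continue  # not the register line
        effective = pending if pending is not None else current
        if decode_register(effective, platform)["ignore_config"]:
            findings.append("register 0x%X ignores startup configuration at next boot" % effective)
        elif effective != expected:
            findings.append("register 0x%X differs from expected 0x%X" % (effective, expected))
    return findings


# Constructed sample captures, assembled from the output boxes on this page.
ASA_BEFORE = "ciscoasa# show ver | incl register\nConfiguration register is 0x40 << Aha!!\n"
ASA_PENDING = "Configuration register is 0x40 (will be 0x1 at next reload)\n"
ROUTER_RECOVERY = "Configuration register is 0x2142\n"

if __name__ == "__main__":
    for name, capture, plat, exp in [
        ("asa before fix", ASA_BEFORE, "asa", 0x1),
        ("asa after no config-register", ASA_PENDING, "asa", 0x1),
        ("router mid-recovery", ROUTER_RECOVERY, "ios", 0x2102),
    ]:
        print(name, "->", audit_show_version(capture, plat, exp) or "OK")
```

Run it against saved show version captures from a fleet (one file per device) and the script gives you a quick post-recovery check that nobody left a firewall or router in the password-recovery state, which is the mistake the second-hand ASA article above describes.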
1. Connect a console cable to the router and connect to it using some terminal emulation software (like PuTTY)*. Power cycle the router and as it starts to boot press the ‘break’ key (on some keyboards press Ctrl+Break; on others you can simply press the Esc key). You will know you are successful if the router boots into ROMMON mode. Issue the following commands:
[box]
rommon 1 > confreg 0x2142
rommon 2 > reset
[/box]
*Typically at Baud 9600, 8 bits, 1 Stop Bit, No parity, No flow control.
2. The router will reboot; when prompted, select no so that you do not enter the setup dialog. (Don’t panic, your config is safe in NVRAM!)
3. Now you can go to enable mode without entering a password, and load the router’s startup configuration into memory.
4. You can at this point make any changes you like, but we are here to change the passwords. On this router I want to reset the enable password, and I protect console access with a username and password, so I want to add a new one for myself. Set the configuration register back to its default setting of 0x2102 and save the changes. Then reload the router and make sure you can now get access.
[box]
Petes-Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)# enable secret P@ssword123
Petes-Router(config)# username petelong privilege 15 password P@ssword123
Petes-Router(config)# config-register 0x2102
Petes-Router(config)# end
Petes-Router# write memory
Petes-Router# reload
Proceed with reload? [confirm] {Enter}
[/box]
5. And we are in.
Related Articles, References, Credits, or External Links
If you are locked out of your PIX firewall then you will need to do some password recovery; this procedure will reset the enable password and remove any AAA username and password settings on the PIX.
Note: If you have a PIX 520 (this has a floppy drive, and the process is different) CLICK HERE.
Solution
Before You Start!
1. You need to know the software version that is running on the PIX, e.g. 6.3(5) or 7.0(1).
2. You need a TFTP server set up and running; CLICK HERE for instructions.
3. You need to be connected to the PIX via its console cable; CLICK HERE for instructions.
4. You need to download the “PIX Password Lockout Utility” that’s appropriate for your PIX, i.e. if you’re running 6.3(5) download np63.bin, for version 7.0(1) download np70.bin, etc. You can get them HERE. Put the file in the root directory of your TFTP server.
Procedure
1. Connect to the firewall via console cable, then power cycle the firewall. As the firewall reboots, press BREAK or ESC to interrupt the boot sequence and get to the monitor prompt.
[box]
monitor>
[/box]
2. Now the firewall has no config loaded, so you need to tell it everything it needs to know. Firstly we need to set up the inside interface so we can load in the password reset utility. Use the interface command (on a PIX with only two interfaces it will default to the inside interface).
Last time I had to do one of these the process was very straightforward: one command and the ASA got its new image from FTP, extracted it, and then installed it.
I had a CX module fail last week, and Cisco shipped me out a replacement. After installing it and running the setup, I needed to upgrade it (it will be managed by PRSM). It was running version 9.0.2 (it had probably been on the shelf a while!), and every time I tried to run a system upgrade it told me this (regardless of what version I tried to install):
[box]
This package is not applicable to release 9.0.2.
[/box]
If I tried to set a boot image in the ASA, I got the following errors:
[box]
Module 1 cannot be recovered.
OR
ERROR: Module in slot 1 does not support recovery
[/box]
Well there is a boot image especially for the 5585-X CX module, so how do you use it?
Solution
Remember the ASA-SSP-CX unit is basically the same hardware as the ASA: you need to boot that card to ROMMON, then install the boot image via TFTP. Once that’s loaded you can run setup and install the new software package.
1. As you can see, this one’s running a very old OS.
[box]
Petes-CX>show version
Cisco ASA CX Platform 9.0.2 (103)
Cisco Prime Security Manager 9.0.2 (103) for Petes-CX firewall
Petes-CX>
[/box]
2. Reload the module and as it starts to boot, send a ‘break’ keystroke.
[box]
Petes-CX>system reload
Are you sure you want to reload the system? [N]: y
Broadcast message from root (console) (Mon Jan 19 14:47:09 2015):
The system is going down for reboot NOW!
INIT: SwitchingStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3862)
.
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
stopping Busybox inetd: inetd… stopped inetd (pid 3875)
done.
Stopping Vixie-cron.
Stopping ntpd: stopped process in pidfile ‘/var/run/ntp.pid’ (pid 3880)
done
Stopping syslogd/klogd: done
Deconfiguring network interfaces… done.
Stopping CGroup Rules Engine Daemon…stopped /usr/sbin/cgrulesengd (pid 3865)
Success
CGRE[3865]: Stopped CGroup Rules Engine Daemon at Mon Jan 19 14:47:13 2015
Stopping cgconfig service: Success
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Unmounting remote filesystems…
Deactivating swap…
Unmounting local filesystems…
umount2: Device or resource busy
——————————————
–Output Removed for the Sake of Brevity–
——————————————
The system is restarting…
CISCO SYSTEMS
Embedded BIOS Version 2.0(13)0 20:40:45 10/21/11
USB storage device found … SMART eUSB USB Device
Total memory : 12 GB
Total number of CPU cores : 8
CPLD revision 0008h
Cisco Systems ROMMON Version (2.0(13)0) #0: Fri Oct 21 20:01:34 CDT 2011
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.
Boot interrupted.
Management0/0
Link is UP
MAC Address: 6c20.5658.928c
Use ? for help.
rommon #0>
[/box]
3. Remember that in ROMMON mode you need to set up all the network settings to copy in the boot image (where 192.168.1.10 will be the CX, and .101 is the TFTP server).
Note: This is the BOOT image, it will have a .img file extension.
[box]
Cisco ASA CX Boot 9.3.2.1 (9)
Type ? for list of commands
Petes-CX-boot>
[/box]
WARNING: the following procedure will erase all the settings from your CX module.
6. Partition the CX module drive. (This takes a long time, a good time to put the kettle on!)
[box]
Petes-CX-boot>partition
WARNING: You are about to erase all policy configurations and data.
You cannot undo this action.
Are you sure you want to proceed? [y/n]:y
Logical volume “data” successfully removed
Logical volume “var” successfully removed
Logical volume “packages” successfully removed
——————————————
–Output Removed for the Sake of Brevity–
——————————————
Persistent partition is there so create symbolic link /etc/ntp.conf
Persistent partition is there so create symbolic link /etc/hosts
Petes-CX-boot>
[/box]
7. Run the basic setup.
[box]
Petes-CX-boot>setup
Welcome to Cisco Prime Security Manager Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asacx]: Petes-CX
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.20
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.21
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.1.31,192.168.1.32
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Petes-CX
Management Interface Configuration
IPv4 Configuration:static
IP Address:192.168.1.10
Netmask:255.255.255.0
Gateway:192.168.1.1
IPv6 Configuration:Stateless autoconfiguration
DNS Configuration:
Domain:petenetlive.com
Search:
petenetlive.com
DNS Server:
192.168.1.20
192.168.1.21
NTP configuration:
192.168.1.31,192.168.1.32
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…
Petes-CX-boot>
[box]
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading..
Starting upgrade process ..
Populating new system image..
Copying over new application components..
Cleaning up old application components..
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.
[/box]