Password Recovery on the Cisco ASA Security Appliance
In this article, I describe how to perform a password "reset" on your Cisco ASA security appliance. The more commonly used term for this procedure is "password recovery", which is left over from the days when you could actually view passwords in configuration files in plain text. Today, such passwords are encrypted and not actually recoverable. Instead, you gain access to the appliance through the console port and reset the password(s) to known values.
This procedure requires physical access to the device. You will power-cycle your appliance by unplugging it at the power strip and plugging it back in. You will then interrupt the boot process and change the configuration register value to prevent the appliance from reading its stored configuration at boot. Because the device ignores its saved configuration on boot, you can access its configuration modes without passwords. Once you are in configuration mode, you will load the saved configuration from flash memory, change the passwords to a known value, change the configuration register value to tell the device to load its saved configuration on boot, and reload the device.
Caution: As with all configuration procedures, these procedures should be tested in a laboratory environment prior to use in a production environment to ensure suitability for your situation.
The following steps were designed using a Cisco ASA 5505 Security Appliance. They are not appropriate for a Cisco PIX Firewall appliance.
1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.
2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).
3. At the rommon prompt, enter the confreg command to view the current configuration register setting: rommon #0>confreg
4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer no when prompted.
5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration on boot: rommon #1>confreg 0x41
6. Reset the appliance with the boot command: rommon #2>boot
7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt: ciscoasa>
8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank): ciscoasa>enable Password: ciscoasa#
9. Copy the startup configuration file into the running configuration with the following command: ciscoasa#copy startup-config running-config Destination filename [running-config]?
10. The previously saved configuration is now the active configuration, but because the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we will use the password procedure): asa#conf t asa(config)#enable password procedure
11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot: asa(config)#config-register 0x01
12. Use the following commands to view the configuration register setting: asa(config)#exit asa#show version
13. At the bottom of the output of the show version command, you should see the following statement: Configuration register is 0x41 (will be 0x1 at next reload)
14. Save the current configuration with the copy run start command to make the above changes persistent: asa#copy run start Source filename [running-config]
15. Reload the security appliance: asa# reload System config has been modified. Save? [Y]es/[N]o:yes
Cryptochecksum: e87f1433 54896e6b 4e21d072 d71a9cbf
2149 bytes copied in 1.480 secs (2149 bytes/sec) Proceed with reload? [confirm]
When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.
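A check for the end state of this procedure, as an added example that is not part of the original article: it parses the configuration register line from show version output and flags an appliance whose next boot would still ignore its startup configuration. The line format "Configuration register is 0x41 (will be 0x1 at next reload)", the status names, and the treatment of 0x40 as the ignore flag (inferred from the article's values 0x41 and 0x01) are assumptions.

```python
import re

# Bit that differs between the article's two values: 0x41 (ignore the startup
# configuration) and 0x01 (default). Treating 0x40 as the "ignore" flag is an
# assumption inferred from those two values.
IGNORE_STARTUP_BIT = 0x40

# Assumed line format; the "(will be ...)" part appears only when a change
# is waiting for the next reload.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def audit_confreg(show_version_output):
    """Return (status, current, pending) for one device's show version text."""
    match = CONFREG_RE.search(show_version_output)
    if match is None:
        return ("unknown", None, None)
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    if pending & IGNORE_STARTUP_BIT:
        # The next boot will skip the saved configuration, passwords included.
        return ("exposed", current, pending)
    if current & IGNORE_STARTUP_BIT:
        # Register already corrected; takes effect once the device reloads.
        return ("reload-pending", current, pending)
    return ("ok", current, pending)


# Constructed sample outputs (not captured from a real device).
SAMPLES = {
    "after-step-11": "Configuration register is 0x41 (will be 0x1 at next reload)",
    "step-11-skipped": "Configuration register is 0x41",
    "normal": "Configuration register is 0x1",
    "truncated": "Cisco Adaptive Security Appliance Software",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, current, pending = audit_confreg(text)
        print(f"{name}: {status}")
```

An "exposed" result means the register was never set back to 0x01, so the appliance would again come up without its saved passwords after the next power cycle.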
Copyright (c) 2007 Don R. Crawley