Saturday 16 May 2020

Cisco ASA - Password Recovery Procedure

If for any reason you are locked out of an ASA appliance and you don’t remember the password to
log in, you need to follow the password recovery procedure below:

Step1:
Connect with a console cable to the ASA and power-cycle the device (switch it OFF and ON again)

Step2:
Press the “ESC” key on your keyboard repeatedly until the device enters ROMMON mode. This
mode shows the following prompt:
rommon #1>

Step3:
Now we need to change the “configuration register”, which is a special register that controls how
the device boots up.
rommon #1>confreg
The security appliance displays the current configuration register value and asks if you want to
change the value. Answer no when prompted.
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]: n

Step4:
Now we must manually change the confreg value to 0x41 which means that the appliance will
ignore the startup-configuration when booting. Then, reboot the appliance.
rommon #2>confreg 0x41
rommon #3>boot

Step5:
Now the ASA will ignore its startup configuration and boot up without asking for a password.
ciscoasa>enable
Password: <Hit Enter>
ciscoasa#

Step6:
Copy the startup configuration file into the running configuration.
ciscoasa# copy startup-config running-config
Destination filename [running-config]? <Hit Enter>

Step7:
Now configure a new privileged-level password (enable password) and also reset the configuration
register to its original value (0x01).
ciscoasa#conf term
ciscoasa(config)#enable password strongpass
ciscoasa(config)# config-register 0x01
ciscoasa(config)# wr mem

Step8:
Reload the appliance. Now you should be able to log in with the new password.
ciscoasa(config)# reload
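
A post-recovery check, added here as an example and not part of the original procedure: it reads saved "show version" output and flags an appliance whose configuration register still tells it to ignore the startup configuration, which is what happens if Step7 is skipped. The "Configuration register is ..." line format, the 0x40 bit as the difference between 0x41 and 0x01, and the sample strings are assumptions constructed for this example.

```python
import re

# Assumption: the bit that separates the page's 0x41 (ignore startup-config)
# from its original value 0x01.
IGNORE_STARTUP_CONFIG = 0x40

# Assumed line format, e.g.
#   Configuration register is 0x41 (will be 0x1 at next reload)
_CONFREG = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

def check_confreg(show_version_text):
    """Return (current, next_boot, findings) parsed from 'show version' text."""
    m = _CONFREG.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    # Without a pending change, the next boot uses the current value.
    next_boot = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if current & IGNORE_STARTUP_CONFIG:
        findings.append("booted with startup-config ignored (recovery boot)")
    if next_boot & IGNORE_STARTUP_CONFIG:
        findings.append("next reload will ignore startup-config again")
    return current, next_boot, findings

# Constructed sample inputs (not captured from a real device).
AFTER_STEP7 = "Serial Number: EXAMPLE\nConfiguration register is 0x41 (will be 0x1 at next reload)\n"
STEP7_SKIPPED = "Serial Number: EXAMPLE\nConfiguration register is 0x41\n"
AFTER_STEP8 = "Serial Number: EXAMPLE\nConfiguration register is 0x1\n"

if __name__ == "__main__":
    for name, text in [("after Step7", AFTER_STEP7),
                       ("Step7 skipped", STEP7_SKIPPED),
                       ("after Step8", AFTER_STEP8)]:
        cur, nxt, findings = check_confreg(text)
        print(f"{name}: current={cur:#x} next={nxt:#x} {findings or 'OK'}")
```

An appliance that reports the second finding comes up with no startup configuration and an empty enable password on every reload, so it is worth checking for on any device that has been through this procedure.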

