Password Recovery for Cisco ASA 5500 Series


Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover from the loss of passwords, perform the following steps:


Step 1 Connect to the security appliance console port as described in "Accessing the Command-Line Interface".

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011
Configuration Summary:
  boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config
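
A check for Step 14, added here as an example (not part of the original post or of Cisco's documentation): it reads the configuration register line from "show version" output and confirms that the value taking effect at the next reload matches the one recorded in Step 5 and no longer ignores the startup configuration. The line format and the 0x40 "ignore startup configuration" bit are assumptions not stated on this page, and the sample lines are constructed.

```python
import re

# Assumption (not from the page): bit 0x40 of the register is the
# "ignore startup configuration" flag that Step 7 sets.
IGNORE_STARTUP_CONFIG = 0x40

# Assumed "show version" line format, with the optional pending value.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def check_confreg(show_version_text, recorded_value):
    """Return (ok, message) for the register that applies at next reload."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        return False, "no configuration register line found"
    current = int(m.group(1), 16)
    # If a change is pending, that is the value the next reload will use.
    next_reload = int(m.group(2), 16) if m.group(2) else current
    if next_reload & IGNORE_STARTUP_CONFIG:
        return False, (f"0x{next_reload:x} still ignores the startup "
                       "configuration; the next reload boots the default "
                       "configuration with a blank enable password")
    if next_reload != recorded_value:
        return False, (f"next reload uses 0x{next_reload:x}, but "
                       f"0x{recorded_value:x} was recorded in Step 5")
    return True, f"next reload uses recorded value 0x{next_reload:x}"


# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "restored": "Configuration register is 0x41 (will be 0x1 at next reload)",
    "forgotten": "Configuration register is 0x41",
    "wrong value": "Configuration register is 0x41 (will be 0x11 at next reload)",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_confreg(text, recorded_value=0x1))
```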

About Ren (NetXG)
I work too much..

46 Responses to Password Recovery for Cisco ASA 5500 Series

  1. Ray Wong says:

    Very Good, Clear step by step.

  2. Nikola says:

    Great! Thanks!

  3. Jesse Mendez says:

    Excellent, it really helps me a lot. It works perfectly, thank you very much.

  4. Huzefa says:

    All the above comments are true.. This really helps! Thank you so much.

  5. limprulezzz says:

    Is this applicable to the ASA5510?

    Great inputs! Thanks!

  6. Vahid Pazirandeh says:

    Thanks! I used this on my 5510. :-)

  7. Malik says:

    Dear,
    I am very new to Cisco. A Cisco ASA 5510 was already in the office which I joined. Later I tried to connect to it through the putty.exe software, but the password given was invalid. So please advise and guide me step by step.
    Regards,
    Malik

  8. SP says:

    This works like a charm…Great job and thanks

  9. Rohullah says:

    Thanks, nice job. It is helping. Keep up the good work…

    regards,

    RH

  10. Yogesh Bisht says:

    Thanks, Nice Job…..

  11. tkp says:

    Hi,

    I have an ASA setup running in HA (Active/Standby), but somehow I can no longer change the enable mode password to a new one, so I am thinking of doing a password recovery.

    Does anyone know whether doing the above password recovery will affect an ASA HA setup?

    Thank you.

  12. Chris says:

    TKP-

    The above affects the passwords only. Provided you restore the confreg value correctly, the configuration itself will not change… thus HA should not change.

  13. fioz says:

    You are the master. ;)

  14. Paul says:

    Hi,
    I inherited an ASA 5520. When I do the password recovery mentioned here, I get this message:

    “WARNING: Password recovery and ROMMON command line access has been
    disabled by your security policy. Choosing YES below will cause ALL
    configurations, passwords, images, and files systems to be erased.
    ROMMON command line access will be re-enabled, and a new image must be
    downloaded via ROMMON.”

    I don’t know how to proceed since I don’t even have the images for this ASA. And also, what about the licenses? Will it blow them away if I go through and do what the message above says?

    • Ren (NetXG) says:

      Hopefully someone else will chime in on that.

      It’s been a while since I’ve reset those. I also think we had a backup of the image when we did it..

      Double check in Cisco’s forums as well..

      Ren

    • Anonymous says:

      Did anyone ever reply? I have a hack for this :)

      -TIMMAY!

    • Anonymous says:

      The previous admin of your ASA has disabled the password-recovery mechanism.
      Lucky for you if he didn’t enable FIPS-compliant mode as well, or you would just own a piece of worthless scrap metal.

      As for the required image download using ROMMON, you need a valid Cisco service contract to access the image file…

      Try and pry the login credentials from the previous owner.

  15. Seeju Chacko says:

    It’s worked perfectly

  16. Excellent – thankyou :)

  17. Anonymous says:

    ren…
    good man

  18. Sam says:

    It helped. thank you

  19. Anonymous says:

    thank thanks and thanks

  20. Subash Varma says:

    It is really simple and easy steps.

    Thank You Very Much

  21. Gary Kuyat says:

    Thank you! This saved my bacon!

  22. Wiz says:

    After completing step 15, the ASA 5510 asks: Source Filename [running-config]?

    What should be the answer for this?

  23. Artie P says:

    Excellent Step-by-step……

  24. Rajeshwr says:

    Excellent…

  25. tqdavenport says:

    Thank you Ren!

    I just want to say that I went through the hassle of registering on this site just so I could thank you for this article.

    Worked like a champ… no guesswork, no errors, no surprises.

    Thank you and Happy New Year!

  26. Edward says:

    Thanks, but it always returns me to ROMMON and I can take control fully on the router

  27. kiru says:

    pretty helpful post, thanks.

  28. Hi Guys,

    I have console access to the ASA5510, and that leads me to the ASA-Firewall> mode.
    But as this is a new firewall from another location, we don’t have the enable password.
    Will the above method help us reset the enable password?

    OMC-Gurgaon-ASA> en
    Password:— Not Known ;-(

    Thanks in advance !!

    • Just to add,
      However, I tried the above procedure halfway, until it asked me:

      Do you wish to change this configuration? y/n [n]: y
      enable boot to ROMMON prompt? y/n [n]: y
      select specific Flash image index? y/n [n]: y
      enter Flash image index [1->7]: ???

      Please suggest how to proceed after this. This is what the flash looks like.

      --#-- --length-- -----date/time------ path
      134 16275456 Jun 24 2009 07:03:46 asa821-k8.bin
      135 11348300 Jun 24 2009 09:17:28 asdm-621.bin
      136 61440 Jan 01 1980 00:00:00 FSCK0000.REC
      3 4096 Jan 01 2003 00:03:18 log
      10 4096 Jan 01 2003 00:03:26 crypto_archive
      11 4096 Jan 01 2003 00:03:46 coredumpinfo
      12 43 May 11 2010 11:16:48 coredumpinfo/coredump.cfg
      138 28672 Jan 01 1980 00:00:00 FSCK0001.REC
      139 9526560 Jun 24 2009 09:14:54 csd_3.4.1108.pkg
      140 4096 Jun 24 2009 09:14:54 sdesktop
      148 1462 Jun 24 2009 09:14:54 sdesktop/data.xml
      141 2397046 Jun 24 2009 09:14:56 anyconnect-wince-ARMv4I-2.3.0254-k9.pkg
      142 2648712 Jun 24 2009 09:14:58 anyconnect-win-2.3.0254-k9.pkg
      143 4217694 Jun 24 2009 09:15:00 anyconnect-macosx-i386-2.3.0254-k9.pkg
      144 4259411 Jun 24 2009 09:15:02 anyconnect-linux-2.3.0254-k9.pkg
      145 4096 Jan 01 1980 00:00:00 FSCK0002.REC
      146 4096 Jan 01 1980 00:00:00 FSCK0003.REC

  31. Faiz Ahmed says:

    Wow…. Superb!!!! Thanks a lot man!!!

  32. Pranav says:

    Very simple explanation… and I am there

  34. mohammed says:

    Helpful.. Thanx

  35. Dimitar says:

    Thanks a lot!

  36. Shawn T says:

    Simply AMAZING… short and sweet and to the point!! Thanks a billion!!

  37. sheshraj Yadav says:

    very helpful step by step guideline
    Thanks a lot

  39. Yemi says:

    Thank you so so much, you are a great guy! Simple and easy straightforward.
