Password Recovery for Cisco ASA 5500 Series
Posted by Ren (NetXG) on November 27, 2007
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
To recover from the loss of passwords, perform the following steps:
Step 1 Connect to the security appliance console port as described in "Accessing the Command-Line Interface".
Step 2 Power off the security appliance, and then power it on.
Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.
Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:
rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step 5 Record your current configuration register value, so you can restore it later.
Step 6 At the prompt, enter Y to change the value.
The security appliance prompts you for new values.
Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.
Step 8 Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.
Step 9 Enter privileged EXEC mode by entering the following command:
hostname> enable
Step 10 When prompted for the password, press Return.
The password is blank.
Step 11 Load the startup configuration by entering the following command:
hostname# copy startup-config running-config
Step 12 Enter global configuration mode by entering the following command:
hostname# configure terminal
Step 13 Change the passwords in the configuration by entering the following commands, as necessary:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value
where value is the configuration register value you recorded in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
Step 15 Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
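As an added example that is not part of the original post or of Cisco's own tooling: a small Python helper that decodes the configuration register values this procedure records (Step 5), changes (Step 7) and restores (Step 14), and audits a device's `show version` output afterwards, because an appliance left at the recovery value boots with an empty configuration on its next reload. The 0x1 and 0x10 bits follow the Configuration Summary printed above for 0x11; the 0x40 value for "disable system configuration" is an assumption taken from the documented 0x41 ignore-startup-config register, and all sample output is constructed.

```python
import re

# Register bits. 0x1 and 0x10 follow the "Configuration Summary" the ROMMON
# dialogue prints for 0x11 in the procedure above; 0x40 ("disable system
# configuration") is assumed from Cisco's documented 0x41 ignore-startup-config
# value. All sample output in this example is constructed.
FLASH_DEFAULT = 0x01          # boot default image from Flash
TFTP_NETBOOT = 0x10           # try a TFTP image first
DISABLE_SYSTEM_CONFIG = 0x40  # ignore startup-config at reload
_RE_ROMMON = re.compile(r"Current Configuration Register:\s*0x([0-9A-Fa-f]+)")
_RE_SHOWVER = re.compile(r"Configuration register is\s*0x([0-9A-Fa-f]+)")

def parse_confreg(text):
    """Pull the register value out of ROMMON 'confreg' or 'show version' text."""
    m = _RE_ROMMON.search(text) or _RE_SHOWVER.search(text)
    if m is None:
        raise ValueError("no configuration register line found")
    return int(m.group(1), 16)

def describe(confreg):
    """Summary of the bits this page discusses, in the ROMMON wording."""
    parts = []
    if confreg & TFTP_NETBOOT:
        parts.append("boot TFTP image")
    if confreg & FLASH_DEFAULT:
        suffix = " on netboot failure" if confreg & TFTP_NETBOOT else ""
        parts.append("boot default image from Flash" + suffix)
    if confreg & DISABLE_SYSTEM_CONFIG:
        parts.append("ignore startup configuration")
    return parts

def recovery_value(recorded):
    """Step 7: keep the recorded boot bits, set only 'disable system configuration'."""
    return recorded | DISABLE_SYSTEM_CONFIG

def check_after_recovery(show_version, recorded):
    """Audit 'show version' after Step 14/15; an empty list means the register
    is back to the value recorded in Step 5 and startup-config will load."""
    findings = []
    current = parse_confreg(show_version)
    if current & DISABLE_SYSTEM_CONFIG:
        findings.append("register 0x%x still ignores startup-config; Step 14 was skipped" % current)
    if current != recorded:
        findings.append("register 0x%x differs from recorded 0x%x" % (current, recorded))
    return findings

# Constructed sample: the tail of 'show version' on a device left at 0x41.
SAMPLE_SHOW_VERSION = "...\nConfiguration register is 0x41\n"
```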
Ray Wong said
Very Good, Clear step by step.
Nikola said
Great! Thanks!
Jesse Mendez said
Excellent, it really helps me a lot. It works perfectly, thank you very much.
Huzefa said
All the above comments are true... this really helps! Thank you so much.
limprulezzz said
Is this applicable to the ASA 5510?
Great inputs! Thanks!
Vahid Pazirandeh said
Thanks! I used this on my 5510.
Malik said
Dear,
I am very new to Cisco. The Cisco ASA 5510 was already in the office which I joined. Later I tried to connect to it through the putty.exe software, but the password given was invalid. So please advise and guide me step by step.
Regards,
Malik
SP said
This works like a charm... Great job and thanks
Rohullah said
Thanks, nice job, it is helping, keep it up, good work...
regards,
RH
Yogesh Bisht said
Thanks, nice job...
tkp said
Hi,
I have an ASA setup running on HA (Active/Standby), but somehow I can no longer change the enable mode password to a new one, thus I am thinking of doing a password recovery.
Anyone got an idea whether doing the above password recovery will affect an ASA HA setup?
Thank you.
Chris said
TKP-
The above affects the passwords only. Provided you restore the confreg value correctly, the configuration itself will not change... thus HA should not change.
fioz said
You are the master.
Paul said
Hi,
I inherited an ASA 5520. When I do the password recovery mentioned here, I get this message:
"WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON."
I don't know how to proceed since I don't even have the images for this ASA. And also, what about the licenses... will it blow them away if I go through and do what the message above says?
Ren (NetXG) said
Hopefully someone else will chime in on that.
It's been a while since I've reset those. I also think we had a backup of the image when we did it..
Double check in Cisco's forums as well..
Ren
Anonymous said
Did anyone ever reply? I have a hack for this
-TIMMAY!
Anonymous said
The previous admin of your ASA has disabled the password-recovery mechanism.
Lucky for you if he didn't enable FIPS-compliant mode as well, or you would just own a piece of worthless scrap metal.
As for the required image download using ROMMON, you need a valid Cisco service contract to access the image file...
Try and pry the login credentials from the previous owner.
Seeju Chacko said
It worked perfectly
Paul Morgan-Roach said
Excellent, thank you
Anonymous said
ren…
good man
Sam said
It helped. Thank you
Anonymous said
thank thanks and thanks
Subash Varma said
They are really simple and easy steps.
Thank You Very Much
Gary Kuyat said
Thank you! This saved my bacon!
Wiz said
After completing step 15, the ASA 5510 asks "Source Filename [running-config]?"
What should be the answer for this?
Artie P said
Excellent Step-by-step……
Rajeshwr said
Excellent…
tqdavenport said
Thank you Ren!
I just want to say that I went through the hassle of registering on this site just so I could thank you for this article.
Worked like a champ... no guesswork, no errors, no surprises.
Thank you and Happy New Year!
Edward said
Thanks, but it always returns me to ROMMON and I can take full control of the router
kiru said
pretty helpful post, thanks.
Karan Singh Bhandari said
Hi Guys,
I have console access to the ASA 5510 and that leads me to the ASA-Firewall> mode.
But as this is a new firewall from another location, we don't have the enable password..
Will the above method help us reset the enable password??
OMC-Gurgaon-ASA> en
Password:— Not Known ;-(
Thanks in advance !!
Karan Singh Bhandari said
Just to add ,
However, I tried the above procedure until halfway, when it asked me:
Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]: y
select specific Flash image index? y/n [n]: y
enter Flash image index [1->7]: ???
Please suggest how to proceed after this? This is how the flash looks:
--#-- --length-- -----date/time------ path
134 16275456 Jun 24 2009 07:03:46 asa821-k8.bin
135 11348300 Jun 24 2009 09:17:28 asdm-621.bin
136 61440 Jan 01 1980 00:00:00 FSCK0000.REC
3 4096 Jan 01 2003 00:03:18 log
10 4096 Jan 01 2003 00:03:26 crypto_archive
11 4096 Jan 01 2003 00:03:46 coredumpinfo
12 43 May 11 2010 11:16:48 coredumpinfo/coredump.cfg
138 28672 Jan 01 1980 00:00:00 FSCK0001.REC
139 9526560 Jun 24 2009 09:14:54 csd_3.4.1108.pkg
140 4096 Jun 24 2009 09:14:54 sdesktop
148 1462 Jun 24 2009 09:14:54 sdesktop/data.xml
141 2397046 Jun 24 2009 09:14:56 anyconnect-wince-ARMv4I-2.3.0254-k9.pkg
142 2648712 Jun 24 2009 09:14:58 anyconnect-win-2.3.0254-k9.pkg
143 4217694 Jun 24 2009 09:15:00 anyconnect-macosx-i386-2.3.0254-k9.pkg
144 4259411 Jun 24 2009 09:15:02 anyconnect-linux-2.3.0254-k9.pkg
145 4096 Jan 01 1980 00:00:00 FSCK0002.REC
146 4096 Jan 01 1980 00:00:00 FSCK0003.REC
Faiz Ahmed said
Wow... Superb!!!! Thanks a lot man!!!