Cisco ASA Password Recovery

When inheriting used and abused customer networks, it becomes necessary from time to time to reset passwords on devices the hard way. Fortunately, with the Cisco ASA it’s still not all that complicated. For each step I have included examples of the commands and their output. Let’s dive right in and check out the steps!

First, reset the device by removing and reapplying power. Have a console cable attached when you do this. As the system begins to boot, press “ESC” to break the boot sequence.

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

After breaking from the boot process you will be presented with the “rommon” prompt.  Type “confreg” at this prompt.

Boot interrupted.
MAC Address: 001f.9e00.0001
Link is DOWN
Use ? for help.
rommon #0> confreg

“Confreg” will first display the current configuration register value. Take note of this value, as you will want to restore it later. A wizard of sorts will then start that allows you to change the boot parameters of the unit.

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash

Choose the default for every option except the one that says “disable system configuration?”. Be sure to select “Y” for this option. When all the options are completed, you will be notified that the changes have been committed.

Do you wish to change this configuration? y/n [n]: Y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
Current Configuration Register: 0x00000040
Configuration Summary:
  boot ROMMON
  ignore system configuration
Update Config Register (0x40) in NVRAM...

Now, type “boot” to have the unit boot.

rommon #1> boot
Launching BootLoader...
Boot configuration file contains 2 entries.
Loading disk0:/asa724-k8.bin... Booting...

After all of the boot messages scroll by, you will be left with an essentially unconfigured unit. Get into enabled mode and issue the command “copy startup-config running-config”.

ciscoasa> enable
ciscoasa# copy startup-config running-config

The configuration will be loaded. Now, go ahead and replace the passwords, usernames, etc. that you need to replace to gain typical access to the unit. Be sure not to exit enabled mode until you are finished. I like to use a command like this to find the user and password information I need to update:

ciscoasa# show run | inc password | user | secret

Finally, we must reset the configuration register value to the value displayed earlier.  The command looked something like this for me:

ciscoasa(config)# config-register 0x00000001

To wrap things up, copy the running configuration to the startup configuration. Restart the unit to ensure proper booting (so you won’t find out 9 months from now after a power outage) and you should be good to go!
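The final check can be scripted against saved “show version” output so a unit is never left with the ignore-configuration bit set. This is an added example, not part of the original post; the wording of the register line and the function name check_confreg are assumptions, and the sample lines are constructed.

```python
import re

IGNORE_CONFIG = 0x40  # bit set by answering "y" to "disable system configuration?"

# Assumed wording of the register line in "show version" output.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

def check_confreg(show_version_text, recorded_original):
    """Return a list of findings; an empty list means the register is restored."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        return ["no configuration register line found"]
    current = int(m.group(1), 16)
    # With no pending change, the next boot uses the current value.
    next_boot = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if next_boot & IGNORE_CONFIG:
        findings.append(
            f"next boot uses {next_boot:#x}: startup-config will be ignored")
    if next_boot != recorded_original:
        findings.append(
            f"next boot uses {next_boot:#x}, recorded value was {recorded_original:#x}")
    if current & IGNORE_CONFIG and not next_boot & IGNORE_CONFIG:
        findings.append(
            f"running on {current:#x} until reload: reboot to confirm a normal boot")
    return findings

# Constructed sample lines, not captured from a real device.
FORGOTTEN = "Configuration register is 0x40"
PENDING = "Configuration register is 0x40 (will be 0x1 at next reload)"
RESTORED = "Configuration register is 0x1"

if __name__ == "__main__":
    samples = [("forgotten", FORGOTTEN), ("pending", PENDING), ("restored", RESTORED)]
    for label, text in samples:
        print(label, check_confreg(text, 0x00000001) or "OK")
```

Pass the value you noted from the “confreg” output as recorded_original; any non-empty result means the unit should not be put back into service yet.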

For additional reading about the ASA password recovery procedure, or about the procedure for other security appliances, check out the Cisco website:
