In this blog article, I will explain how to perform a password reset on your Cisco ASA security appliance. The more commonly used term for this procedure is password recovery, a term left over from the days when you could view passwords in configuration files in plain text. Today, passwords are encrypted and not actually recoverable. Instead, you will gain access to the appliance via the console port and reset the password(s) to new values.
The procedure requires physical access to the device. You will power-cycle your device by unplugging the power cord from the power strip and plugging it back in. You will then interrupt the boot process and change the configuration register value to prevent the appliance from reading the stored configuration at boot. Since the device ignores the saved configuration on boot, you are able to access the configuration mode without a password. Once you are in configuration mode you will load the saved configuration from flash memory, change the passwords to a new value, change the configuration register value to tell the device to load the saved configuration on boot, and reload the device.
Caution: As with all configuration procedures, this procedure should be tested in a lab environment prior to usage in a production environment to ensure suitability for your situation.
The following steps were designed using a Cisco ASA 5505 Security Appliance; the steps will not work for a Cisco PIX Firewall appliance.
- Power cycle your security appliance by removing and re-inserting the power plug at the power strip.
- When prompted, press ESC to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).
- At the rommon prompt, enter the confreg command to view the current configuration register setting: rommon #0>confreg
- The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer NO when prompted.
- You must change the configuration register to 0x41, which tells the appliance to ignore the saved startup configuration at boot: rommon #1>confreg 0x41
- Reset the appliance with the boot command: rommon #2>boot
- Notice that the security appliance ignores the startup configuration during the boot process. When the device completes booting, you should see a generic User Mode prompt: ciscoasa>
- Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (the password is currently blank).
- Copy the startup configuration file into the running configuration with the following command: ciscoasa#copy startup-config running-config
- The previously saved configuration is now the active configuration, but since the security appliance is already in Privileged Mode, you are not locked out even though privileged access is now password-protected. Next, enter configuration mode and use the following command to change the Privileged Mode password to a new value (in this example, we will use "system"): asa(config)#enable password system
- While still in configuration mode, reset the configuration register to the default of 0x01 to force the security appliance to read the startup configuration on boot: asa(config)#config-register 0x01
- Exit configuration mode and use the following command to view the configuration register setting: asa#show version
- At the bottom of the output, you should see the following statement: Configuration register is 0x41 (it will be 0x01 at next reload).
- Save the current configuration with the copy running-config startup-config command: asa#copy running-config startup-config
- Reload the security appliance: asa#reload
- The device will notify you that the System config has been modified and will ask if you want to save. Select Yes.
When the security appliance reloads, you should be able to use the password you just set to enter privileged mode.
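The 0x41 versus 0x01 distinction this whole procedure turns on is visible in the "Configuration register is ..." line of show version quoted above, which makes it a useful thing to audit. As an added example (not from the original article), here is a small Python check that parses that line and flags an appliance that booted with, or is about to boot with, its startup configuration ignored; it assumes the line wording matches the one shown in the procedure.

```python
import re

# Added example, not from the article: audit the configuration register shown at
# the bottom of 'show version' on a Cisco ASA. Bit 0x40 (what turns the default
# 0x01 into 0x41) makes the appliance ignore startup-config at boot, which is the
# whole basis of the reset procedure, so seeing it set unexpectedly matters.
IGNORE_STARTUP_CONFIG = 0x40
DEFAULT_REGISTER = 0x01

# Wording as quoted in the procedure; the parenthetical appears only while a
# change made with 'config-register' is still pending a reload.
_REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(it will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def parse_config_register(show_version: str):
    """Return (current, next_reload) as ints; next_reload == current if no change
    is pending. Raises ValueError when the line is missing, so a truncated
    capture is never mistaken for a clean result."""
    m = _REGISTER_RE.search(show_version)
    if not m:
        raise ValueError("no 'Configuration register' line in show version output")
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, next_reload

def audit_config_register(show_version: str):
    """Return human-readable findings; an empty list means the default 0x01."""
    current, next_reload = parse_config_register(show_version)
    findings = []
    if current & IGNORE_STARTUP_CONFIG:
        findings.append(f"booted with register {current:#x}: startup-config was "
                        "ignored at the last boot (console password reset or similar)")
    if next_reload & IGNORE_STARTUP_CONFIG:
        findings.append(f"next reload uses {next_reload:#x}: the appliance will "
                        "come up without its saved configuration")
    if not findings and current != DEFAULT_REGISTER:
        findings.append(f"non-default register {current:#x}; confirm it is intentional")
    return findings

# Constructed samples: the state the article describes right after
# 'config-register 0x01' has been entered, and a healthy appliance.
SAMPLE_MID_RESET = "Configuration register is 0x41 (it will be 0x01 at next reload)\n"
SAMPLE_CLEAN = "Configuration register is 0x1\n"

if __name__ == "__main__":
    for label, text in (("mid-reset", SAMPLE_MID_RESET), ("clean", SAMPLE_CLEAN)):
        print(label, audit_config_register(text) or ["ok"])
```

Run it against the saved output of show version from each appliance; a finding on a device nobody was resetting is the signal to look at who had console access.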