Uberleet

Linux Systems Articles for better insights

How to reset password on Cisco ASA Firewalls


Catalyst 5585 (and similar) Password Recovery

Introduction

An absolute beginner will want to plan for 30 minutes of downtime, but might tell their team 1 hour for safety margin.

Follow these steps to reset the password:

1) Console into the ASA

2) Reboot the ASA

3) Press the Escape key during reboot to enter ROMmon

4) Record the current configuration register

This will be useful for getting the system back to its proper configuration later. The configuration register and the different values it can take are explained in the "Get the current config register" section further down this page.

Type:

rommon #1> confreg

You will see similar to the following:

Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:

Record the configuration register value shown on your console. Then press 'y' to change the configuration.

5) Hit 'y' to get past all the default options.

When you get to "disable system configuration?" hit y.

6) Reboot the ASA

Now the firewall will reload and completely bypass the current configuration.

7) Recover access at the console after startup

The ASA will boot up with no enable password and will not prompt for a username and password on the console.

Type

enable

Copy the NVRAM config to memory

copy startup-config running-config

Enter config mode and change the password(s)

configure terminal
password NEW_PASSWORD
enable password NEW_PASSWORD
username USER password NEW_PASSWORD

Restore the configuration register to the value you wrote down earlier in step 4.

config-register 0x0000###

Save your config back to NVRAM

copy running-config startup-config

8) Yay, success!

Now your system is reconfigured with your passwords, and the configuration register will point back to your config file on reboot.

Get the current config register

The configuration register tells the switch/router which behavior to boot into; it is a hexadecimal value whose bits control where the configuration is loaded from. This controls things like:

  • How the router boots (into ROMmon, NetBoot)
  • Options while booting (ignore configuration, disable boot messages)
  • Console speed (baud rate for a terminal emulation session)

The configuration register can be set from configuration mode using the config-register command. From ROMmon, use the confreg command. Issue the show version command to view the current setting of the configuration register:

Router#show version
Cisco Internetwork Operating System Software 
IOS (tm) 2500 Software (C2500-JS-L), Version 12.1(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 25-Oct-00 05:18 by cmong
Image text-base: 0x03071DB0, data-base: 0x00001000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a),
 RELEASE SOFTWARE (fc1)
Router uptime is 7 minutes
System returned to ROM by reload
System image file is "flash:c2500-js-l_121-5.bin"
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 03867477, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Token Ring/IEEE 802.5 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102

The factory-default setting for the configuration register is 0x2102. If you don't know the value, or can't run show version, you can assume register 0x2102.

Pull the plug on the router.

Your router will begin to reboot, and should be ready for action within 30-60 seconds.

Break once the routing processor starts

ROMmon boots into the SP (switch processor) first; on some systems it will stop at a rommon 1> prompt and you need to type boot. The system then boots into the RP (routing processor), which is your sign to send the BREAK sequence to drop into ROMmon.

Start pressing the BREAK sequence as soon as RP gains control:

00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor

DO NOT INTERRUPT UNTIL AFTER THIS MESSAGE. You may have to issue BREAK a few times.

Pro Tip: Ctrl-A + F sends break sequence using Minicom on Linux.

Pro Tip: Command + B sends break sequence using Z-Terminal on Mac.

Pro Tip: Ctrl + BREAK sends break sequence using Hyperterminal on Windows.

Change the configuration register to boot ROM (ignore NVRAM)

If your break sequence worked, you should see a RomMon 1> prompt.

Immediately type confreg 0x2142 and press Enter. After about 10 seconds the router has a tendency to crash and reboot, so it's important that you change the config register before it does. If it crashes, simply wait and it will reboot into the proper config mode.

Here is what the 'software forced crash' looks like:

rommon 1 > 
 00:00:41: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure co. 
00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %SYS-SP-2-INTSCHED: 't_idle' at level 7 
 -Process= "SCP Download Process", ipl= 7, pid= 57 
 -Traceback= 4013991C 401232B4 402827F4 40282994 40283010 405CB010 402A9858 4013C 
 00:00:41: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor

*** System received a Software forced crash *** 
 signal= 0x17, code= 0x24, context= 0x4269f6f4 
 PC = 0x401370d8, Cause = 0x3020, Status Reg = 0x34008002

The router will reboot and ignore NVRAM configuration because of config register 0x2142. If you see that the router configuration is still present (still previous hostname), it indicates that the configuration register was not changed to 0x2142 in time prior to the crash.
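The register values used above (0x2102 from show version, 0x2142 typed into ROMmon, and the ASA's 0x00000011 from confreg) are bit fields: 0x2142 is simply 0x2102 with bit 6 (0x0040, "ignore NVRAM") set, so the same change works for any recorded register value, not only the factory default. The Python helper below is an added example written for this article; it is not part of the original post and not a Cisco tool. It parses the register out of show version or ROMmon confreg output, decodes the IOS bits that matter for this procedure (the console-speed bits 5, 11 and 12 are deliberately left undecoded), derives the recovery value from any recorded register, and checks the "(will be 0x.... at next reload)" text that IOS prints in show version once config-register has been set back. The bit meanings are the documented IOS ones; the ASA's register layout differs, so the ASA value is only parsed, never decoded. All sample output lines are constructed, patterned on the lines quoted in the article. Note also that bit 8 of 0x2102 only disables Break after IOS has finished booting, which is exactly why this console procedure works: the register is not a security control, and console access has to be protected as administrative access.

```python
import re

# Documented Cisco IOS configuration register bits that the recovery procedure relies on.
# Console-speed bits (5, 11, 12) are intentionally not decoded here.
BOOT_FIELD_MASK = 0x000F     # bits 0-3: boot field
IGNORE_NVRAM = 0x0040        # bit 6: ignore NVRAM contents on boot (0x2102 -> 0x2142)
BREAK_DISABLED = 0x0100      # bit 8: ignore Break once IOS has finished booting
NETBOOT_FALLBACK = 0x2000    # bit 13: boot default ROM software if network boot fails
DIAG_MODE = 0x8000           # bit 15: diagnostic mode, which also ignores NVRAM

# Matches both "Configuration register is 0x2102" (IOS show version)
# and "Current Configuration Register: 0x00000011" (ROMmon confreg).
_REG_RE = re.compile(r"[Cc]onfiguration [Rr]egister(?: is)?:?\s*(0x[0-9A-Fa-f]+)")
_PENDING_RE = re.compile(r"\(will be (0x[0-9A-Fa-f]+) at next reload\)")


def parse_register(output: str) -> int:
    """Pull the current register value out of show version or confreg output."""
    m = _REG_RE.search(output)
    if not m:
        raise ValueError("no configuration register value found in output")
    return int(m.group(1), 16)


def pending_register(output: str):
    """Value that takes effect at the next reload, if IOS reports one; else None."""
    m = _PENDING_RE.search(output)
    return int(m.group(1), 16) if m else None


def boot_field(reg: int) -> str:
    """Describe the low nibble (boot field) of an IOS register."""
    field = reg & BOOT_FIELD_MASK
    if field == 0x0:
        return "stay in ROMmon"
    if field == 0x1:
        return "boot first image in flash (boot helper image on older platforms)"
    return "boot per 'boot system' commands, default flash image"


def decode_register(reg: int) -> dict:
    """Describe the IOS register bits that matter for password recovery."""
    return {
        "value": f"0x{reg:04X}",
        "boot": boot_field(reg),
        "ignore_nvram": bool(reg & (IGNORE_NVRAM | DIAG_MODE)),
        "break_disabled_after_boot": bool(reg & BREAK_DISABLED),
        "netboot_fallback": bool(reg & NETBOOT_FALLBACK),
    }


def recovery_register(recorded: int) -> int:
    """Value to type after 'confreg' in ROMmon for any recorded register, not just 0x2102."""
    return recorded | IGNORE_NVRAM


def restore_verified(show_version_output: str, recorded: int) -> bool:
    """True when show version (after config-register) shows the recorded value as the
    pending or active register, i.e. NVRAM will be loaded again at the next reload."""
    pending = pending_register(show_version_output)
    effective = pending if pending is not None else parse_register(show_version_output)
    return effective == recorded and not (effective & IGNORE_NVRAM)


# Constructed sample output lines, patterned on the ones quoted in the article.
SHOW_VERSION_BEFORE = "Configuration register is 0x2102"
ASA_CONFREG = "Current Configuration Register: 0x00000011"
SHOW_VERSION_AFTER_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    recorded = parse_register(SHOW_VERSION_BEFORE)
    print("recorded:", decode_register(recorded))
    print(f"type in ROMmon: confreg 0x{recovery_register(recorded):04X}")
    print("recovery:", decode_register(recovery_register(recorded)))
    print("restore pending:", restore_verified(SHOW_VERSION_AFTER_RECOVERY, recorded))
    print(f"ASA confreg reported 0x{parse_register(ASA_CONFREG):X} (ASA layout, not decoded)")
```

Run it as a script to see the decoded flags, or paste real show version output into parse_register and restore_verified as the final check before the reload at the end of the procedure: the check fails if bit 6 is still set in the value that will be active after reload, which is the mistake that would otherwise cost you a second trip to the console.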

Cancel the 'initial switch configuration'

Unless you want to lose your configurations, please say 'no' when it asks to run first-time configuration.

Enable yourself to administrator!

Type enable at the Router> prompt. You are in enable mode with no password. The Router# prompt is displayed.

Copy NVRAM config into running memory.

configure memory or copy start running will copy the NVRAM configuration into RAM. Do not issue configure terminal yet!

Check your config

Run write terminal or show running. These commands show the running configuration of the router. In this configuration, you will see the shutdown command under all the interfaces.

Conf t

Issue the configure terminal command to enter global configuration mode and make the changes. The prompt is now hostname(config)#.

Change enable password

Issue enable secret <password> in global configuration mode to change the enable password.

Set config-register 0x2102 again.

Issue the config-register 0x2102 command, or the hexadecimal value you recorded earlier under "Get the current config register", in global configuration mode.

Change vty passwords, if present.

Router(config)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#^Z
Router#

Bring up interfaces

Issue the no shutdown command on every interface that is normally in use. Issue a show ip interface brief command to see a list of interfaces and their current status.
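Working out which interfaces are "normally in use" is easier than it sounds: the saved configuration in NVRAM (show startup-config) still records which interfaces had shutdown before the recovery, while the running configuration loaded with configure memory shows shutdown on all of them. The Python helper below is an added example, not code from the article or from Cisco; it diffs the two configurations and emits the no shutdown commands for exactly the interfaces that were up before, so interfaces that were deliberately disabled stay disabled. The two configuration texts are constructed samples in IOS running-config layout (one space of indentation inside a stanza, "!" between stanzas).

```python
def shutdown_interfaces(config_text: str) -> set:
    """Return the names of interfaces whose stanza contains a bare 'shutdown' line.

    IOS config layout: 'interface <name>' at column 0, sub-commands indented one
    space, '!' (or any other column-0 line) ends the stanza.
    """
    shut = set()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not line.startswith(" "):
            current = None          # '!' separator, blank line or another top-level stanza
        elif current is not None and line.strip() == "shutdown":
            shut.add(current)
    return shut


def no_shutdown_commands(startup_config: str, running_config: str) -> list:
    """Commands to re-enable interfaces that are shut now but were not shut in NVRAM."""
    need = shutdown_interfaces(running_config) - shutdown_interfaces(startup_config)
    commands = []
    for name in sorted(need):
        commands += [f"interface {name}", " no shutdown"]
    return commands


# Constructed sample: what NVRAM held before recovery (Fa0/1 was deliberately shut).
STARTUP_CONFIG = """\
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 shutdown
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
!
line vty 0 4
 password NEW_PASSWORD
 login
!
end
"""

# Constructed sample: running config after 'configure memory' during recovery,
# where every interface shows up as shut down.
RUNNING_CONFIG = STARTUP_CONFIG.replace(
    " ip address 192.0.2.1 255.255.255.0", " ip address 192.0.2.1 255.255.255.0\n shutdown"
).replace(
    " ip address 198.51.100.1 255.255.255.252", " ip address 198.51.100.1 255.255.255.252\n shutdown"
)

if __name__ == "__main__":
    print("\n".join(no_shutdown_commands(STARTUP_CONFIG, RUNNING_CONFIG)))
```

Paste the two show outputs into the module's two constants and run it; the printed lines can be entered in global configuration mode as-is, and FastEthernet0/1 in the sample correctly stays out of the list.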

Exit conf t mode

Ctrl-Z or end leaves configuration mode, and write memory or copy running startup writes the changes to NVRAM.

Reload / Restart Router

Now bring the router back up by issuing reload or power cycling the device, and make sure everything comes back online!