ASA password recovery or disabling password recovery? Some experts shared their experience or examples of ASA Password Recovery. Maybe they can help you solve your problem while recovering the password for your ASA.
Let’s look at these three examples.
The First One
Step1. Connect to the ASA console port according to the instructions in “Accessing the Command-Line Interface” section.
Step2. Power off the ASA, and then power it on.
Step3. After startup, press the Escape key when you are prompted to enter ROMMON mode.
Step4. To update the configuration register value, enter the following command:
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
Step5. To set the ASA to ignore the startup configuration, enter the following command:
rommon #1> confreg
The ASA displays the current configuration register value, and asks whether you want to change it:
Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y
Step6. Record the current configuration register value, so you can restore it later.
Step7. At the prompt, enter Y to change the value.
The ASA prompts you for new values.
Step8. Accept the default values for all settings. At the prompt, enter Y.
Step9. Reload the ASA by entering the following command:
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...
The ASA loads the default configuration instead of the startup configuration.
Step10. Access the privileged EXEC mode by entering the following command:
hostname> enable
Step11. When prompted for the password, press Enter.
The password is blank.
Step12. Load the startup configuration by entering the following command:
hostname# copy startup-config running-config
Step13. Access the global configuration mode by entering the following command:
hostname# configure terminal
Step14. Change the passwords, as required, in the default configuration by entering the following commands:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step15. Load the default configuration by entering the following command:
hostname(config)# no config-register
The default configuration register value is 0x1.
Step16. Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
Disabling Password Recovery
You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA.
On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON mode without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.
The Second Option
Further modified instructions for the vulcan minded:
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
To recover passwords, perform the following steps:
Step1. Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section on page 2-4.
Step2. Power off the security appliance, and then power it on.
Step3. During the startup messages, press the Escape key when prompted to enter ROMMON.
Step4. To set the security appliance to ignore the startup configuration at reload, enter the following command:
rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step 5 Record your current configuration register value (the number that is similar to 0x00000011 in the example above,) so you can restore it later.
Step6. Enter Y to change the configuration and press Y.
The security appliance prompts you for new values.
Step7. Accept the default values for all settings (which is N for all settings by the way,) except for the “disable system configuration?” value; at that prompt, enter Y.
Step8. Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.
Step9. Enter privileged EXEC mode by entering the following command:
hostname> enable
Step10. When prompted for the password, press Return.
The password is blank.
Step11. Load the startup configuration by entering the following command:
hostname# copy startup-config running-config
Step12. Enter global configuration mode by entering the following command:
hostname# configure terminal
Step13. Change the passwords in the configuration by entering the following commands, as necessary. Note: the second word “password” below is where you enter your actual password since the password “password” is not a password at all.
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step14. Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
Step15. Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
Step16. You will need to repeat steps 4 through 8, except this time at step seven press N for the “disable system configuration?”
The Third One
Small differences, but also successful:
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
To recover passwords, perform the following steps:
Step1. Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section on page 2-4.
Step2. Power off the security appliance, and then power it on.
Step3. During the startup messages, press the Escape key when prompted to enter ROMMON.
Step4. To set the security appliance to ignore the startup configuration at reload, enter the following command:
rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step5. Record your current configuration register value, so you can restore it later.
Step6. At the prompt, enter Y to change the value.
The security appliance prompts you for new values.
Step7. Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.
Step8. Reload the security appliance by entering the following command:
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration.
Step9. Enter privileged EXEC mode by entering the following command:
hostname> enable
Step10. When prompted for the password, press Return.
The password is blank.
Step11. Load the startup configuration by entering the following command:
hostname# copy startup-config running-config
Step12. Enter global configuration mode by entering the following command:
hostname# configure terminal
Step13. Change the passwords in the configuration by entering the following commands, as necessary:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step14. Change the configuration register to load the startup configuration at the next reload by entering the following command:
hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.
Step15. Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
Reference from https://supportforums.cisco.com/document/79016/asa-password-recovery
More Cisco Network Topics
How to Deploy the ASA 5508-X or ASA 5516-X in Your Network?
How to Start a Cisco ASA 5585-X Series
