Password Recovery on an ASA Firewall

Unfortunately there are times when you need to reset a Cisco ASA’s passwords, either because you have forgotten them or because you have been handed a device with them already set.

The procedure to do this is relatively simple, but it does require rebooting the firewall a couple of times, so there will be downtime while you do this.

 

Step 1

You need to connect your laptop to the console port of the ASA. A console cable comes with the equipment, but all you need is a USB to serial console cable.

 

Step 2

Power the ASA off and then on. As it starts up you will be prompted to press the Escape key to interrupt the boot process and go into ROMMON mode.

 

Step 3

Once in ROMMON you then need to change the configuration register value. This value tells the device what to do when booting up, and it can be set to a number of different values.

The default value is 0x1 and you need to record this as we will be using it later on.

The one we want to set it to is 0x41, which tells the ASA to ignore its startup configuration when booting up, so it will come up without reading the current configuration –

rommon #1> confreg 0x41

 

Step 4

After changing the configuration register you then type boot to continue the boot process –

rommon #2> boot

and when the ASA boots up there will be a message on the console saying the startup configuration has been ignored because the configuration register is set to 0x41.

 

Step 5

You need to go to enable mode –

asa> enable

 

Step 6

You then load the startup configuration into the ASA –

asa# copy startup run

 

Step 7

You can now go into configure mode –

asa# conf t

 

Step 8

You can now change any of the passwords on the ASA, e.g. to change the enable password –

asa(config)# enable password <password>

 

Step 9

Once you have reset the password you then need to write your changes to memory –

asa# copy run start

 

Step 10

Finally you need to change your configuration register setting back to 0x1 –

asa(config)# config-register 0x1

and then reload the ASA.