Mad Router

Password Recovery for the ASA 5500 Series Adaptive Security Appliance

by Florent on May.19, 2008, under Cisco

How to get your configuration back when you have forgotten your enable password?

I assume that you are already connected to the ASA through the console port.

Restart the ASA (you can power-cycle it manually with the ON/OFF switch).

Then, when prompted, press ESCAPE to enter ROMMON mode.


We want to bypass the startup-config on the next restart of the ASA, so we will change the value of the configuration register.

We need to use the confreg command. This command starts a wizard that asks us a series of questions.



We answer yes to the first question, because we want to change the value. (At this point you should note down the current configuration register value.)

We will use the default values for all settings, except for “disable system configuration?”, which is the option that lets us bypass the startup-config. So we answer y.

rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x40) in NVRAM...

rommon #1> boot

We can now reload the ASA with the boot command.

Once the ASA has been reloaded, we can enter privileged mode without any password (the startup-config has been bypassed).

ciscoasa> en
Password: [enter]
ciscoasa#

Now we load the startup-config into the running-config.

ciscoasa# copy startup-config running-config

Destination filename [running-config]?

Cryptochecksum (unchanged): ab580f48 aeed7459 2da4751b b0061ac3

1726 bytes copied in 0.50 secs
MadRouterASA#

We enter global configuration mode and change the password.

MadRouterASA# conf t
MadRouterASA(config)# enable password Cisco

We change back the configuration register value.

MadRouterASA(config)# config-register 0x00000001

Now you can save your running-config.

MadRouterASA# copy running-config startup-config

That’s it!
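A check for the end of the procedure, as an added example that is not part of the original post: it reads a saved console transcript and reports whether the last configuration register value still has the 0x40 "ignore system configuration" bit set, which would make the ASA skip its startup-config (and the enable password in it) on the next boot. The function names and both sample transcripts are constructed for illustration; the line formats and register values are the ones shown in the session above.

```python
import re

# Bit shown in the confreg output above as "ignore system configuration".
IGNORE_CONFIG_BIT = 0x40

# Matches ROMMON's "Current Configuration Register: 0x..." report and the
# "config-register 0x..." command typed in global configuration mode.
_REGISTER = re.compile(
    r"(?:Current Configuration Register:|config-register)\s+(0x[0-9a-fA-F]+)"
)

def final_register(transcript):
    """Return the last register value seen in the transcript, or None."""
    values = [int(m.group(1), 16) for m in _REGISTER.finditer(transcript)]
    return values[-1] if values else None

def audit(transcript):
    """Report whether the recovery session left the bypass bit set."""
    value = final_register(transcript)
    if value is None:
        return "UNKNOWN: no configuration register value in transcript"
    if value & IGNORE_CONFIG_BIT:
        return f"FAIL: register {value:#010x} still ignores startup-config"
    return f"OK: register {value:#010x} loads startup-config"

# Constructed sample: the operator stopped after changing the password.
INCOMPLETE = """\
Current Configuration Register: 0x00000001
disable system configuration? y/n [n]: y
Current Configuration Register: 0x00000040
Update Config Register (0x40) in NVRAM...
MadRouterASA(config)# enable password <new-password>
"""

# Constructed sample: the same session with the register restored and saved.
COMPLETE = INCOMPLETE + """\
MadRouterASA(config)# config-register 0x00000001
MadRouterASA# copy running-config startup-config
"""

if __name__ == "__main__":
    print(audit(INCOMPLETE))
    print(audit(COMPLETE))
```

The check only confirms that the restoring command appears in the transcript; it does not prove the change was saved on the device.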

1 comment for this entry:
  1. pello

    Very handy, especially since the reset button on the 5505 is not enabled :)
