Showing results for 
Search instead for 
Did you mean: 

Cisco ASA 5505 problem resetting the enable password - how to bypass the security policy

Level 1
Level 1


I am trying to access & control a Cisco ASA 5505 firewall via console access. The problem is that I do not have a working enable password and I need to reset it. I've checked the Cisco manual and other various posts online and these are the instructions I was going to use:

1.      Power cycle ASA
2.      As it boots keep pressing ESC so that the ronmon> prompt shows up
3.      Type confreg
4.      Type n for each item except for: “disable system configuration” (push y)
5.      Type “boot” -> prompt will then become “ciscoasa>”
6.      Type “enable” and leave password blank, push enter, now it will change to ciscoasa#
7.      Type “copy start run”
8.      Now type “config t”
9.      Type “enable password cisco” (this sets pw to cisco)
10.      Type “config-register 0x10011”
11.      Type “exit”
12.      Type “copy run start”
13.      Type “reload” to reboot

The problem is that on Step #2 when I try to interrupt the boot up sequence, I get the following error:

WARNING:  Password recovery and ROMMON command line access has been
disabled by your security policy.  Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

It sounds like at this point the only way to get past this will be a factory reset. This is problematic since I want to retrieve the current running config. This is a live firewall being used daily by a small company.

Any ideas what I should take as the next step? Does anyone know if Cisco has a way to get past this if we purchase a service contract for this ASA to get the support?

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

If password recovery is disabled then you are locked out hard. You have to sacrifice the config to "re-admin" the appliance. Sorry for the bad news but that's the way it is by design. If there was a "back door" it would hardly be a security appliance would it?

Jimmy Dhillon
Level 1
Level 1

my problem is at enable step.

when pressed , it asks for a password. even though i am using the recovery mode, seems like that i need to know the enable password. Anyway this step can be bypassed ?

In step 4, in addition to "disable system configuration?", you should also type "y" on the first question which should say "do you wish to change the configuration?" or something similar.

Also, in step 10, I don't believe that register number is correct, but an easy way to revert the config register to its default value would be to issue the command "no config-register", and then you save and reload if you want to make sure all is gone successful.

thanks Aref. I realized, i got confused with register values and that messed up the whole setup.

Review Cisco Networking for a $25 gift card