Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

ASA password recovery

Labels:
351108
Views
40
Helpful
10
Comments
Parminder Sian
Parminder Sian Beginner
‎11-13-2011 09:33 PM
edited on: ‎03-08-2019 ‎06:43 PM

 

 

Password Recovery Procedure

 

To recover passwords for the ASA, perform the following steps:

 

Step 1 Connect to the ASA console port according to the instructions in "Accessing the Command-Line Interface" section.

 

Step 2 Power off the ASA, and then power it on.

 

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

 

Step 4 To update the configuration register value, enter the following command:

 

rommon #1> confreg 0x41

 

Update Config Register (0x41) in NVRAM...
 

 

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

 

rommon #1> confreg
 

 

The ASA displays the current configuration register value, and asks whether you want to change it:

 

Current Configuration Register: 0x00000041
Configuration Summary: 
  boot default image from Flash
  ignore system configuration
 
Do you wish to change this configuration? y/n [n]: y
 

 

Step 6 Record the current configuration register value, so you can restore it later.

 

Step 7 At the prompt, enter Y to change the value.

 

The ASA prompts you for new values.

 

Step 8 Accept the default values for all settings. At the prompt, enter Y.

 

Step 9 Reload the ASA by entering the following command:

 

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...

 

 

 

The ASA loads the default configuration instead of the startup configuration.

 

Step 10 Access the privileged EXEC mode by entering the following command:

 

hostname> enable
 

 

Step 11 When prompted for the password, press Enter.

 

The password is blank.

 

Step 12 Load the startup configuration by entering the following command:

 

hostname# copy startup-config running-config
 

 

Step 13 Access the global configuration mode by entering the following command:

 

hostname# configure terminal
 

 

Step 14 Change the passwords, as required, in the default configuration by entering the following commands:

 

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
 

 

Step 15 Load the default configuration by entering the following command:

 

hostname(config)# no config-register
 

 

The default configuration register value is 0x1.

 

Step 16 Save the new passwords to the startup configuration by entering the following command:

 

hostname(config)# copy running-config startup-config

 

 

Disabling Password Recovery

 

You might want to disable password recovery to  ensure that unauthorized users cannot use the password recovery  mechanism to compromise the ASA.

 

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA  prompts the user to erase all Flash file systems. The user cannot enter  ROMMON mode without first performing this erasure. If a user chooses  not to erase the Flash file system, the ASA  reloads. Because password recovery depends on using ROMMON mode and  maintaining the existing configuration, this erasure prevents you from  recovering a password. However, disabling password recovery prevents  unauthorized users from viewing the configuration or inserting different  passwords. In this case, to restore the system to an operating state,  load a new image and a backup configuration file, if available.

Comments
walter baziuk
walter baziuk Contributor
Contributor
‎03-17-2014 08:14 PM
‎03-17-2014 08:14 PM

excellent, well written  and simple solution

just what i was looking for!

Steve Berglund
Steve Berglund Beginner
Beginner
‎03-26-2014 06:37 PM
‎03-26-2014 06:37 PM

Small differences, but also successful:

 

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover passwords, perform the following steps:

 

Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-4.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

 

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

  boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

 

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

 

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

 

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

 

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

 

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

 

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

 

Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

 

rhutchings1
rhutchings1
Community Member
‎08-28-2015 05:41 PM
‎08-28-2015 05:41 PM

Further modified instructions for the vulcan minded:

 

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover passwords, perform the following steps:

 

Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-4.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

 

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

  boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

 

Step 5 Record your current configuration register value (the number that is similar to 0x00000011 in the example above,) so you can restore it later.

Step 6 Enter Y to change the configuration and press Y.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings (which is N for all settings by the way,) except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

 

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

 

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

 

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

 

Step 13 Change the passwords in the configuration by entering the following commands, as necessary.  Note:  the second word "password" below is where you enter your actual password since the password "password" is not a password at all.

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

 

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

 

Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Step 16 You will need to repeat steps 4 through 8, except this time at step seven press N for the "disable system configuration?" 

ksiahatgar
ksiahatgar
Community Member
‎06-10-2016 06:51 AM
‎06-10-2016 06:51 AM

What about ASA 5525-x because it does not accept password password command, is the password recovery like ASA 5520 ? or which steps are necessary for ASA 5525-x password recovery ? 

rwosburn
rwosburn
Community Member
‎08-04-2016 05:54 AM
‎08-04-2016 05:54 AM

Can this be done in an Active/Standby configuration without an outage?  I was thinking that I could reset the password on the standby ASA and when it returned to service, its configuration would be newer so it would push the new passwords over to the active ASA.  Is this correct?

theodoxa1
theodoxa1 Beginner
Beginner
‎08-09-2017 10:55 AM
‎08-09-2017 10:55 AM

That appears to have worked, except I received a message when I copied the startup-config to the running-config saying "Enter the certificate in hexadecimal representation". I assume I lost all my ASA Issued client certificates? Not a big deal as this ASA hasn't been used in months.

WasifKhan@idesigndata.com
WasifKhan@idesigndata.com Beginner
Beginner
‎12-27-2017 01:20 AM
‎12-27-2017 01:20 AM

@Parminder Sian Thanks Bro , Its Helps me a lot . Really very appreciating work by you. :) 

@Parminder Sian wrote:

 

 

Password Recovery Procedure

 

To recover passwords for the ASA, perform the following steps:

 

Step 1 Connect to the ASA console port according to the instructions in "Accessing the Command-Line Interface" section.

 

Step 2 Power off the ASA, and then power it on.

 

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

 

Step 4 To update the configuration register value, enter the following command:

 

rommon #1> confreg 0x41

 

Update Config Register (0x41) in NVRAM...
 

 

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

 

rommon #1> confreg
 

 

The ASA displays the current configuration register value, and asks whether you want to change it:

 

Current Configuration Register: 0x00000041
Configuration Summary: 
  boot default image from Flash
  ignore system configuration
 
Do you wish to change this configuration? y/n [n]: y
 

 

Step 6 Record the current configuration register value, so you can restore it later.

 

Step 7 At the prompt, enter Y to change the value.

 

The ASA prompts you for new values.

 

Step 8 Accept the default values for all settings. At the prompt, enter Y.

 

Step 9 Reload the ASA by entering the following command:

 

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...

 

 

 

The ASA loads the default configuration instead of the startup configuration.

 

Step 10 Access the privileged EXEC mode by entering the following command:

 

hostname> enable
 

 

Step 11 When prompted for the password, press Enter.

 

The password is blank.

 

Step 12 Load the startup configuration by entering the following command:

 

hostname# copy startup-config running-config
 

 

Step 13 Access the global configuration mode by entering the following command:

 

hostname# configure terminal
 

 

Step 14 Change the passwords, as required, in the default configuration by entering the following commands:

 

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
 

 

Step 15 Load the default configuration by entering the following command:

 

hostname(config)# no config-register
 

 

The default configuration register value is 0x1.

 

Step 16 Save the new passwords to the startup configuration by entering the following command:

 

hostname(config)# copy running-config startup-config

 

 

Disabling Password Recovery

 

You might want to disable password recovery to  ensure that unauthorized users cannot use the password recovery  mechanism to compromise the ASA.

 

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA  prompts the user to erase all Flash file systems. The user cannot enter  ROMMON mode without first performing this erasure. If a user chooses  not to erase the Flash file system, the ASA  reloads. Because password recovery depends on using ROMMON mode and  maintaining the existing configuration, this erasure prevents you from  recovering a password. However, disabling password recovery prevents  unauthorized users from viewing the configuration or inserting different  passwords. In this case, to restore the system to an operating state,  load a new image and a backup configuration file, if available.

@Parminder Sian wrote:

 

 

Password Recovery Procedure

 

To recover passwords for the ASA, perform the following steps:

 

Step 1 Connect to the ASA console port according to the instructions in "Accessing the Command-Line Interface" section.

 

Step 2 Power off the ASA, and then power it on.

 

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

 

Step 4 To update the configuration register value, enter the following command:

 

rommon #1> confreg 0x41

 

Update Config Register (0x41) in NVRAM...
 

 

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

 

rommon #1> confreg
 

 

The ASA displays the current configuration register value, and asks whether you want to change it:

 

Current Configuration Register: 0x00000041
Configuration Summary: 
  boot default image from Flash
  ignore system configuration
 
Do you wish to change this configuration? y/n [n]: y
 

 

Step 6 Record the current configuration register value, so you can restore it later.

 

Step 7 At the prompt, enter Y to change the value.

 

The ASA prompts you for new values.

 

Step 8 Accept the default values for all settings. At the prompt, enter Y.

 

Step 9 Reload the ASA by entering the following command:

 

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...

 

 

 

The ASA loads the default configuration instead of the startup configuration.

 

Step 10 Access the privileged EXEC mode by entering the following command:

 

hostname> enable
 

 

Step 11 When prompted for the password, press Enter.

 

The password is blank.

 

Step 12 Load the startup configuration by entering the following command:

 

hostname# copy startup-config running-config
 

 

Step 13 Access the global configuration mode by entering the following command:

 

hostname# configure terminal
 

 

Step 14 Change the passwords, as required, in the default configuration by entering the following commands:

 

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
 

 

Step 15 Load the default configuration by entering the following command:

 

hostname(config)# no config-register
 

 

The default configuration register value is 0x1.

 

Step 16 Save the new passwords to the startup configuration by entering the following command:

 

hostname(config)# copy running-config startup-config

 

 

Disabling Password Recovery

 

You might want to disable password recovery to  ensure that unauthorized users cannot use the password recovery  mechanism to compromise the ASA.

 

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA  prompts the user to erase all Flash file systems. The user cannot enter  ROMMON mode without first performing this erasure. If a user chooses  not to erase the Flash file system, the ASA  reloads. Because password recovery depends on using ROMMON mode and  maintaining the existing configuration, this erasure prevents you from  recovering a password. However, disabling password recovery prevents  unauthorized users from viewing the configuration or inserting different  passwords. In this case, to restore the system to an operating state,  load a new image and a backup configuration file, if available.

@Parminder Sian wrote:

 

 

Password Recovery Procedure

 

To recover passwords for the ASA, perform the following steps:

 

Step 1 Connect to the ASA console port according to the instructions in "Accessing the Command-Line Interface" section.

 

Step 2 Power off the ASA, and then power it on.

 

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

 

Step 4 To update the configuration register value, enter the following command:

 

rommon #1> confreg 0x41

 

Update Config Register (0x41) in NVRAM...
 

 

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

 

rommon #1> confreg
 

 

The ASA displays the current configuration register value, and asks whether you want to change it:

 

Current Configuration Register: 0x00000041
Configuration Summary: 
  boot default image from Flash
  ignore system configuration
 
Do you wish to change this configuration? y/n [n]: y
 

 

Step 6 Record the current configuration register value, so you can restore it later.

 

Step 7 At the prompt, enter Y to change the value.

 

The ASA prompts you for new values.

 

Step 8 Accept the default values for all settings. At the prompt, enter Y.

 

Step 9 Reload the ASA by entering the following command:

 

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...

 

 

 

The ASA loads the default configuration instead of the startup configuration.

 

Step 10 Access the privileged EXEC mode by entering the following command:

 

hostname> enable
 

 

Step 11 When prompted for the password, press Enter.

 

The password is blank.

 

Step 12 Load the startup configuration by entering the following command:

 

hostname# copy startup-config running-config
 

 

Step 13 Access the global configuration mode by entering the following command:

 

hostname# configure terminal
 

 

Step 14 Change the passwords, as required, in the default configuration by entering the following commands:

 

hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
 

 

Step 15 Load the default configuration by entering the following command:

 

hostname(config)# no config-register
 

 

The default configuration register value is 0x1.

 

Step 16 Save the new passwords to the startup configuration by entering the following command:

 

hostname(config)# copy running-config startup-config

 

 

Disabling Password Recovery

 

You might want to disable password recovery to  ensure that unauthorized users cannot use the password recovery  mechanism to compromise the ASA.

 

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA  prompts the user to erase all Flash file systems. The user cannot enter  ROMMON mode without first performing this erasure. If a user chooses  not to erase the Flash file system, the ASA  reloads. Because password recovery depends on using ROMMON mode and  maintaining the existing configuration, this erasure prevents you from  recovering a password. However, disabling password recovery prevents  unauthorized users from viewing the configuration or inserting different  passwords. In this case, to restore the system to an operating state,  load a new image and a backup configuration file, if available.

 

slicerpro
slicerpro Beginner
Beginner
‎03-30-2018 09:26 AM
‎03-30-2018 09:26 AM

This guide is missing something around step 6 or 7 where when asked whether to "disable system configuration", you are supposed to answer yes. That is the only way to bypass the existing password and overwrite it with a new one.

Other than that, it is an excellent life saver.

pune.noc1
pune.noc1 Beginner
Beginner
‎04-05-2018 09:44 PM
‎04-05-2018 09:44 PM

I have firewall 5516, by mistake I have disable password recovery option also I have forgot username and password how to reset the firewall or how to load new ISO file.

 

Please help

mestasew1
mestasew1 Beginner
Beginner
‎08-29-2018 08:21 PM
‎08-29-2018 08:21 PM

Somehow it helped me to reset the password on 5506x. Will I be able to reset to factory default from privilege exec ?

Latest Contents
How many users/systems supported on ASA 5506-X with Firepowe...
Created by chintankothari101991 on 04-09-2020 11:56 PM
2
0
2
0
Can anyone tell me how many users/systems supported on ASA 5506-X with Firepower module?Also can tell anyone me on what basis how many users are supported on the particular firewall is determined?Please explain anyoneThanks in advance!
ASA S2S VPN Firewall Creation
Created by suchit.s@hcl.com on 04-09-2020 08:59 PM
0
0
0
0
Hi All, I was building VPN firewall using two Cisco ASA 5516 boxes. I want to use single ISP shared between both ASA. I've chosen two Public IPs and configured on ASA units. I've picked another IP for VPN Load-Balancing. Does this support for S2... view more
ASA 5516-X Firewall
Created by Senbonzakura on 04-09-2020 08:51 PM
3
0
3
0
Greetings, would anyone who has personal experience configuring a ASA 5516-X Firewall be able to give me their input? What features are turned on by default when it comes to security along with layer-6 security and what features are not on but you recomme... view more
DMVPN SSH access to spoke from hub LAN
Created by AFlack20 on 04-09-2020 07:56 PM
1
0
1
0
Hey all, I'm having a heck of a time trying to enable my spoke 5506 asa to allow remote management over a DMVPN tunnel from the hub side of the network. Finally got to a point where I can now ping the inside interface across the tunnel but when I try... view more
FTD LDAP Attribute Map
Created by mumbles202 on 04-09-2020 05:38 PM
2
0
2
0
Rolling out a 2110 on a FMC, both running 6.5 and followed this document: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html And while can assign the FlexConfig policy to the u... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Spotlight Awards- February 2020

Follow our Social Media Channels