Password Recovery Procedure for the ASA Security Appliance

Unlike the PIX devices, the ASA Security Appliances use a method of changing the
configuration register numbers to recover a lost password. This is similar to how you would
recover a password on a Cisco router:
Step 1 Start the terminal-emulation software, and connect your portable or
desktop computer to the console port of the PIX Firewall.
Step 2 After you power on the Cisco ASA Security Appliance and the start-up
messages appear, press the Esc key. The rommon #0> prompt is
displayed.
Step 3 Use the confreg command to view the current state of the configuration
register. Enter no when you are prompted to make changes to the
register.
Step 4 Use the confreg 0x41 command if the configuration register has not
already been set to 0x41. This will tell the ASA Security Appliance to
ignore the start-up configuration on its next reboot.
Step 5 Use the boot command to reset the ASA Security Appliance. If all the
commands have been successfully applied, the following should be
displayed:
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/PIX-7.0.bin... Booting...
###################
...
Ignoring startup configuration as instructed by configuration
register.
Type help or '?' for a list of available commands.
hostname>
Step 6 Use the enable command to gain privileged command access to the ASA
Security Appliance. When prompted for a password, press Enter. The
password at this point is blank.
Step 7 Use the copy startup-config running-config command to reinstate the
current configuration used before the password recovery process
started. When you receive the following message, press Enter to accept:
Destination filename [running-config]?
Loading the startup configuration this way does not disable your
privileged access; it remains until you exit or reboot the ASA Security
Appliance.
Step 8 Use the enable password NEWPASSWORD command to set a new
enable password for the ASA Security Appliance. The ASA should now
have a new enable password for all future access attempts.
Step 9 Use the config-register 0x01 command to reset the configuration
register to normal boot mode. Once the ASA reboots, it will use the
current configuration with the new enable password.
Step 10 Use the copy run start command to save the current configuration. This
stores the new password in the startup-config file so that it persists if
the Security Appliance resets.
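
The check below is an added example, not part of the original text or any Cisco tooling: it reads the configuration register line from saved show version output and flags an appliance that would still ignore its startup configuration (and so boot with a blank enable password) on the next reload. The register line format, the sample text, and the use of bit 0x40 as the ignore flag (inferred from 0x41 versus 0x01 in the steps above) are assumptions.

```python
import re

# Assumed format of the register line in `show version` output. The sample
# text further down is constructed for this example, not captured from a device.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

# Assumption: the bit that separates 0x41 (ignore startup-config) from 0x01.
IGNORE_STARTUP = 0x40


def confreg_state(show_version_text):
    """Return (current, next_boot, finding) for one device's saved output."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        return None, None, "no configuration register line found"
    current = int(m.group(1), 16)
    # Without a pending value, the next boot uses the current register.
    next_boot = int(m.group(2), 16) if m.group(2) else current
    if next_boot & IGNORE_STARTUP:
        finding = "next boot ignores startup-config (blank enable password)"
    elif current & IGNORE_STARTUP:
        finding = "recovery mode now; normal boot restored at next reload"
    else:
        finding = "normal boot"
    return current, next_boot, finding


# Constructed samples for three points in the procedure.
SAMPLES = {
    "after step 5": "Serial Number: PLACEHOLDER\nConfiguration register is 0x41\n",
    "after step 9": "Configuration register is 0x41 (will be 0x1 at next reload)\n",
    "after reload": "Configuration register is 0x1\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        cur, nxt, finding = confreg_state(text)
        print(f"{label}: current={cur:#x} next={nxt:#x} -> {finding}")
```

Running the same check across saved output from every appliance after maintenance catches a device where Step 9 was skipped.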