One day I wanted to reimage the ASA 5516-X box in our office lab from ASA software to FTD software. Unfortunately, due to the pandemic, it had been quite a long time since we had used this box, so no one remembered the password, and a password recovery had to be done before we could continue with the reimage.
Perform the following steps:
- Connect to the ASA via console port.
You can use PuTTY or any tool you want; I'm using SecureCRT here.
- Reboot the ASA and press ESC when prompted to enter ROMMON mode.
- Check the current configuration register value
rommon 1 > confreg
Configuration Register: 0x00000001

Configuration Summary
  [ 0 ] password recovery
  [ 1 ] display break prompt
  [ 2 ] auto-boot image in disks
  [ 3 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks
- Record the current configuration register value, so you can restore it later.
- Answer the questions as follows
do you wish to change the configuration? y/n [n]: y          >> this one
disable "password recovery"? y/n [n]: n
disable "display break prompt"? y/n [n]: n
enable "ignore system configuration"? y/n [n]: y              >> and this one also
disable "auto-boot image in disks"? y/n [n]: n
change console baud rate? y/n [n]: n
select specific image in disks to boot? y/n [n]:
- The confreg value then changes to 0x00000041
Configuration Register: 0x00000041

Configuration Summary
  [ 0 ] password recovery
  [ 1 ] display break prompt
  [ 2 ] ignore system configuration
  [ 3 ] auto-boot image in disks
  [ 4 ] console baud: 9600
- Boot the firewall with the "boot" command
You must reset or power cycle for new config to take effect
rommon 2 > boot
Located '.boot_string' @ cluster 59867.
- The ASA boots with a blank password and the default hostname (ciscoasa).
- Copy the startup config to the running config with the command:
copy startup-config running-config
- After the configuration is restored, we can change the password. Don't forget to set the configuration register back to the value recorded earlier, or simply enter the "no config-register" command; otherwise the ASA will ignore its startup configuration again on the next reload.
Disabling Password Recovery
If you want to disable the password recovery feature, use the "no service password-recovery" command. This prevents any user from entering ROMMON mode with the configuration intact.
With this command in place, the ASA asks the user to erase all flash file systems when they attempt to enter ROMMON. If the user cancels the process, the ASA reloads instead.
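Two things are worth checking after a recovery like the one above: that the configuration register was actually put back (the 0x00000001 to 0x00000041 change sets exactly one bit, 0x40, which the ROMMON summary labels "ignore system configuration"), and whether password recovery is still enabled on the box. The Python below is an added example, not code from the original post or from Cisco. The sample output is constructed; the "Configuration register is ..." line format from "show version" and the meaning of bit 0x40 are assumptions derived from the values shown above.

```python
import re
from typing import List, Optional

# Bit of the ASA configuration register that makes the box ignore its
# startup configuration on boot. Assumption derived from the post's own
# before/after values: 0x00000001 -> 0x00000041 differ by exactly 0x40.
IGNORE_STARTUP_CONFIG = 0x40

# Constructed sample: what an operator might paste from "show version" and
# "show running-config" of a box that was recovered but never cleaned up.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.x(x)
Configuration register is 0x41
"""

SAMPLE_RUNNING_CONFIG = """\
hostname ciscoasa
no service password-recovery
enable password ***** encrypted
"""


def parse_config_register(show_version: str) -> Optional[int]:
    """Extract the configuration register value from 'show version' text.

    Assumes the line reads 'Configuration register is 0x...'.
    """
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)", show_version)
    return int(m.group(1), 16) if m else None


def ignores_startup_config(confreg: int) -> bool:
    """True when the ignore-startup-config bit is set (the post's 0x41 case)."""
    return bool(confreg & IGNORE_STARTUP_CONFIG)


def password_recovery_enabled(running_config: str) -> bool:
    """The ASA only prints 'no service password-recovery' when the feature is off."""
    return not re.search(r"^\s*no service password-recovery\s*$",
                         running_config, re.M)


def audit(show_version: str, running_config: str) -> List[str]:
    """Return a list of findings for the two post-recovery checks."""
    findings = []
    confreg = parse_config_register(show_version)
    if confreg is None:
        findings.append("config-register: not found in show version output")
    elif ignores_startup_config(confreg):
        findings.append(
            f"config-register 0x{confreg:x}: ignore-startup-config bit set; "
            "the next reload boots with an empty config (run 'no config-register')"
        )
    if password_recovery_enabled(running_config):
        findings.append(
            "service password-recovery is enabled: the ROMMON procedure above "
            "works for anyone with console access to this box"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG):
        print(line)
```

On the constructed sample the audit reports only the stale 0x41 register, since the sample config already has password recovery disabled; on a box still at the default 0x1 with recovery enabled it reports the opposite finding.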