Recovering Passwords for the ASA
To recover passwords for the ASA, perform the following steps:
Step 1 Connect to the ASA console port according to the instructions in Accessing the ASA Services Module Console or the Accessing the Appliance Console.
Step 2 Power off the ASA, and then power it on.
Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.
Step 4 To update the configuration register value, enter the following command:
Update Config Register (0x41) in NVRAM...
Step 5 To set the ASA to ignore the startup configuration, enter the following command:
The ASA displays the current configuration register value, and asks whether you want to change it:
Current Configuration Register: 0x00000041
boot default image from Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y
Step 6 Record the current configuration register value, so you can restore it later.
Step 7 At the prompt, enter Y to change the value.
The ASA prompts you for new values.
Step 8 Accept the default values for all settings, except for the "disable system configuration?" value.
Step 9 At the prompt, enter Y.
Step 10 Reload the ASA by entering the following command:
Boot configuration file contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...
The ASA loads the default configuration instead of the startup configuration.
Step 11 Access the privileged EXEC mode by entering the following command:
Step 12 When prompted for the password, press Enter.
The password is blank.
Step 13 Load the startup configuration by entering the following command:
ciscoasa# copy startup-config running-config
Step 14 Access the global configuration mode by entering the following command:
ciscoasa# configure terminal
Step 15 Change the passwords, as required, in the default configuration by entering the following commands:
ciscoasa(config)# password password
ciscoasa(config)# enable password password
ciscoasa(config)# username name password password
Step 16 Load the default configuration by entering the following command:
ciscoasa(config)# no config-register
The default configuration register value is 0x1. For more information about the configuration register, see the command reference.
Step 17 Save the new passwords to the startup configuration by entering the following command:
ciscoasa(config)# copy running-config startup-config
Disabling Password Recovery
To disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA, enter the following command:
no service password-recovery
ciscoasa (config)# no service password-recovery
Disables password recovery.
On the ASA, the no service password-recovery command prevents you from entering ROMMON mode with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash file systems.Yyou cannot enter ROMMON mode without first performing this erasure. If you choose not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.
The service password-recovery command appears in the configuration file for information only. When you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the ASA is configured to ignore the startup configuration at startup (in preparation for password recovery), then the ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password recovery command replicates to the standby unit.