Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance and the ASA Security Services Modules AIP-SSM and CSC-SSM

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 

To recover passwords, perform the following steps: 

Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Step 2  Press the Enter key to see the following prompt:

hostname> 

This prompt indicates that you are in user EXEC mode.

Step 3 To access privileged EXEC mode, enter the following command:

hostname> enable

The following prompt appears:

Password:

Step 4  Enter the enable password at the prompt.

By default, the password is blank, and you can press the Enter key to continue.

The prompt changes to:

hostname#

To exit privileged mode, enter the disable, exit, or quit command.

Step 5  To access global configuration mode, enter the following command:

hostname# configure terminal

The prompt changes to the following:

hostname(config)#

Step 6 Power off the security appliance, and then power it on.

Step 7 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 8  To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

  boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 9  Record your current configuration register value, so you can restore it later.

Step 10  At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 11  Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

Step 12  Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 13  Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 14 When prompted for the password, press Return.

The password is blank. 

Step 15  Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 16  Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 17  Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 18  Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 8 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 19  Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config
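A post-recovery check for Steps 18 and 19, as an added example that is not part of the original Cisco procedure: it reads saved show version output and reports whether the appliance will still ignore its startup configuration at the next reload. The "Configuration register is ..." line format, the meaning of bit 0x40 (the flag set by answering Y to "disable system configuration?"), and the function name check_confreg are assumptions; the sample lines are constructed.

```python
import re

# Assumption: bit 0x40 of the register is the "ignore startup configuration" flag.
IGNORE_STARTUP_CONFIG = 0x40

# Assumed format of the register line printed by `show version`.
_CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def check_confreg(show_version_text, recorded_value=0x1):
    """Return a list of findings; an empty list means the register is restored.

    recorded_value is the value written down in Step 9 (0x1 is the default).
    """
    match = _CONFREG_RE.search(show_version_text)
    if match is None:
        return ["configuration register line not found"]
    current = int(match.group(1), 16)
    # Without a pending change, the current value is also used at the next reload.
    next_reload = int(match.group(2), 16) if match.group(2) else current
    findings = []
    if next_reload & IGNORE_STARTUP_CONFIG:
        findings.append(
            f"next reload uses {next_reload:#x}: the startup configuration is "
            "ignored and the appliance boots with a blank enable password"
        )
    if next_reload != recorded_value:
        findings.append(
            f"next reload uses {next_reload:#x}, expected {recorded_value:#x}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real appliance.
    samples = [
        "Configuration register is 0x41 (will be 0x1 at next reload)",  # Step 18 done
        "Configuration register is 0x41",                               # Step 18 skipped
    ]
    for line in samples:
        print(line, "->", check_confreg(line) or "OK")
```
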

Password Recovery Procedure for the ASA Security Services Modules AIP-SSM and CSC-SSM

 Step-by-Step Procedure 

Issue the hw-module module <module_num> password-reset command from the Cisco ASA CLI. For the AIP module, this command sets the configuration register in ROMMON to cause a boot of the password reset image and then power cycles the module. For the CSC module, this command sends the session 1 do reset-password command to the module.

ciscoasa(config)#hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]

Sample Procedure 

This procedure shows how to recover the password with the Cisco Adaptive Security Device Manager (ASDM).

1. For the AIP-SSM, click Tools on the main menu, and select IPS Password Reset.

 

2. For the CSC-SSM, click Tools on the main menu, and select CSC Password Reset.

This step is necessary in order to complete the password recovery.