ASA 5500X Password Recovery
One day I wanted to reimage our ASA 5516X box in our office lab from ASA software to FTD software. Unfortunately, because of the pandemic it had been quite a long time since we last used this box, so no one remembered the password, and password recovery had to be done before we could continue with the reimage.
Perform the following steps:
- Connect to the ASA via console port.
You can use PuTTY or any tool you want; I'm using SecureCRT here.
- Reboot the ASA and press ESC when you're prompted, to enter ROMMON mode.
- Update the configuration register value:

```
rommon 1 > confreg

Configuration Register: 0x00000001

Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] auto-boot image in disks
[ 3 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks
```

- Record the current configuration register value so you can restore it later.
- Answer the questions as follows:

```
do you wish to change the configuration? y/n [n]: y          >> this one
disable "password recovery"? y/n [n]: n
disable "display break prompt"? y/n [n]: n
enable "ignore system configuration"? y/n [n]: y             >> and this one also
disable "auto-boot image in disks"? y/n [n]: n
change console baud rate? y/n [n]: n
select specific image in disks to boot? y/n [n]:
```

- The confreg value then changes to 0x00000041:

```
Configuration Register: 0x00000041

Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] ignore system configuration
[ 3 ] auto-boot image in disks
[ 4 ] console baud: 9600
```

- Boot the firewall with the "boot" command:

```
You must reset or power cycle for new config to take effect
rommon 2 > boot
Located '.boot_string' @ cluster 59867.
```

- The ASA will boot with a blank password and the default hostname (ciscoasa).
- Copy the startup-config to the running-config with this command:

```
copy startup-config running-config
```

- After the config is restored, we can change the password. Don't forget to change the config register back to the value recorded earlier, or simply type the "no config-register" command.
Disabling Password Recovery
If you want to disable the password recovery feature, use the "no service password-recovery" command to prevent any user from entering ROMMON mode with the configuration intact.
With this command in place, a user who attempts to enter ROMMON is asked to erase all flash file systems first. If the user cancels instead, the ASA reloads.
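Two things this page warns about are easy to forget after a recovery: a config register still carrying the "ignore system configuration" bit (the before/after values above, 0x1 to 0x41, show that bit is 0x40), and password recovery left enabled. The following added Python script (not part of the original post) audits a saved `show running-config` dump for both; the configuration text it parses is constructed for the example.

```python
"""Audit a saved ASA running-config for the two settings discussed above:
the config-register 'ignore system configuration' bit and
'no service password-recovery'."""
import re

# Bit toggled by "enable ignore system configuration" (0x1 became 0x41 above)
IGNORE_SYSTEM_CONFIG = 0x40

# Constructed sample of 'show running-config' output, not captured from a device
SAMPLE_CONFIG = """\
: Saved
:
hostname ciscoasa
enable password <redacted>
config-register 0x41
!
service password-recovery
"""


def parse_config_register(config_text):
    """Return the config-register value, or None if the line is absent
    (the ASA then uses its default, shown as 0x1 in the ROMMON output above)."""
    m = re.search(r'^config-register\s+0x([0-9a-fA-F]+)\s*$', config_text, re.M)
    return int(m.group(1), 16) if m else None


def ignores_startup_config(config_text):
    """True if the register still tells the ASA to skip the startup config."""
    value = parse_config_register(config_text)
    return value is not None and bool(value & IGNORE_SYSTEM_CONFIG)


def password_recovery_disabled(config_text):
    """True when 'no service password-recovery' is present."""
    return re.search(r'^no service password-recovery\s*$', config_text, re.M) is not None


def audit(config_text):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if ignores_startup_config(config_text):
        findings.append("config-register 0x%x still ignores the startup config; "
                        "restore the recorded value or use 'no config-register'"
                        % parse_config_register(config_text))
    if not password_recovery_disabled(config_text):
        findings.append("password recovery is enabled; console users can enter "
                        "ROMMON with the configuration intact")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```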