ASA 5500X Password Recovery

One day I want to reimage our ASA 5516X box in our office labs from ASA software to FTD software. Unfortunately, due to pandemics, it’s been a quite long time since we use this box, so no one remembers the password, and password recovery must be done before we can continue to reimage.

Perform the following steps:

1. Connect to the ASA via console port.
   You can use putty or any tools you want, I’m using SecureCRT here.
2. Reboot the ASA, press ESC when you’re prompted to enter the ROMMON mode.
3. Update the configuration register value
   
   1 2 3 4 5 6 7 8 9

   rommon 1 > confreg   Configuration Register: 0x00000001 Configuration Summary [ 0 ] password recovery [ 1 ] display break prompt [ 2 ] auto-boot image in disks [ 3 ] console baud: 9600 boot: ...... auto-boot index 1 image in disks

4. Record the current configuration register value, so you can restore it later.
5. Answer the questions as follows
   
   1 2 3 4 5 6 7

   do you wish to change the configuration? y/n [n]: y >> this one disable "password recovery"? y/n [n]: n disable "display break prompt"? y/n [n]: n enable "ignore system configuration"? y/n [n]: y >> and this one also disable "auto-boot image in disks"? y/n [n]: n change console baud rate? y/n [n]: n select specific image in disks to boot? y/n [n]:

6. Then, the confreg value will change to 0x00000041
   
   1 2 3 4 5 6 7

   Configuration Register: 0x00000041 Configuration Summary [ 0 ] password recovery [ 1 ] display break prompt [ 2 ] ignore system configuration [ 3 ] auto-boot image in disks [ 4 ] console baud: 9600

7. Boot the firewall with the “boot” command
   
   1 2 3

   You must reset or power cycle for new config to take effect rommon 2 > boot Located '.boot_string' @ cluster 59867.

8. ASA will boot with blank password and default hostname (ciscoasa)
9. Copy start-up config to running-config with command.
   
   1	copy startup-config running-config

10. After we restore the config, we can change the password and don’t forget to change back the config register value to the value we record earlier or simply type the “no config-register” command.

Disabling Password Recovery

If you want to disable the password recovery feature, use the “no service password-recovery” command to prevent any user from entering ROMMON mode with the configuration intact.

This command will ask the user to erase all flash file systems when the user attempts to enter ROMMON. The ASA will reload if the user opted to cancel the process.