Binary Royale is an IT consultancy company based in the East Midlands. We spend all of our time with clients, helping them to make good decisions about their IT. When we come across issues that would be useful to others we “try” to post the answers on our website – www.binaryroyale.com . We cover Derby and Derbyshire, Nottingham and Nottinghamshire mainly, but do also have clients further afield. Please browse our website to see what we offer – thanks, and enjoy the blog
This post is part of a series on configuring Cisco ASA 5510 firewalls
This process is very similar to that used to entirely reset the firewall, but it can be used in the case where login details have been lost, but the appliance configuration remains valid and useful.
The scenario: I am unable to log into a Cisco ASA 5510 that has been in place in an office for several years. The appliance was working just fine, but I needed to amend the configuration. The login details have been lost along the way. So I have a perfectly functional firewall, but no way to log into it. So, we need a way to get into the ASA, and reset the password.
In brief, this process involves booting the appliance, and then interrupting the boot process part way through. We then change the configuration register, to force the appliance to ignore it’s saved config. The appliance then boots with a minimal basic configuration, and crucially for our needs, bypasses the unknown passwords allowing us in to reconfigure it. Once in we can load saved config and reset the passwords. We then reset the configuration register to it’s original value, and reboot the appliance – simple!
- Connect your console cable and make sure you can see the command prompt for the ASA – even if you can’t log in. You will need to stop the boot process early on, so you don’t want to be messing about trying to get the console to work while it’s booting, or you’ll miss your prompt, and have to start again.
- Power cycle the appliance – flick the power switch on the front off and on again.
- Watch the boot progress, and when prompted, press Esc to interrupt the boot and enter ROM Monitor mode. you should now see the rommon prompt:
- Enter the confreg command to view the current Configuration Register setting:
rommon #0> confreg
- The appliance will most probably have the default Configuration Register setting of 0x01. Answer no when it asks you if you want to change the Configuration Register setting.
- Change the Configuration Register to 0x41, which causes the appliance to bypass its saved config at boot:
rommon #1> confreg 0x41
- Reboot the appliance with the boot command:
rommon #2> boot
- The appliance bypasses its startup configuration. When it finishes booting, you should see the default prompt:
- Enter the enable command to enter Privileged Mode. The default password is blank, so when the appliance prompts you for a password, simply press return:
- Copy the startup configuration file into the running configuration with the following command:
ciscoasa# copy startup-config running-config
- You now have the saved config running, but as you are already in Privilieged mode, you are not required to enter the unknown passwords, and you are free to reset user and enable passwords as necessary.
- Enter Configuration Mode to make changes to passwords:
ciscoasa# configure terminal
- To reset the enable password to hatstand enter the command: ciscoasa(config)#enable password hatstand
- Review the configuration, looking for users with unknown passwords, updating them as necessary: ciscoasa(config)#show running-config
- Once you’ve made all the necessary changes, reset the Configuration Register to the default of 0x01:
ciscoasa(config)# config-register 0x01
- Exit from Configuration mode:
- Verify the Configuration Register settings by issuing the Show Version command:
ciscoasa# show version
- At the bottom of the output, you should see the Configuration Register settings: Configuration register is 0x41 (will be 0x1 at next reload)
- Save the settings by issuing the write command:
- Reboot the appliance:
- When the appliance reboots, it will be running the original config, but with the new password that you set.
You can now log in to configure the firewall as necessary.