Cisco ASA 5505: resetting to factory defaults

asullivan
I'm having problems getting this ASA 5505 device to actually reset to factory defaults. I did the:

devicename>en
devicename#conf t
devicename(config)#config factory-default

Once I do this, it goes through the entire process, and most of it looks like it's been reset to default... except that I still have a password configured?!?! I try to do a:

devicename(config)#no enable password

But it's requesting a specific level and will not allow a delete of level 15 password. Anyone have any thoughts? I'm trying to figure this thing out, am running out of time for playing/learning and need to reset it to start from scratch once more.

Any thoughts/assistance are sincerely appreciated!!!
  • +
    0 Votes
    siliconsen

    I had a similar issue. You need to do a password reset. I pulled the info from here: http://www.submityourarticle.com/articles/Don%20R.-Crawley-2264/cisco-pix-firewall-17868.php
    Here's the document.
    Password Recovery on the Cisco ASA Security Appliance

    Copyright © 2007 Don R. Crawley

    In this article, I'll explain how to perform a password "reset" on your Cisco ASA security appliance. The more commonly used term for this procedure is "password recovery" which is left over from the days when you could actually view passwords in configuration files in plain text. Today, such passwords are encrypted and not actually recoverable. Instead, you will gain access to the appliance via the console port and reset the password(s) to known values.

    This procedure requires physical access to the device. You will power-cycle your appliance by unplugging it at the power strip and plugging it back in. You will then interrupt the boot process and change the configuration register value to prevent the appliance from reading its stored configuration at boot. Since the device ignores its saved configuration on boot, you are able to access its configuration modes without passwords. Once you're in configuration mode, you will load the saved configuration from flash memory, change the passwords to a known value, change the configuration register value to tell the device to load its saved configuration on boot, and reload the device.

    Caution: As with all configuration procedures, these procedures should be tested in a laboratory environment prior to usage in a production environment to ensure suitability for your situation.

    The following steps were designed using a Cisco ASA 5505 Security Appliance. They are not appropriate for a Cisco PIX Firewall appliance.

    1. Power-cycle your security appliance by removing and re-inserting the power plug at the power strip.

    2. When prompted, press Esc to interrupt the boot process and enter ROM Monitor mode. You should immediately see a rommon prompt (rommon #0>).

    3. At the rommon prompt, enter the confreg command to view the current configuration register setting: rommon #0>confreg

    4. The current configuration register should be the default of 0x01 (it will actually display as 0x00000001). The security appliance will ask if you want to make changes to the configuration register. Answer no when prompted.

    5. You must change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration upon boot: rommon #1>confreg 0x41

    6. Reset the appliance with the boot command: rommon #2>boot

    7. Notice that the security appliance ignores its startup configuration during the boot process. When it finishes booting, you should see a generic User Mode prompt: ciscoasa>

    8. Enter the enable command to enter Privileged Mode. When the appliance prompts you for a password, simply press Enter (at this point, the password is blank):

       ciscoasa>enable
       Password:
       ciscoasa#

    9. Copy the startup configuration file into the running configuration with the following command:

       ciscoasa#copy startup-config running-config
       Destination filename [running-config]?

    10. The previously saved configuration is now the active configuration, but since the security appliance is already in Privileged Mode, privileged access is not disabled. Next, in configuration mode, enter the following command to change the Privileged Mode password to a known value (in this case, we'll use the password system):

        asa#conf t
        asa(config)#enable password system

    11. While still in Configuration Mode, reset the configuration register to the default of 0x01 to force the security appliance to read its startup configuration on boot: asa(config)#config-register 0x01

    12. Use the following commands to view the configuration register setting:

        asa(config)#exit
        asa#show version

    13. At the bottom of the output of the show version command, you should see the following statement: Configuration register is 0x41 (will be 0x1 at next reload)

    14. Save the current configuration with the copy run start command to make the above changes persistent:

        asa#copy run start
        Source filename [running-config]

    15. Reload the security appliance:

        asa# reload
        System config has been modified. Save? [Y]es/[N]o:yes
        Cryptochecksum: e87f1433 54896e6b 4e21d072 d71a9cbf

        2149 bytes copied in 1.480 secs (2149 bytes/sec)
        Proceed with reload? [confirm]

    When your security appliance reloads, you should be able to use your newly reset password to enter privileged mode.
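
A check for the state this procedure creates, run over collected `show version` output (added example, not part of the original post or the quoted article). The function names, status labels and device names are constructed here; only the step 13 line and the 0x41/0x01 values come from the thread.

```python
import re

# 0x40 is the bit that separates the post's 0x41 (ignore startup config)
# from the default 0x01.
IGNORE_STARTUP_CONFIG = 0x40
DEFAULT_CONFREG = 0x01

_LINE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

def audit_confreg(show_version):
    """Classify the configuration-register line of 'show version' output."""
    m = _LINE.search(show_version)
    if m is None:
        return {"status": "unknown"}
    current = int(m.group(1), 16)
    # No "(will be ...)" clause means the value is unchanged at next reload.
    pending = int(m.group(2), 16) if m.group(2) else current
    if pending & IGNORE_STARTUP_CONFIG:
        # Next boot also skips the saved config: blank enable password on console.
        status = "bypass-persistent"
    elif current & IGNORE_STARTUP_CONFIG:
        # Booted without the saved config; normal again after reload (step 13).
        status = "bypass-active"
    elif pending != DEFAULT_CONFREG:
        status = "non-default"
    else:
        status = "ok"
    return {"status": status, "current": current, "pending": pending}

def audit_fleet(outputs):
    """Return sorted (device, status) pairs for every device that is not 'ok'."""
    findings = []
    for name, text in outputs.items():
        status = audit_confreg(text)["status"]
        if status != "ok":
            findings.append((name, status))
    return sorted(findings)

# Constructed sample data; hostnames are hypothetical.
SAMPLE = {
    "asa-lab-1": "Configuration register is 0x41 (will be 0x1 at next reload)\n",
    "asa-lab-2": "Hardware: ASA5505\nConfiguration register is 0x41\n",
    "asa-lab-3": "Configuration register is 0x1\n",
}

if __name__ == "__main__":
    for device, status in audit_fleet(SAMPLE):
        print(device, status)
```

A device reporting `bypass-persistent` was left at step 5 without step 11 being applied, so it will keep booting without its saved configuration until the register is set back.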

    +
    0 Votes
    jeff

    Neither this article, nor the referenced one, explains the hardware configuration for communicating with the Cisco ASA Security Appliance in "CLI mode". I'm not a newbie to computer communications, but I am to Cisco, so I needed to know the details. I take it from googling (link below) that one needs a "console cable" (a Cisco-specific serial-to-RJ45 cable) to connect the Cisco console port to a computer's serial port running at 9600,8,1,none. One then needs to run a terminal emulator on the computer and start at step 1 above.

    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/install.html

    +
    0 Votes
    anm607

    Yes, this is the setup that you would need, but if you don't have a supplied Cisco console cable, don't worry. All you really need is a CAT-5 cable that's wired as a roll-over, as seen here:
    https://secure.cecn.mtu.edu/cecndocs/index.php/Serial_Console_Wiring

    Just plug that into any standard RJ-45 to Serial adapter and you're ready to go with the previously mentioned terminal settings.
