Recover Enable and Telnet Passwords
If you forget the enable or Telnet passwords, you can recover them for ASA virtual and ISA 3000 models. You must perform the task using the CLI.
Note: For other platforms, you cannot recover lost passwords. You can only restore the factory default configuration, and reset the passwords to the default. For Firepower 4100/9300, see the FXOS configuration guide. For other models, see the FXOS troubleshooting guide.
Recover Passwords on the ISA 3000
To recover passwords for the ISA 3000, perform the following steps:
Procedure
Step 1: Connect to the ASA console port.
Step 2: Power off the ASA, then power it on.
Step 3: After startup, press the Escape key when you are prompted to enter ROMMON mode.
Step 4: To update the configuration register value, enter the following command:
The ASA displays the current configuration register value and a list of configuration options. Record the current configuration register value, so you can restore it later.
Step 5: Reload the ASA by entering the following command:
The ASA loads the default configuration instead of the startup configuration.
Step 6: Access the privileged EXEC mode by entering the following command:
Step 7: When prompted for the password, press Enter. The password is blank.
Step 8: Load the startup configuration by entering the following command:
Step 9: Access the global configuration mode by entering the following command:
Step 10: Change the passwords, as required, in the default configuration by entering the following commands:
Step 11: Load the default configuration by entering the following command:
The default configuration register value is 0x1. See the command reference for more information about the configuration register.
Step 12: Save the new passwords to the startup configuration by entering the following command:
Recover Passwords or Images on the ASA Virtual
To recover passwords or images on the ASA virtual, perform the following steps:
Procedure
Step 1: Copy the running configuration to a backup file on the ASA virtual: copy running-config filename
Example:
Step 2: Restart the ASA virtual: reload
Step 3: From the GNU GRUB menu, press the down arrow, choose the <filename> with no configuration load option, then press Enter. The filename is the default boot image filename on the ASA virtual. The default boot image is never automatically booted through the fallback command. Then load the selected boot image.
Example:
Step 4: Copy the backup configuration file to the running configuration: copy filename running-config
Example:
Step 5: Reset the password: enable password password
Example:
Step 6: Save the new configuration: write memory
Example:
Disable Password Recovery for ISA 3000 Hardware
Note: You cannot disable password recovery on the ASA virtual or Secure Firewall models.
To disable password recovery so that unauthorized users cannot use the password recovery mechanism to compromise the ASA, perform the following steps.
Before you begin
On the ASA, the no service password-recovery command prevents you from entering ROMMON mode with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash file systems. You cannot enter ROMMON mode without first performing this erasure. If you choose not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.
The service password-recovery command appears in the configuration file for information only. When you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the ASA is configured to ignore the startup configuration at startup (in preparation for password recovery), then the ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.
Procedure
Disable password recovery: no service password-recovery
Example:
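The following audit sketch is an added example, not Cisco code. It checks saved device output for two conditions this page describes: a configuration register left away from the default 0x1 after a recovery, and an ISA 3000 whose saved configuration does not show no service password-recovery. The "Configuration register is ..." line format, the hostnames and the sample text are assumptions constructed for illustration.

```python
import re

DEFAULT_CONFREG = 0x1  # default configuration register value given on this page

# Assumed output formats, not taken from this page: the "Configuration register is ..."
# line of saved `show version` output and the command line in a saved configuration.
CONFREG_RE = re.compile(
    r"^Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?", re.M)
NO_RECOVERY_RE = re.compile(r"^no service password-recovery\s*$", re.M)


def audit(show_version, saved_config, is_isa3000=True):
    """Return a list of findings for one device (empty list means nothing to report)."""
    findings = []
    m = CONFREG_RE.search(show_version)
    if m is None:
        findings.append("confreg: value not found in show version output")
    else:
        current = int(m.group(1), 16)
        pending = int(m.group(2), 16) if m.group(2) else current
        if pending != DEFAULT_CONFREG:
            findings.append(f"confreg: {pending:#x} after next reload, expected "
                            f"{DEFAULT_CONFREG:#x}; startup configuration may be ignored")
        elif current != DEFAULT_CONFREG:
            findings.append(f"confreg: still {current:#x} until the next reload")
    # The page states password recovery can only be disabled on ISA 3000 hardware, and
    # that the config line is informational (the real setting is held in NVRAM).
    if is_isa3000 and not NO_RECOVERY_RE.search(saved_config):
        findings.append("recovery: 'no service password-recovery' absent from saved "
                        "configuration; confirm the setting at the device CLI")
    return findings


# Constructed sample input (0x41 is an arbitrary non-default value for illustration).
SAMPLES = {
    "isa-hardened": ("Configuration register is 0x1\n",
                     "hostname isa-hardened\nno service password-recovery\n"),
    "isa-left-in-recovery": ("Configuration register is 0x41\n",
                             "hostname isa-left-in-recovery\n"),
    "isa-reload-pending": ("Configuration register is 0x41 (will be 0x1 at next reload)\n",
                           "hostname isa-reload-pending\nno service password-recovery\n"),
}

if __name__ == "__main__":
    for name, (version_text, config_text) in SAMPLES.items():
        for finding in audit(version_text, config_text) or ["ok"]:
            print(f"{name}: {finding}")
```

Because the configuration line is informational only, a finding from the second check is a prompt to verify the setting on the device, not proof that recovery is enabled.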