username and password

Posted on 2008-10-02
Last Modified: 2012-05-05
Hi Experts,

By default, cisco ASA 5505 has blank username and password when you connect to it either by console or through IE https.

Is a good idea to place a username and password in global mode level, enable level and in e0/0 (outside interface). What is the best practice to put the username and password and how you will go about put one in (eg CLI command).

Appreciate any help
Question by:mcse2007
  • 5
  • 3
LVL 24

Assisted Solution

DMTechGrooup earned 50 total points
ID: 22631119
enable password myEnableSecret encrypted

 Set the enable password (displays encrypted). Displays in encrypted form, with the word "encrypted" at the end. Note that when entering the command leave off  "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.  

passwd myLoginSecret encrypted

 Set the user mode password, the first password challenge when using Telnet.  Note that when executing the command leave off the "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.
LVL 12

Accepted Solution

Pugglewuggle earned 250 total points
ID: 22631340
Hi mcse2007 - good to see you again!
The standard for securing Cisco devices with username and password info is to use AAA - Authentication, Authorization, and Accounting.
While it is still advisable to leave the password and enable password commands in the config in case something comes up, the proper way to do it is to use AAA. Cisco will tell you the same thing.
Here are the commands you need to activate AAA as well as the password and enable password:
! This sets up AAA to use the local AAA database to authenticate all connection methods
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
! This sets up the non-AAA management passwords. You MUST remember the enable
! password to use the enable command with
enable password  <Your Enable Here>
passwd <Your Regular Password Here>
! This sets up a username to manage the device
username <Your Username Here> password <Your Password Here> privilege 15
! This sets up a username to connect via VPN or something else
username <Your Username Here> password <Your Password Here> privilege  0
Replace everything in brackets with your values.
Please note that you MUST remember the enable password to make changes to your device. If you already have one you don't need to run this command.
Also, you don't need to make the privilege 0 user - I was just using that as an example - however, you MUST have at least one privilege 15 user to manage the device.
From now on, when connecting to the console or command line, use the username and password combo to login and then use the enable password to enable.
When connecting via ASDM, just use the username/password combo.
Do note that you create VPN users with the database command as well - just with privilege 0.
Cheers! I hope that helps!
LVL 12

Expert Comment

ID: 22631347
Forgot to mention - one other feature is that in a big company that has centralized password management - AAA is used to connect to an AAA server - that way every device in the organization can be managed with a username and password that is only set once on the AAA server! Very cool.
AAA servers include RADIUS servers and TACACS+ servers. However, for a small setup, using one of these servers is uncessary and a pain to manage. It's best to use the LOCAL database as the commands I sent you do.
Cheers again!

Author Closing Comment

ID: 31502658
Again, appreciated your input. BTW, Pugglewuggle how many cisco asa do you manage @ work?
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

LVL 12

Expert Comment

ID: 22639930
Hi mcse2007 - actually manage 3 ASA 5505s, 1 ASA 5520 and 1 ASA 5510 at work. On the side I run my own networking design and consulting company. At client sites I've installed over 20 ASAs. Pretty shoddy I only make $10 an hour at my real job though... I guess it's because I'm only 20. It does seem like I can roll with the pros on here with no problem though... I just don't know how to get paid more! :-P

Author Comment

ID: 22642781
Good for you Pugglewuggle.

Here in Sydney, Australia, Cisco engineers are in hot demand perhaps you should consider moving  for better pay :-)

BTW, does Cisco offers certification in PIX firewall?
LVL 12

Expert Comment

ID: 22642923
Cisco does offer a professional level security cert called a CCSP and of course there's the Security CCIE.
I actually have always wanted to visit AU... what is the salary there? I'm in Texas in the United States and TX currently has the hottest economy in the country.
Just curious!

Author Comment

ID: 22643171
It varies depending particularly on the company (e.g private, publicly listed etc) but usually, the following are close indication of what the market offers in AUD currency.
CCNA =<65K
CCNP =>75K
CCIE =>110K
LVL 12

Expert Comment

ID: 22643218
That's about what they are here (except CCIE is more like $100,000+ USD). I just need to figure out how to get in on it.
Thanks and cheers!

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now