Solved

Cisco ASA5510 Enable password doesn't work

Posted on 2011-03-16
20
1,167 Views
Last Modified: 2012-08-13
Experts -

I did some changes on my ASA5510 (I barely remember them, please don't ask) and now my enable password doesn't work anymore. However I am still able to connect with my Radius account in read-only mode. Also everything like: Radius for the VPN users, firewall rules, etc. seems to work with no issues.

I created a backup of the running-config before I did the changes, but I assume I won't be able to reload the configuration without full access?

The changes I made, I believe, were that I removed the management interface settings (interface is not connected) and an object group service, which I believe shouldn't impact the enable password?

Another strange thing is I was able to connect to the ASA with only putting in the password; now it's asking me also for a username which I don't know.

I attached the running config from before I made the changes. If you could give me any pointer of what I might have deleted that is causing this problem I would be very thankful. I know for sure I didn't change the password.

Thank you


 EE-Runninig-Config.txt
0
Comment
Question by:Martin Gerlach
20 Comments
 
LVL 3

Accepted Solution

by:
pitchford earned 500 total points
ID: 35153401
Follow these instructions to recover the password. We won't ask. =)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/trouble.html#wp1058131
0
 

Author Comment

by:Martin Gerlach
ID: 35153417
I was actually trying to avoid that since I am not at that office for a while and need a solution that can be done remotely. That will be hard if the ASA is down. Any other suggestions?
0
 
LVL 3

Expert Comment

by:pitchford
ID: 35153429
Brute force attacks...

Wouldn't be a good security device if you could crack it now would it? I have nothing better to tell you. Maybe someone else can provide further input.
0
 

Author Comment

by:Martin Gerlach
ID: 35153439
Is there a default username for the ASA? When I connect over the serial port it won't let me leave it blank. Is there a key I can hit to leave the username blank?

0
 
LVL 3

Expert Comment

by:pitchford
ID: 35153449
I think the default is admin/cisco or cisco/cisco... But generally those are reset during normal setup procedures.
0
 

Author Comment

by:Martin Gerlach
ID: 35153461
I tried those already. What about using a blank username? How can I leave the username blank using a serial port connection? Does the running config show any local usernames for the device?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35154892
Did you try username: pix and password cisco ?
0
 

Author Comment

by:Martin Gerlach
ID: 35161636
If I use the password recovery option, will it keep my current configuration?
0
 
LVL 3

Expert Comment

by:pitchford
ID: 35161645
Yes. It will just erase your account username/passwords...

*BUT IF YOU CAN SHOW YOUR CONFIG, DO SAVE IT!!!! (just the disclaimer).

I've done this reset a time or two and it saves the config; which from a security standpoint I have an issue with.

I did it for a friend of mine and I was surprised that all I had to do was walk in (unannounced), plug in and reset. I could have taken over his network in a matter of seconds... =)
0
 

Author Comment

by:Martin Gerlach
ID: 35161668
I can't do a "show configuration" command, I get an authorization failed. Does the ASA work the same as the Cisco routers and switches: if you don't save the configuration after changing it and you power cycle the device, the configuration won't be saved?
0
 
LVL 3

Expert Comment

by:pitchford
ID: 35161696
You are correct; all configurations are entered into running config until you 'write mem' or 'copy run start'. Running config is in RAM. If you power off without writing then you'll lose everything and at boot you'll be running with whatever is in startup...
0
 

Author Comment

by:Martin Gerlach
ID: 35161711
Hmm.. Maybe I didn't save the mess I made; maybe if I power cycle the device I'll have my old configuration back. Or do I make it worse anyhow by rebooting it?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35161726
Unless I am really missing something the config you posted seems to use the LOCAL security database for authorization and not radius.

There are two local user-ids jmoore and mgar.

Are you one of these?  Do you know the password?
0
 

Author Comment

by:Martin Gerlach
ID: 35161740
Those were the previous administrators, so those are LOCAL accounts? I thought these were AD accounts. Let me see if I can find their old password and check if one of them works.

0
 

Author Comment

by:Martin Gerlach
ID: 35161776
Nope, doesn't work either. Well I guess I'll start the procedure to reset the password. Any last advice? If I mess this up I probably won't be online for some hours ;)
0
 
LVL 3

Expert Comment

by:pitchford
ID: 35161826
It's painfully simple. I always tell everyone to be cautious, but don't worry about screwing something up. You learn by doing. But, this isn't my equipment. =) The first time I did it I shared some of the same concerns, but ultimately I did it anyway and it worked out very well.

Best of luck to you!
0
 

Author Comment

by:Martin Gerlach
ID: 35161857
I rebooted that thing and I am able to login now. Either I made a bad change and thank god didn't save it, or something else was going on. Thank you guys for all your advice!

One more quick question: what would you recommend to get better security on the ASA, the IPS module or the content filter / anti-virus module?
0
 
LVL 3

Expert Comment

by:pitchford
ID: 35161868
That's a loaded question. IPS sounds pretty cool, I don't have much experience with IPS. I highly recommend some sort of content filter, I've used both Barracuda and Websense. I personally liked Websense better, but that was almost 10 years ago. I'm of the mindset that most attacks will come from the inside, if you restrict what people access on the Internet you have much better control.... Just in my humble opinion...
0
 

Author Comment

by:Martin Gerlach
ID: 35161904
Thanks Pitchford. I was actually referring to the ASA5500 modules you can add on to the device:

AIP SSM: Advanced Inspection and Prevention Security Services Module
CSC SSM: Content Security and Control Security Services Module
SSC: Security Services Card
SSM: Security Services Module

I am not sure which one would fit best for my purposes, but maybe I should open a new question for this.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35165506
Obviously you may want to review your config. I have not reviewed it in detail, but at a minimum you have local userids from prior admins still in there and, again based on my understanding, you are using local security for ssh and telnet:

     aaa authentication ssh console LOCAL
     aaa authentication telnet console LOCAL

You do have radius servers defined, but you seem to be using these for doing VPN authentication.

aaa-server radius_grp protocol radius
aaa-server radius_grp (inside) host
 key r@d!XXXXXXXX
aaa-server radius_grp (inside) host
 key r@XXXXXXX

tunnel-group softwarevpn general-attributes
 address-pool vpnpool
 authentication-server-group radius_grp
 authorization-server-group radius_grp
 default-group-policy softwarevpn


and, again based on my understanding, you are allowing ssh in from your outside interface:

ssh  outside
ssh 9 outside
ssh 14 outside

I'm not sure what the second two ssh commands do, but I am fairly sure the 1st one allows any IP address to ssh into the outside interface.

If I am correct, your two old admins could ssh in from the outside and use their old user-ids and passwords to get in and mess with things.
0
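The review giltjr describes above (stale local accounts, LOCAL authentication for ssh/telnet, and ssh permitted from any source on the outside interface) can be turned into a repeatable check. The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA running-config fragment that mirrors the line types quoted in the thread (placeholder addresses and hashes) and reports the combination that makes the old admin accounts reachable from the Internet. The `expected_admins` parameter and the `audit_config` / `Findings` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ASA running-config fragment (not the asker's real config).
# It mirrors the line types discussed in the thread; addresses and hashes
# are placeholders.
SAMPLE_CONFIG = """\
hostname asa5510
enable password XXXXXXXXXXXXXX encrypted
username jmoore password XXXXXXXXXXXXXX encrypted privilege 15
username mgar password XXXXXXXXXXXXXX encrypted privilege 15
aaa-server radius_grp protocol radius
aaa-server radius_grp (inside) host 10.0.0.10
 key r@d!XXXXXXXX
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
tunnel-group softwarevpn general-attributes
 authentication-server-group radius_grp
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+password\b")
AAA_AUTH_RE = re.compile(r"^aaa authentication (ssh|telnet|http|serial|enable) console (\S+)")
SSH_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


@dataclass
class Findings:
    local_users: list = field(default_factory=list)     # usernames in the LOCAL database
    console_auth: dict = field(default_factory=dict)    # service -> auth method (LOCAL or server group)
    any_source_ssh: list = field(default_factory=list)  # interfaces accepting ssh from 0.0.0.0/0
    warnings: list = field(default_factory=list)


def audit_config(text, expected_admins=()):
    """Parse an ASA running-config and flag stale local admins that are
    reachable over a management protocol authenticated against LOCAL."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            f.local_users.append(m.group(1))
            continue
        m = AAA_AUTH_RE.match(line)
        if m:
            f.console_auth[m.group(1)] = m.group(2)
            continue
        m = SSH_RE.match(line)
        if m:
            src, mask, iface = m.groups()
            # A source of 0.0.0.0 with mask 0.0.0.0 means "any address".
            if src == "0.0.0.0" and mask == "0.0.0.0":
                f.any_source_ssh.append(iface)

    # Accounts not in the list of current administrators are considered stale.
    stale = [u for u in f.local_users if u not in expected_admins]
    local_services = sorted(s for s, method in f.console_auth.items() if method.upper() == "LOCAL")

    if stale and local_services:
        f.warnings.append(
            f"stale local accounts {stale} can authenticate to {local_services} (LOCAL auth)")
    for iface in f.any_source_ssh:
        f.warnings.append(f"ssh accepted from any source address on interface '{iface}'")
    if stale and "ssh" in local_services and f.any_source_ssh:
        f.warnings.append(
            "CRITICAL: former admins could ssh in from the Internet with their old credentials; "
            "remove the accounts and restrict the ssh source ranges")
    return f


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, expected_admins=("mgar",))
    for w in result.warnings:
        print(w)
```

Run it against a saved `show running-config` and pass the names of the administrators who should still exist; anything else in the LOCAL database is reported, together with every interface that accepts ssh from any address, so the two problems giltjr points out show up as a single critical finding when they occur together.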