Solved

asa password

Posted on 2013-12-18
Last Modified: 2014-01-06
I want to change the enable password on an ASA, but I realized there is no option for "enable secret"

ASA-Floor4(config)# enable secret ?
ERROR: % Unrecognized command


I see in the config that the enable password has:

enable password PasSwordHere encrypted
passwd PasSwordHere encrypted


I want only to change the enable password and keep it secret\encrypted like it is now but there is no enable secret command. There is a local username 15 and
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL

Can someone explain and help me change the password? Thanks.
0
Question by:tolinrome
16 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39727877
The command you need is

enable password <your password> encrypted
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39727962
When I tried that it says it is too short (paraphrasing), but when I look at another firewall setup exactly as this one, it uses the same password and didn't give that error.
Both firewalls have the same setup and the hashing characters in the passwords are exactly the same, but the two passwords are actually different.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39728004
Half asleep here...sorry

Leave out the 'encrypted' bit I mentioned above...by default all enable passwords on the ASA are encrypted by default

Try it again and see...

enable password <your password>
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729110
It won't take the new password, it still retains the old one. It looks like it takes it, but when I log out and back in, it's still the old password. Could this have anything to do with the local aaa authentication?

cisco(config)#enable password <my password>
cisco(config)#
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729114
When you say 'log out and back in' what do you mean? From console or telnet? How are you logging in exactly?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729305
ssh
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729322
Right, well ssh and enable are 2 different passwords...so want to be sure there is no confusion here

To set password for ssh you use

passwd <your password>

That sets the ssh password...is that what you are getting confused on?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729389
No, I can log in fine using ssh, that's no problem. The only problem is that when I change the enable password, it doesn't take it, I still have to use the old enable password. But what's confusing is that when I type the new enable password it acts like it's taking it. For example:

1. I login using ssh
2. I change the enable password
    cisco(config)#enable password <my password>
    cisco(config)#
3. I exit the device without saving (wr mem)
4. I log back in using ssh
5. I go into enable mode and it's the old password again, not the new one I just created.

Thanks for helping.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729511
Ok, well either it's a bug (what version IOS are you on?) or this line is possibly causing your issue

aaa authentication enable console LOCAL

Remove that and test again...

no aaa authentication enable console LOCAL

I think that means 'each user has a separate enable password different from the global one'...

To confirm - does your new enable password work? Even though the older one does as well?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729573
I know it's not a bug since others on the same version are fine. So it probably has something to do with the local authentication but I want to fully understand first before cancelling out that line.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39732912
Anyone?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39740258
anyone?
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
ID: 39743548
From my understanding this is by design...

Do this as a test please...connect a console cable to the ASA and connect to the console...I would guess that the NEW enable password will work now

2nd test - when SSH'd in and you enter enable mode - enter the current ssh password and does it take?

The line

aaa authentication enable console LOCAL

means 'you switch to enable mode using the USERS password'...which is why I said remove that line to confirm/test this...
0
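The behaviour described in the accepted solution, as an added example that is not part of the original thread: a small Python audit that reads an ASA configuration and reports which credential each prompt checks, so a changed `enable password` that appears to be ignored can be explained from the config alone. The sample config is constructed from the lines quoted in the question; the username `admin`, the placeholder hash and the function names are assumptions.

```python
import re

# Constructed sample modelled on the lines quoted in the thread.
# PLACEHOLDERHASH and the username "admin" are made up for illustration.
SAMPLE_CONFIG = """\
hostname ASA-Floor4
enable password PLACEHOLDERHASH encrypted
passwd PLACEHOLDERHASH encrypted
username admin password PLACEHOLDERHASH encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
"""

# aaa authentication {ssh|telnet|enable} console {LOCAL | server_group [LOCAL]}
AAA_RE = re.compile(
    r"^aaa authentication (ssh|telnet|enable) console (\S+)(?: (LOCAL))?\s*$")

# Command whose password is checked when no aaa line covers the prompt,
# as described in the thread.
GLOBAL_FALLBACK = {"enable": "enable password", "ssh": "passwd", "telnet": "passwd"}


def credential_sources(config_text):
    """Map each prompt (ssh, telnet, enable) to the credential it checks."""
    sources = {p: "global '%s'" % cmd for p, cmd in GLOBAL_FALLBACK.items()}
    for line in config_text.splitlines():
        m = AAA_RE.match(line.strip())  # a negated "no aaa ..." line does not match
        if not m:
            continue
        prompt, method, fallback = m.groups()
        if method == "LOCAL":
            sources[prompt] = "local user password"
        elif fallback:
            sources[prompt] = "server group %s, then local user password" % method
        else:
            sources[prompt] = "server group %s" % method
    return sources


def enable_password_in_use(config_text):
    """True only when the enable prompt still checks the global enable password."""
    return credential_sources(config_text)["enable"].startswith("global")


if __name__ == "__main__":
    for prompt, source in sorted(credential_sources(SAMPLE_CONFIG).items()):
        print("%-7s -> %s" % (prompt, source))
    print("global enable password checked:", enable_password_in_use(SAMPLE_CONFIG))
```

With the sample config the enable prompt resolves to the local user password, which matches what the asker saw over SSH: the new global enable password was accepted by the CLI but is never consulted while that aaa line is present.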
 
LVL 7

Author Comment

by:tolinrome
ID: 39749947
Problem is the ASA is in a remote site and I can't console in.
0
 
LVL 28

Expert Comment

by:serialband
ID: 39751748
Get yourself a remote console, such as a Lantronix Spider, Duo, or SLC, depending on how many console connections you need.  You can set up your firewall to only allow connections from your location and you can have remote console access to all your systems.
0

Question has a verified solution.