Solved

asa password

Posted on 2013-12-18
16
682 Views
Last Modified: 2014-01-06
I want to change the enable password on an ASA, but I realized there is no option for "enable secret".

ASA-Floor4(config)# enable secret ?
ERROR: % Unrecognized command


I see in the config that the enable password has:

enable password PasSwordHere encrypted
passwd PasSwordHere encrypted


I want only to change the enable password and keep it secret/encrypted like it is now, but there is no enable secret command. There is a local username 15 and
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL

Can someone explain and help me change the password? Thanks.
0
Question by:tolinrome
16 Comments
 
LVL 24

Expert Comment

by:smckeown777
The command you need is

enable password <your password> encrypted
0
 
LVL 7

Author Comment

by:tolinrome
When I tried that, it said it is too short (paraphrasing), but when I look at another firewall set up exactly like this one, it uses the same password and didn't give that error.
Both firewalls have the same setup and the hashing characters in the passwords are exactly the same, but the two passwords are actually different.
0
 
LVL 24

Expert Comment

by:smckeown777
Half asleep here...sorry

Leave out the 'encrypted' bit I mentioned above...by default all enable passwords on the ASA are encrypted

Try it again and see...

enable password <your password>
0
 
LVL 7

Author Comment

by:tolinrome
It won't take the new password; it still retains the old one. It looks like it takes it, but when I log out and back in, it's still the old password. Could this have anything to do with the local aaa authentication?

cisco(config)#enable password <my password>
cisco(config)#
0
 
LVL 24

Expert Comment

by:smckeown777
When you say 'log out and back in' what do you mean? From console or telnet? How are you logging in exactly?
0
 
LVL 7

Author Comment

by:tolinrome
ssh
0
 
LVL 24

Expert Comment

by:smckeown777
Right, well ssh and enable are 2 different passwords...so I want to be sure there is no confusion here

To set password for ssh you use

passwd <your password>

That sets the ssh password...is that what you are getting confused on?
0
 
LVL 7

Author Comment

by:tolinrome
No, I can login fine using ssh, that's no problem. The only problem is that when I change the enable password, it doesn't take it; I still have to use the old enable password. But what's confusing is that when I type the new enable password it acts like it's taking it. For example:

1. I login using ssh
2. I change the enable password
    cisco(config)#enable password <my password>
    cisco(config)#
3. I exit the device without saving (wr mem)
4. I login back in using ssh
5. I go into enable mode and it's the old password again, not the new one I just created.

Thanks for helping.
0
 
LVL 24

Expert Comment

by:smckeown777
Ok, well either it's a bug (what version IOS are you on?) or this line is possibly causing your issue

aaa authentication enable console LOCAL

Remove that and test again...

no aaa authentication enable console LOCAL

I think that means 'each user has a separate enable password different from the global one'...

To confirm - does your new enable password work? Even though the older one does as well?
0
 
LVL 7

Author Comment

by:tolinrome
I know it's not a bug since others on the same version are fine. So it probably has something to do with the local authentication, but I want to fully understand first before cancelling out that line.
0
 
LVL 7

Author Comment

by:tolinrome
Anyone?
0
 
LVL 7

Author Comment

by:tolinrome
anyone?
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
From my understanding this is by design...

Do this as a test please...connect a console cable to the ASA and connect to the console...I would guess that the NEW enable password will work now

2nd test - when SSH'd in and you enter enable mode - enter the current ssh password and does it take?

The line

aaa authentication enable console LOCAL

means 'you switch to enable mode using the USERS password'...which is why I said remove that line to confirm/test this...
0
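The accepted answer's point, shown as a configuration excerpt. This is an added illustration, not the thread's device config or Cisco's documentation; the hostname, username and passwords are placeholders.

```cisco
! Constructed ASA configuration excerpt (placeholders, not the thread's device)
hostname ASA-Floor4
!
! Global enable password. It is only consulted when no AAA enable
! authentication is configured, which is why changing it appeared to
! have no effect in the thread.
enable password NewEnablePassword
!
! Local account used for SSH login (placeholder credentials)
username netadmin password UserPassword privilege 15
!
! SSH logins are checked against the LOCAL user database
aaa authentication ssh console LOCAL
!
! With this line present, "enable" over SSH prompts for the logged-in
! user's own password (LOCAL), so the global "enable password" above
! is never asked for. Removing it with
!   no aaa authentication enable console LOCAL
! makes "enable" fall back to the global enable password.
aaa authentication enable console LOCAL
```

Whichever path is chosen, the change only survives a reload after `write memory`, and the new credential should be verified from a second session before the first one is closed, so that a mistyped password does not lock out remote administration of a device with no console access.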
 
LVL 7

Author Comment

by:tolinrome
Problem is the ASA is in a remote site and I can't console in.
0
 
LVL 27

Expert Comment

by:serialband
Get yourself a remote console, such as a Lantronix Spider, Duo, or SLC, depending on how many console connections you need. You can set up your firewall to only allow connections from your location and you can have remote console access to all your systems.
0
