

Cisco ASA 5505 problem resetting the enable password - how to bypass the security policy

Posted on 2014-08-13
Medium Priority
Last Modified: 2014-10-01

I am trying to access & control a Cisco ASA 5505 firewall via console access. The problem is that I do not have a working enable password and I need to reset it. I've checked the Cisco manual and other various posts online and these are the instructions I was going to use:

1. Power cycle the ASA
2. As it boots keep pressing ESC so that the rommon> prompt shows up
3. Type confreg
4. Type n for each item except for: “disable system configuration” (push y)
5. Type “boot” -> prompt will then become “ciscoasa>”
6. Type “enable” and leave the password blank, push enter, now it will change to ciscoasa#
7. Type “copy start run”
8. Now type “config t”
9. Type “enable password cisco” (this sets the pw to cisco)
10. Type “config-register 0x10011”
11. Type “exit”
12. Type “copy run start”
13. Type “reload” to reboot

The problem is that on Step #2 when I try to interrupt the boot up sequence, I get the following error:

WARNING:  Password recovery and ROMMON command line access has been
disabled by your security policy.  Choosing YES below will cause ALL
configurations, passwords, images, and files systems to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.

It sounds like at this point the only way to get past this will be a factory reset. This is problematic since I want to retrieve the current running config. This is a live firewall being used daily by a small company.

Any ideas what I should take as the next step? Does anyone know if Cisco has a way to get past this if we purchase a service contract for this ASA to get the support?
Question by:Samir Saber

Expert Comment

by:Henk van Achterberg
ID: 40265227
If you have no access to the CLI/ASDM then you cannot retrieve the configuration and you need to reset the unit and configure it from scratch.

Can you access the ASDM?

Expert Comment

ID: 40266960
Before step 7, type “show start”.

This will show you the startup-config, which is what it normally boots from. Step 7 will overwrite what is currently the running-config (the factory state) with the startup-config (that you don't know the pw for), which will put things back to normal; then the rest of the steps just update the enable password and then save it. You should make a backup copy of the config using tftp, or copy and paste into notepad one screen at a time (the whole config is probably too big for your clipboard) if you don't know how to tftp.
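The recovery steps listed in the question and the "back it up first over TFTP" advice in the comment above, written out as one annotated console session. This is an added example, not a transcript from anyone's device in this thread: the prompts are the standard ASA ROMMON/CLI ones (abbreviated where noted), and the hostname, the TFTP server 192.0.2.10, the backup filename and the new enable password are assumptions. It also shows the lockdown command the thread runs into (no service password-recovery) and the two checks worth running while you still have enable access, since after a reboot it is too late.

```text
! --- 0. Checks to run on any ASA you administer, while you still have enable ---
! (output lines are illustrative, not captured from the thread's unit)
ciscoasa# show version | include register
Configuration register is 0x1
ciscoasa# show running-config all | include password-recovery
service password-recovery
! "no service password-recovery" here means ROMMON access is disabled and the only
! way back in is the destructive erase quoted in the question. It is set/cleared with:
ciscoasa(config)# no service password-recovery
ciscoasa(config)# service password-recovery

! --- 1. Normal recovery (works only while service password-recovery is enabled) ---
! Power-cycle and press Esc during the first seconds of boot to reach ROMMON.
rommon #0> confreg
Current Configuration Register: 0x00000001
Do you wish to change this configuration? y/n [n]: y
! ...answer n to every question except this one (other prompts omitted here):
disable system configuration? y/n [n]: y
Current Configuration Register: 0x00000041
rommon #1> boot
! The ASA boots without loading startup-config, so enable has no password.
ciscoasa> enable
Password:
ciscoasa# copy startup-config running-config
! Back up BEFORE changing anything (the TFTP copy the comment above recommends):
ciscoasa# copy running-config tftp://192.0.2.10/asa5505-before-recovery.cfg
! show/copy mask some secrets (pre-shared keys etc.); this shows them in clear:
ciscoasa# more system:running-config
ciscoasa# configure terminal
ciscoasa(config)# enable password NewEnablePassw0rd
ciscoasa(config)# config-register 0x1
ciscoasa(config)# exit
ciscoasa# copy running-config startup-config
ciscoasa# reload

! --- 2. What this thread's unit does instead (no service password-recovery set) ---
! Esc does not drop to rommon; the boot loader prints the warning quoted in the
! question and asks whether to erase. Answering n resumes the normal boot with the
! unknown password intact; answering y wipes config, passwords and images, after
! which a new image must be loaded over TFTP from ROMMON before the unit is usable.
```

The two checks in section 0 are the practical takeaway: the config register tells you whether a previous recovery left the box booting with no config (0x41), and the password-recovery line tells you whether a console reset is still possible at all. Both are cheap to add to a routine "show tech" review of inherited firewalls.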

Author Comment

by:Samir Saber
ID: 40267694
Henk: no, I do not have access to the ASDM - I actually wanted to enable SSH/ASDM until realizing this client's old tech locked down the CLI.

Paranormastic: I don't get past step 2 as mentioned.

Expert Comment

by:Henk van Achterberg
ID: 40267702
Then you have no other option than to reset and rebuild from scratch. A good time to update the software ;-).

Author Comment

by:Samir Saber
ID: 40267721
I am also 95% convinced that I have no option but to reset, but the goal of this post was to get the extra 5% that let me know there is absolutely nothing that can get past what I described (like a "magic" Cisco backdoor).

Expert Comment

by:Henk van Achterberg
ID: 40267776
You can remove the flash from the ASA5505 (remove the screws), mount it in a reader/other ASA and see what is on it. Maybe there is an old config.

Author Comment

by:Samir Saber
ID: 40350480
I am closing this one - so far we are dealing with a legal battle with the old admin that locked down the ASAs... Thanks for the input guys, looks like there is no way to reset that lock.

Author Comment

by:Samir Saber
ID: 40351636
I've requested that this question be closed as follows:

Accepted answer: 0 points for Samir Saber's comment #a40350480

for the following reason:

I'm only picking my own comment because, just like I suspected, there was no solution to this problem. The solution is there is no way to get past the lock.

Accepted Solution

Henk van Achterberg earned 2000 total points
ID: 40351637
The solution is that there is no way without saving the config... Even if it is not a satisfying answer, it is still the right answer.
