Most of us know that Cisco can be a bit complicated, and sometimes things happen that are not so forgiving. One of those is losing a password on a Cisco device. If you did not know that you can reset the password using a console cable, you might be freaking out, thinking you will have to reset to factory defaults. Well, thank you Cisco for providing a backdoor to their devices. The commands and procedures can be slightly different for each device, so you will want to look up Cisco's password recovery steps for your specific device. In this example I will show you how to reset the password on a Cisco ASA 5505 using Terminal on a MacBook.
The first thing you will need on any Cisco device is console port access. For this reason it is important to ensure there are strict physical security measures in place. Physical access to the device lets someone carry out the procedure I am about to list, which can give them unwanted entry to your device.
1. Connect to the device using the console port and cable. The cable is usually RJ45 to serial; my MacBook doesn't have a serial port, so I use a serial-to-USB adapter. All my configuration is then done in Terminal. If you're on a PC you can use your telnet application or the MS-DOS CMD window.
Using a MacBook with the serial-to-USB adapter requires that I use the “screen /dev/tty.KeySerial1 9600” command to be able to use Terminal as my telnet window. This will allow you to view the bootup of the device as soon as it has power.
2. Now shut down the ASA and power it back up. During the startup messages, press and hold the “Escape” key when prompted to enter ROMMON.
3. To update the configuration register value, enter the following command:
rommon #1> confreg 0x41
4. To have the ASA ignore the startup configuration during its startup, enter the following command:
rommon #1> confreg
The ASA will display the current configuration register value and prompt you to change it:
Current Configuration Register: 0x00000011
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
5. Take note of the current configuration register value (it will be used to restore later). At the prompt enter “Y” for yes and hit enter.
The ASA will prompt you for new values.
6. Accept all the defaults, except for the “disable system configuration?” value; at that prompt, enter “Y” for yes and hit enter.
7. Reload the ASA by entering:
rommon #2> boot
The ASA loads a default configuration instead of the startup configuration.
8. Enter privileged EXEC mode by entering:
9. When prompted for the password press “Enter” so the password will be blank.
10. Load the startup config by entering:
hostname# copy startup-config running-config
11. Enter global configuration mode by using this command:
hostname# config t
12. Change the passwords in the configuration by using these commands, as necessary:
hostname(config)# password newpassword
hostname(config)# enable password newpassword
hostname(config)# username newusername password newpassword
13. Change the configuration register to load the startup configuration at the next reload by entering:
hostname(config)# config-register 0x00000011
* Note: 0x00000011 is the current configuration register value you noted in step 4.
14. Save the new passwords to the startup configuration by entering:
hostname(config)# wr mem
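As an added example (not from the original post or from Cisco): a short Python check that reads saved "show version" output and flags a device whose configuration register still carries the 0x40 bit set by "confreg 0x41" in step 3, meaning it would skip its startup configuration on the next reload. The "Configuration register is ..." line format and the device names are assumptions, and the sample text is constructed.

```python
import re

IGNORE_STARTUP_CONFIG = 0x40  # the bit that separates 0x41 (step 3) from 0x11

# Assumed line format (not taken from the page):
#   Configuration register is 0x41 (will be 0x11 at next reload)
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)


def parse_confreg(show_version_text):
    """Return (current, pending) register values; pending is None if unchanged."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def audit_confreg(show_version_text):
    """Classify a device by whether it skips its startup configuration."""
    current, pending = parse_confreg(show_version_text)
    next_boot = current if pending is None else pending
    if next_boot & IGNORE_STARTUP_CONFIG:
        return "ALERT"     # next reload comes up without the saved configuration
    if current & IGNORE_STARTUP_CONFIG:
        return "RECOVERY"  # booted in recovery mode; register already restored
    return "OK"


# Constructed sample output, one snippet per hypothetical device.
SAMPLES = {
    "asa-normal": "Configuration register is 0x11\n",
    "asa-mid-recovery": "Configuration register is 0x41 (will be 0x11 at next reload)\n",
    "asa-left-open": "Configuration register is 0x00000041\n",
}


def audit_all(samples):
    """Map each device name to its verdict."""
    return {name: audit_confreg(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A "RECOVERY" or "ALERT" verdict on a device nobody was supposed to be recovering is worth checking against console and physical access records.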
**REMEMBER DIFFERENT CISCO DEVICES HAVE DIFFERENT STEPS; YOU CAN LOOK UP THE STEPS EASILY FROM CISCO DIRECTLY**
The commands used in the example above were referenced from the Cisco article http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/trouble.html