You have a Cisco ASA 5505 for which you no longer have the correct enable password.
To reset the enable password, you need a serial cable to connect to the ASA's console port. You can't do this via SSH, telnet, or ASDM.
- Power off the ASA by unplugging it from power
- Connect to the ASA via the console port; PuTTY is great for this
- Power the ASA back on. After a moment, you will see a prompt like the following:
Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.
- Hit ESC to interrupt the boot process; you should see something like this:
Boot interrupted.
Ethernet0/0
MAC Address: 2894.0f20.a947
Link is DOWN
Use ? for help.
rommon #0>
- Use the confreg command to show the current configuration register; you'll need this value later, so save the output somewhere safe (a Notepad window is fine).
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]:
- Answer ‘y’ to the “Do you wish to change this configuration” and “disable system configuration” prompts; accept the defaults for the rest.
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: n
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: n
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: n
Current Configuration Register: 0x00000001
Configuration Summary:
boot ROMMON
Update Config Register (0x0) in NVRAM...
rommon #1>
- Use the boot command to finish booting the ASA using default settings
rommon #1> boot
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading /asa911-k8.bin... Booting...
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9928
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
...
- You can now switch to privileged mode, as the enable password is now blank (just press Enter at the Password prompt)
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa#
- Load the ASA’s normal configuration so that you can change it; since you’re already in privileged mode, you can change the configuration settings as needed.
ciscoasa# copy startup-config running-config
Destination filename [running-config]?
.
Cryptochecksum (unchanged): 4e408444 7fc8556f 936a0216 8a012d76
2557 bytes copied in 3.220 secs (852 bytes/sec)
- Edit the configuration
ciscoasa# conf term
ciscoasa(config)#
- Use the password and enable password commands to change the passwords to something you do know.
ciscoasa(config)# password SuperSecretPassword
ciscoasa(config)# enable password AnotherSecretPassword
- Reset the configuration register to the value you saved above so that the ASA will reboot normally instead of into ROMMON
ciscoasa(config)# config-register 0x1
- Save the updated configuration so that it is loaded on the next boot, then reboot
ciscoasa(config)# copy running-config startup-config
Source filename [running-config]?
Cryptochecksum: 51e1e4c3 36c9e3b5 b895d772 43227af6
3045 bytes copied in 1.50 secs (3045 bytes/sec)
ciscoasa(config)# reload noconfirm
- After the ASA reboots, make sure the new enable password works
ciscoasa> enable
Password: ********
ciscoasa#
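
A check to run over a captured console log of the procedure above (for example, PuTTY session logging), added here as an example and not part of the original page: it confirms that the configuration register was restored to the value confreg first reported, that the enable password was changed, and that the configuration was saved before the reload. The sample log is constructed, and the function names are hypothetical.

```python
import re

# A rommon or ASA prompt followed by a typed command, e.g.
# "rommon #0> confreg" or "ciscoasa(config)# config-register 0x1".
PROMPT = re.compile(r"^(?:rommon #\d+>|\S+?(?:\(config[^)]*\))?[#>])\s*(\S.*)$")
REGISTER = re.compile(r"Current Configuration Register:\s*(0x[0-9a-fA-F]+)")
SET_REG = re.compile(r"config-register\s+(0x[0-9a-fA-F]+)")

# Constructed sample log (hypothetical capture, passwords redacted).
SAMPLE_LOG = """\
rommon #0> confreg
Current Configuration Register: 0x00000001
rommon #1> boot
ciscoasa> enable
Password:
ciscoasa# copy startup-config running-config
ciscoasa# conf term
ciscoasa(config)# password <redacted>
ciscoasa(config)# enable password <redacted>
ciscoasa(config)# config-register 0x1
ciscoasa(config)# copy running-config startup-config
ciscoasa(config)# reload noconfirm
"""

def typed_commands(log):
    """Commands typed at a prompt, in the order they were entered."""
    matches = (PROMPT.match(line.strip()) for line in log.splitlines())
    return [m.group(1).strip() for m in matches if m]

def check_recovery(log):
    """Return a list of problems; an empty list means the log looks complete."""
    cmds = typed_commands(log)
    def last(prefix):  # index of the last command starting with prefix, or -1
        return max((i for i, c in enumerate(cmds) if c.startswith(prefix)), default=-1)
    reg, pw = last("config-register"), last("enable password")
    save, reboot = last("copy running-config startup-config"), last("reload")
    original = REGISTER.search(log)  # first value that confreg printed
    problems = []
    if original is None:
        problems.append("original register value was never displayed")
    if reg < 0:
        problems.append("config-register was never restored")
    elif original:
        new = SET_REG.fullmatch(cmds[reg])
        if not new or int(new.group(1), 16) != int(original.group(1), 16):
            problems.append("config-register differs from the saved value")
    if pw < 0:
        problems.append("enable password was not changed")
    if save < 0 or save < max(reg, pw):
        problems.append("changes were not saved after the last edit")
    if 0 <= reboot < save:
        problems.append("reload was issued before the configuration was saved")
    return problems
```
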