To recover passwords for the ASA,
perform the following steps:
Step: 1 Connect to the ASA
console port according to the instructions in "Accessing the Command-Line
Interface" section.
Step: 2 Power off the ASA, and
then power it on.
Step: 3 After startup, press the
Escape key when you are prompted to enter ROMMON mode.
Step: 4 To update the
configuration register value, enter the following command:
rommon #1> confreg 0x41
Update Config Register
(0x41) in NVRAM...
rommon #1> confreg
The ASA displays the current
configuration register value, and asks whether you want to change it:
Current Configuration
Register: 0x00000041
Configuration Summary:
boot default image from
Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y
Step: 6 Record the current
configuration register value, so you can restore it later.
Step: 7 At the prompt, enter Y to
change the value. The ASA prompts you for new values.
Step: 8 Accept the default values
for all settings. At the prompt, enter Y.
Step: 9 Reload the ASA by
entering the following command:
rommon #2> boot
Launching BootLoader...
Boot configuration file
contains 1 entry.
Loading disk0:/asa800-226-k8.bin... Booting...Loading...
The ASA loads the default
configuration instead of the startup configuration.
Step: 10 Access the privileged
EXEC mode by entering the following command:
hostname> enable
Step: 11 When prompted for the
password, press Enter.
The password is blank.
Step: 12 Load the startup
configuration by entering the following command:
hostname# copy startup-config running-config
Step: 13 Access the global
configuration mode by entering the following command:
hostname# configure terminal
Step: 14 Change the passwords, as
required, in the default configuration by entering the following commands:
hostname(config)# password
password
hostname(config)# enable
password password
hostname(config)# username name password password
Step: 15 Load the default
configuration by entering the following command:
hostname(config)# no config-register
The default configuration register
value is 0x1.
Step: 16 Save the new passwords to
the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
Disabling Password Recovery
You might want to disable password
recovery to ensure that unauthorized users cannot use the password recovery
mechanism to compromise the ASA.
On the ASA, the no service
password-recovery command prevents a user from entering ROMMON mode with the
configuration intact. When a user enters ROMMON mode, the ASA prompts the user
to erase all Flash file systems. The user cannot enter ROMMON mode without
first performing this erasure. If a user chooses not to erase the Flash file system,
the ASA reloads. Because password recovery depends on using ROMMON mode and
maintaining the existing configuration, this erasure prevents you from
recovering a password. However, disabling password recovery prevents
unauthorized users from viewing the configuration or inserting different
passwords. In this case, to restore the system to an operating state, load a
new image and a backup configuration file, if available.
----
No comments:
Post a Comment