PIX Security Appliance Management
Adaptive Security Appliance password recovery

On the Adaptive Security Appliance, if the password is forgotten, the ASA can be booted into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the ASA to ignore the startup configuration by changing the configuration register; in ROMMON this is done with the confreg command, the ROMMON counterpart of the config-register global configuration command. For example, if the configuration register is the default 0x1, change it to 0x41 (0x40 is the "ignore startup configuration" bit) by entering confreg 0x41, then enter boot. After reloading, the ASA loads a default configuration, and privileged EXEC mode can be entered using the default passwords (the enable password is blank by default). Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the ASA to boot as before by restoring the configuration register to its original value, for example by entering the config-register 0x1 command in global configuration mode, and save the configuration. Note that this procedure needs only console access, and that whoever performs it can read the entire startup configuration, including any secrets stored in it; that exposure is what the no service password-recovery command is meant to remove.

On the Adaptive Security Appliance, the no service password-recovery command disables this procedure. With password recovery disabled, a user cannot enter ROMMON while the configuration is intact: when ROMMON is entered, the ASA prompts the user to erase all Flash file systems and does not continue without that erasure. If the user chooses not to erase the Flash file systems, the ASA reloads. Because password recovery depends on using ROMMON while keeping the existing configuration, the erasure makes the passwords unrecoverable; in exchange, an attacker with console access cannot view the configuration or insert different passwords. The trade-off is that a genuinely lost password then means rebuilding the unit: to recover the system to an operating state, load a new image and a backup configuration file, if one is available, so keep both off the box before disabling recovery.

The service password-recovery command appears in the configuration file for informational purposes only. When the command is entered at the CLI prompt, the setting is saved in NVRAM, and the only way to change the setting is to enter the command at the CLI prompt again; loading a new configuration with a different version of the command does not change the setting. If password recovery is disabled while the ASA is configured to ignore the startup configuration at startup (for example, with the configuration register set to 0x41 in preparation for password recovery), the ASA changes the configuration register so that it boots the startup configuration as usual. If failover is used and the standby unit is configured to ignore the startup configuration, the same change is made to the standby unit's configuration register when the no service password-recovery command replicates to it.

The example in Figure shows when to enter ROMMON at startup and how to complete a password recovery operation.
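As an added example (not the page's figure and not Cisco's own text), the following annotated console session walks through the recovery procedure described above and then disables it. The hostnames ciscoasa and asa-fw, the username admin and the new passwords are assumed values; device output is omitted except for the prompts that matter. Lines starting with "!" are annotations, not commands.

```console
! Step 1: power-cycle the ASA and press Escape at the boot prompt to enter
! ROMMON. In ROMMON the configuration register is set with confreg, not
! config-register. 0x41 = default 0x1 plus the "ignore startup config" bit.
rommon #0> confreg 0x41
rommon #1> boot

! Step 2: the ASA comes up with a default configuration. The default enable
! password is blank, so press Enter at the password prompt.
ciscoasa> enable
Password:
ciscoasa#

! Step 3: merge the saved configuration into the running configuration,
! then replace the lost passwords. The hostname changes once the saved
! configuration is loaded (asa-fw is an assumed value).
ciscoasa# copy startup-config running-config
asa-fw# configure terminal
asa-fw(config)# enable password NewEnableP@ss
asa-fw(config)# username admin password NewLoginP@ss privilege 15
asa-fw(config)# passwd NewLoginP@ss

! Step 4: restore normal boot behaviour and save. Without config-register
! 0x1 the next reload would again ignore the startup configuration.
asa-fw(config)# config-register 0x1
asa-fw(config)# write memory

! Optional hardening, once a backup of the configuration and the image are
! stored off the box: disable the procedure above. This setting lives in
! NVRAM, so it survives copying a different configuration onto the unit.
asa-fw(config)# no service password-recovery
asa-fw(config)# write memory
asa-fw(config)# exit

! Verify. The command line in the configuration is informational only; the
! authoritative setting is the one stored in NVRAM by the command itself.
asa-fw# show running-config | include password-recovery
asa-fw# show version | include register
```

After no service password-recovery is applied, interrupting the boot into ROMMON no longer yields a usable prompt with the configuration intact: the unit offers to erase all Flash file systems and reloads if that is declined, so the only way back is a fresh image plus the backup configuration.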