On the Adaptive Security Appliance, if the password is forgotten,
the ASA can be booted into ROMMON by pressing the Escape key on the terminal
keyboard when prompted during startup. Then set the ASA to ignore the startup
configuration by changing the configuration register using the
config-register command. For example, if the configuration
register is the default 0x1, then change the value to 0x41 by entering the
config-register 0x41 command. After reloading, the ASA
loads a default configuration, and privileged EXEC mode can be entered using
the default passwords. Then load the startup configuration by copying it to the
running configuration and reset the passwords. Finally, set the ASA to boot as
before by setting the configuration register to the original setting. For
example, enter the config-register 0x1 command in global
configuration mode.
On the Adaptive Security Appliance, the
no version of this command prevents a user from entering
ROMMON with the configuration intact. When a user enters ROMMON, the ASA
prompts the user to erase all Flash file systems. The user cannot enter ROMMON
without first performing this erasure. If a user chooses not to erase the Flash
file system, the ASA reloads. Because password recovery depends on using ROMMON
and maintaining the existing configuration, this erasure prevents the password
from being recovered. However, disabling password recovery prevents
unauthorized users from viewing the configuration or inserting different
passwords. In this case, to recover the system to an operating state, load a
new image and a backup configuration file, if available. The service
password-recovery command appears in the configuration file for
informational purposes only. When the command is entered at the CLI prompt, the
setting is saved in NVRAM. The only way to
change the setting is to enter the command at the CLI prompt. Loading a new
configuration with a different version of the command does not change the
setting. If password recovery is disabled when the ASA is configured to ignore
the startup configuration at startup, in preparation for password recovery,
then the ASA changes the setting to boot the startup configuration as usual. If
failover is used, and the standby unit is configured to ignore the startup
configuration, then the same change is made to the configuration register when
the no service password-recovery command replicates to the
standby unit.
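Both paragraphs above boil down to two settings an administrator can audit in a saved ASA configuration: the configuration register (0x1 by default, 0x41 when the startup configuration is to be ignored) and the presence or absence of no service password-recovery. The following checker is an added example, not Cisco's code; it parses a constructed configuration excerpt and reports either condition. Because the page states that the service password-recovery line in the configuration file is informational only, a clean result here does not replace confirming the NVRAM setting on the device itself.

```python
import re

# Constructed sample ASA configuration excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
: Saved
hostname asa-edge
config-register 0x41
service password-recovery
enable password ***** encrypted
"""

DEFAULT_CONFREG = 0x1      # normal boot: load the startup configuration
IGNORE_STARTUP_BIT = 0x40  # set in 0x41: boot without the startup configuration


def parse_config_register(config: str) -> int:
    """Return the config-register value, or the default 0x1 if no line is present."""
    match = re.search(r"^config-register\s+(0x[0-9a-fA-F]+)[ \t]*$", config, re.MULTILINE)
    return int(match.group(1), 16) if match else DEFAULT_CONFREG


def password_recovery_enabled(config: str) -> bool:
    """True unless 'no service password-recovery' appears in the configuration.

    The configuration-file line is informational only; the authoritative
    setting is held in NVRAM and changes only when the command is typed at the CLI.
    """
    return not re.search(r"^no service password-recovery[ \t]*$", config, re.MULTILINE)


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means both settings look as expected."""
    findings = []
    confreg = parse_config_register(config)
    if confreg & IGNORE_STARTUP_BIT:
        findings.append(
            f"config-register {confreg:#x} ignores the startup configuration at boot "
            f"(expected {DEFAULT_CONFREG:#x}); reset it once recovery work is finished"
        )
    if password_recovery_enabled(config):
        findings.append(
            "password recovery is enabled: ROMMON can be entered with the configuration "
            "intact; consider 'no service password-recovery' and verify on the device"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```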
The example in Figure shows when to enter ROMMON at startup and how to complete a password recovery operation.