Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 82 Troubleshooting
Performing Password Recovery
Step 14 Change the passwords, as required, in the default configuration by entering the following commands:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step 15 Load the default configuration by entering the following command:
hostname(config)# no config-register
The default configuration register value is 0x1. For more information about the configuration register,
see the command reference.
Step 16 Save the new passwords to the startup configuration by entering the following command:
hostname(config)# copy running-config startup-config
Disabling Password Recovery
To disable password recovery, so that unauthorized users cannot use the password recovery
mechanism to compromise the ASA, enter the following command:
On the ASA, the no service password-recovery command prevents you from entering ROMMON mode
with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash
file systems. You cannot enter ROMMON mode without first performing this erasure. If you choose not
to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON
mode and maintaining the existing configuration, this erasure prevents you from recovering a password.
However, disabling password recovery prevents unauthorized users from viewing the configuration or
inserting different passwords. In this case, to restore the system to an operating state, load a new image
and a backup configuration file, if available.
The service password-recovery command appears in the configuration file for information only. When
you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the
setting is to enter the command at the CLI prompt. Loading a new configuration with a different version
of the command does not change the setting. If you disable password recovery when the ASA is
configured to ignore the startup configuration at startup (in preparation for password recovery), then the
ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby
unit is configured to ignore the startup configuration, then the same change is made to the configuration
register when the no service password-recovery command replicates to the standby unit.
Command                                          Purpose
no service password-recovery                     Disables password recovery.
Example:
hostname(config)# no service password-recovery
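An added audit check, not part of the Cisco guide, that evaluates captured ASA output against the two settings this section discusses: whether `no service password-recovery` is present in live `show running-config` output (a backup file is not authoritative, since the guide notes the setting lives in NVRAM) and whether the configuration register is still the 0x1 default. The sample outputs are constructed, and the `Configuration register is 0x...` wording of `show version` is assumed.

```python
import re
from typing import List, Optional

# Constructed sample of `show running-config` output from an ASA that has
# had password recovery disabled (not captured from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname asa-edge
enable password <redacted> encrypted
no service password-recovery
username admin password <redacted> encrypted privilege 15
: end
"""

# Constructed sample of the `show version` line that reports the
# configuration register (assumption: this is the line's wording on ASA).
SAMPLE_SHOW_VERSION = "Configuration register is 0x1"

DEFAULT_CONFIG_REGISTER = 0x1  # default value stated in the guide


def password_recovery_disabled(running_config: str) -> bool:
    """True only if `no service password-recovery` appears in LIVE
    running-config output. Do not evaluate a backup file instead: the
    guide notes the setting is held in NVRAM and loading a configuration
    with a different value does not change it."""
    return any(line.strip() == "no service password-recovery"
               for line in running_config.splitlines())


def config_register(show_version: str) -> Optional[int]:
    """Parse the configuration register value from `show version` output."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    return int(m.group(1), 16) if m else None


def audit(running_config: str, show_version: str) -> List[str]:
    """Return findings; an empty list means the hardened state described in
    the guide (recovery disabled, register at the 0x1 default)."""
    findings = []
    if not password_recovery_disabled(running_config):
        findings.append("password recovery not disabled: ROMMON recovery "
                        "with the configuration intact is possible")
    reg = config_register(show_version)
    if reg is None:
        findings.append("configuration register not found in show version output")
    elif reg != DEFAULT_CONFIG_REGISTER:
        findings.append(f"configuration register 0x{reg:x} is not the 0x1 default; "
                        "the startup configuration may be ignored on reload")
    return findings
```

Run `audit(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_VERSION)` against output pulled from the console of each unit, including the standby unit when failover is in use, since the guide notes the register change replicates there.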