Disabling password recovery – Cisco ASA 5505 User Manual


82-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 82 Troubleshooting

Performing Password Recovery

Step 14

Change the passwords, as required, in the default configuration by entering the following commands:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 15

Load the default configuration by entering the following command:

hostname(config)# no config-register

The default configuration register value is 0x1. For more information about the configuration register,
see the command reference.

Step 16

Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Disabling Password Recovery

To disable password recovery, so that unauthorized users cannot use the password recovery
mechanism to compromise the ASA, enter the following command:

Command                        Purpose
no service password-recovery   Disables password recovery.

Example:
hostname(config)# no service password-recovery

On the ASA, the no service password-recovery command prevents you from entering ROMMON mode
with the configuration intact. When you enter ROMMON mode, the ASA prompts you to erase all Flash
file systems. You cannot enter ROMMON mode without first performing this erasure. If you choose not
to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON
mode and maintaining the existing configuration, this erasure prevents you from recovering a password.
However, disabling password recovery prevents unauthorized users from viewing the configuration or
inserting different passwords. In this case, to restore the system to an operating state, load a new image
and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for information only. When
you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the
setting is to enter the command at the CLI prompt. Loading a new configuration with a different version
of the command does not change the setting. If you disable password recovery when the ASA is
configured to ignore the startup configuration at startup (in preparation for password recovery), then the
ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby
unit is configured to ignore the startup configuration, then the same change is made to the configuration
register when the no service password-recovery command replicates to the standby unit.
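As an added example (not part of the guide or of any Cisco tool), the following Python audit checks output captured from an ASA for the two settings this section and the preceding steps discuss: whether password recovery is disabled and whether the configuration register is at the documented default of 0x1. The hostname, the sample outputs and the assumed "Configuration register is 0x..." line format of show version are constructed assumptions.

```python
import re
from typing import List, Optional

DEFAULT_CONFIG_REGISTER = 0x1  # default value stated in the guide

# Constructed sample of `show running-config` output captured from a device
# (hypothetical hostname; not taken from the original page).
RUNNING_CONFIG_HARDENED = """\
: Saved
:
hostname asa-edge-1
no service password-recovery
names
!
interface Vlan1
 nameif inside
 security-level 100
!
"""
# Same sample with the hardening line absent (constructed).
RUNNING_CONFIG_DEFAULT = RUNNING_CONFIG_HARDENED.replace(
    "no service password-recovery\n", "")

# Constructed samples of the register line from `show version` output;
# the line format is an assumption, and any value other than 0x1 is non-default.
SHOW_VERSION_DEFAULT = "Configuration register is 0x1\n"
SHOW_VERSION_NONDEFAULT = "Configuration register is 0x41\n"

def password_recovery_disabled(running_config: str) -> bool:
    """True when `no service password-recovery` is present.

    Only trust this on output captured from the device itself: the guide notes
    the line in a configuration file is informational, and loading a file that
    contains it does not change the NVRAM setting."""
    return any(line.strip() == "no service password-recovery"
               for line in running_config.splitlines())

def config_register(show_version: str) -> Optional[int]:
    """Parse the configuration register value from `show version` output."""
    match = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    return int(match.group(1), 16) if match else None

def audit(running_config: str, show_version: str) -> List[str]:
    """Return findings; an empty list means both settings are as expected."""
    findings = []
    if not password_recovery_disabled(running_config):
        findings.append("password recovery enabled: ROMMON can be entered "
                        "with the configuration intact")
    register = config_register(show_version)
    if register is None:
        findings.append("configuration register not found in show version output")
    elif register != DEFAULT_CONFIG_REGISTER:
        findings.append(f"configuration register {register:#x} is not the default "
                        "0x1; verify the unit loads its startup configuration")
    return findings
```

Run audit() on show running-config and show version output captured from each unit (the active and the standby in a failover pair) rather than on backup files, for the reason given in the docstring.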
