From: Turritopsis D. T. En M. <tdt...@gm...> - 2024-01-21 16:04:56
Subject: Accidentally set Password Recovery Functionality to Disabled for Cisco ASA 5506-X Firewall After Following Guide with Conflicting Instructions

Good day from Singapore,

On Friday, 12 Jan 2024, my colleague Danial Robinson asked me to go to our customer's office at Paya Lebar Square, Singapore, to reset the password for a Cisco ASA 5506-X firewall. When I connected to the console of the Cisco ASA 5506-X firewall with PuTTY, I knew I was able to reset the password. But alas! I had followed a guide with conflicting instructions. The following is the guide with conflicting instructions.

Reference Guide: Password Recovery for the Cisco ASA 5500 Firewall (5505, 5510, 5520 etc.)
Link: https://www.networkstraining.com/password-recovery-for-the-cisco-asa-5500-firewall/

When I came to Step 7 in the guide, it gave conflicting instructions. Step 7 says: "Accept the default values for all settings (at the prompt enter Y)", which is apparently contradictory. Step 7 asks you to accept the default values for all settings, and yet it contradicts itself by asking you to enter Y at the prompt. Due to my carelessness and lack of careful thought, I accidentally entered Y when I was asked about setting password recovery to disabled. I had never thought my action would be permanent and irreversible. This was a complete disaster. After the reboot, I could no longer reset the password for the Cisco ASA 5506-X firewall. The change was permanent and irreversible. Every time I try to break into ROMMON mode, I am asked to permanently erase disk0, which is the flash.

<CODE>
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018 by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder

Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 74:88:bb:c8:72:bf

INFO: PASSWORD RECOVERY functionality is disabled.

WARNING: Password recovery and ROMMON command line access has been disabled by your security policy.
Answering YES below will cause ALL configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be downloaded via ROMMON.

Permanently erase 'disk0:'? no
</CODE>

Dear Cisco TAC support,

Is there any way to recover the startup-config without forcing me to permanently erase the flash, which would erase everything?

The following console output shows that I could not enter ROMMON mode at all after accidentally setting password recovery to disabled.

<CODE>
securevpn> reload
                ^
ERROR: % Invalid input detected at '^' marker.
securevpn>

Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018 by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder

Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 74:88:bb:c8:72:bf

INFO: PASSWORD RECOVERY functionality is disabled.

WARNING: Password recovery and ROMMON command line access has been disabled by your security policy.
Answering YES below will cause ALL configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be downloaded via ROMMON.

Permanently erase 'disk0:'? no

Located '.boot_string' @ cluster 997554.
#
Attempt autoboot: "boot disk0:/asa984-22-lfbff-k8.SPA"
Located 'asa984-22-lfbff-k8.SPA' @ cluster 969854.
############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
LFBFF signature verified.

INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
^[^[^[^[^[^[dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 138 files, 947320/1919830 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
IO Memory Nodes: 1
IO Memory Per Node: 387973120 bytes
Global Reserve Memory Per Node: 314572800 bytes Nodes=1
LCMB: got 387973120 bytes on numa-id=0, phys=0x38800000, virt=0x2aaaaae00000
LCMB: HEAP-CACHE POOL got 312475648 bytes on numa-id=0, virt=0x2aaac2000000
LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaad4a00000
Processor memory: 1638667399
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004

POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Fri 29-May-20 00:37 PDT by builders

Total NICs found: 14
i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 7488.bbc8.72bf
ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface      @ index 13 MAC: 0000.0100.0001

WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.
Verify the activation-key, it might take a while...
Running Permanent Activation Key:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

^[^[Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

Cisco Adaptive Security Appliance Software Version 9.8(4)22

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to ex...@ci....
  ******************************* Warning *******************************

Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2019 by Cisco Systems, Inc.

For licenses and notices for open source software used in this product,
please visit http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!!!!!...........
Cryptochecksum (unchanged): a44c49c9 4217b655 7de33b81 70c47440

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to securevpn
Logins over the last 1 days: 1. Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
securevpn>
</CODE>

The following is the "show version" console output.

<CODE>
securevpn> show version

Cisco Adaptive Security Appliance Software Version 9.8(4)22
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.8(2)151

Compiled on Fri 29-May-20 00:37 PDT by builders
System image file is "disk0:/asa984-22-lfbff-k8.SPA"
Config file at boot was "startup-config"

securevpn up 126 days 8 hours

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 7488.bbc8.72c0, irq 255
 2: Ext: GigabitEthernet1/2  : address is 7488.bbc8.72c1, irq 255
 3: Ext: GigabitEthernet1/3  : address is 7488.bbc8.72c2, irq 255
 4: Ext: GigabitEthernet1/4  : address is 7488.bbc8.72c3, irq 255
 5: Ext: GigabitEthernet1/5  : address is 7488.bbc8.72c4, irq 255
 6: Ext: GigabitEthernet1/6  : address is 7488.bbc8.72c5, irq 255
 7: Ext: GigabitEthernet1/7  : address is 7488.bbc8.72c6, irq 255
 8: Ext: GigabitEthernet1/8  : address is 7488.bbc8.72c7, irq 255
 9: Int: Internal-Data1/1    : address is 7488.bbc8.72bf, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 7488.bbc8.72bf, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number:
Running Permanent Activation Key:
Configuration register is 0x1
Image type          : Release
Key Version         : A
Configuration has not been modified since last system restart.
</CODE>

*************************************************************
Technical specifications of Cisco ASA 5506-X firewall
*************************************************************
Processor: CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Memory: 4 GB RAM
Storage: 8 GB Internal ATA Compact Flash
*************************************************************

The following is the "show flash" console output.

<CODE>
securevpn> show flash
--#--  --length--  -----date/time------  path
  122  108563072   Jan 25 2019 22:53:16  asa982-lfbff-k8.SPA
  123  26970456    Jan 25 2019 22:53:46  asdm-782.bin
  124  93          Jun 17 2020 18:50:42  .boot_string
   11  4096        Jan 25 2019 22:56:56  log
  144  1375        Mar 09 2020 12:54:10  log/asa-appagent.log
   19  4096        Jan 25 2019 22:57:48  crypto_archive
   20  4096        Jan 25 2019 22:57:50  coredumpinfo
   21  59          Jan 25 2019 22:57:50  coredumpinfo/coredump.cfg
  125  26916144    Mar 09 2020 16:39:48  asdm-781-150.bin
  126  28672       Jan 01 1980 08:00:00  FSCK0000.REC
  127  45961535    Mar 05 2020 20:34:28  anyconnect-win-4.7.01076-webdeploy-k9.pkg
  128  53129667    Mar 05 2020 20:34:48  anyconnect-macos-4.7.01076-webdeploy-k9.pkg
  129  12511       Mar 05 2020 23:07:36  oldconfig_2020Mar05_1451.cfg
  130  34033084    Mar 05 2020 23:09:02  asdm-7131.bin
  131  111281312   Mar 05 2020 23:29:58  asa984-8-lfbff-k8.SPA
  132  12851       Mar 05 2020 23:30:06  oldconfig_2020Mar05_1513.cfg
  133  26975568    Mar 05 2020 23:35:10  asdm-782-151_2.bin
  134  111290512   Jun 17 2020 14:46:10  asa984-10-lfbff-k8.SPA
  135  23506       Jun 17 2020 14:46:22  oldconfig_2020Jun17_0631.cfg
  136  23509       Jun 17 2020 15:07:42  backup_170620.cfg
  137  111383904   Jun 17 2020 18:25:30  asa984-22-lfbff-k8.SPA
  138  23674       Jun 17 2020 18:25:38  oldconfig_2020Jun17_1010.cfg
  139  4096        Jan 01 1980 08:00:00  FSCK0001.REC

7863623680 bytes total (3983400960 bytes free)
</CODE>

It looks like the Cisco ASA 5506-X firewall's operating system is also based on Linux and open source software.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com
GIMP also stands for Government-Induced Medical Problems.
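For readers who land on this thread with a similar device: the setting behind the ROMMON banner above ("PASSWORD RECOVERY functionality is disabled") is the ASA global configuration command `no service password-recovery`, and the console output quoted in the post is exactly what it produces at boot. The fragment below is an added illustration, not the original poster's commands or a verbatim copy of Cisco documentation. It shows the check, the weak and default settings side by side, and the ordinary recovery sequence that only works while recovery is still enabled. The hostname `ciscoasa` and the value `NEW_PASSWORD_HERE` are placeholders.

```text
! --- Check first: the default is "service password-recovery" and is not
! --- shown in the running config; only the disabling form is displayed.
ciscoasa# show running-config | include password-recovery
no service password-recovery

! --- The setting that caused the situation in this thread. Once saved, the
! --- only route back to a ROMMON prompt is answering yes to
! --- "Permanently erase 'disk0:'?", which wipes configs, images and passwords.
ciscoasa(config)# no service password-recovery

! --- Keep the default unless the appliance is physically exposed AND you hold
! --- an off-box copy of the startup-config and the boot image, because a
! --- forgotten enable password then costs you the whole flash.
ciscoasa(config)# service password-recovery
ciscoasa(config)# write memory

! --- Standard recovery, available only while service password-recovery is on:
! --- interrupt the boot (Break/Esc) to reach rommon, tell the box to ignore
! --- startup-config for one boot (0x41), then boot.
rommon #0> confreg 0x41
rommon #1> boot

! --- After boot no configuration is applied. Pull the saved config back in,
! --- set a new enable password, restore the register (the post's box shows
! --- "Configuration register is 0x1") and save.
ciscoasa> enable
ciscoasa# copy startup-config running-config
ciscoasa# configure terminal
ciscoasa(config)# enable password NEW_PASSWORD_HERE
ciscoasa(config)# config-register 0x1
ciscoasa(config)# write memory
```

The practical caveat is the one the post demonstrates: any prompt during password recovery that mentions disabling password recovery must be answered with the default (no), and the result should be confirmed with the `show running-config | include password-recovery` check before rebooting, because the disabled state cannot be undone from ROMMON without erasing disk0.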