PIX525 - ASA Firewall
Password recovery howto step-by-step
This platform has an Unrestricted (UR) license.
--------------------------------------------------------------------------
. .
| |
||| |||
.|| ||. .|| ||.
.:||| | |||:..:||| | |||:.
C i s c o S y s t e m s
--------------------------------------------------------------------------
Turn on just ONE of the devices - choose which is going to be primary.
When logged in, issue the commands:
write erase
reload
When it boots up again, let's configure it!
As one of the devices still had a configuration, I had to perform a password recovery. If you are used to other Cisco devices like switches and routers, be warned: it is not so easy here.
Special file is needed with Password Tool and also connection to TFTP server.
So first, let's run our TFTP server from C2811 router:
tftp-server file usbflash0:8529-np70.bin
When you have TFTP ready, prepare an interface for the connection to the PIX. I set up 172.17.17.17 as the IP address and connected Fa0/1 to Ethernet 0 on the PIX.
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor>
monitor>
monitor> ?
? this help message
address [addr] set IP address of the PIX interface on which
the TFTP server resides
file [name] set boot file name
gateway [addr] set IP gateway
help this help message
interface [num] select TFTP interface
ping <addr> send ICMP echo
reload halt and reload system
server [addr] set server IP address
tftp TFTP download
timeout TFTP timeout
trace toggle packet tracing
monitor>
monitor> address ?
address 0.0.0.0
monitor>
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)
Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 0013.60e2.bbb6
monitor>
monitor> address 172.17.17.18 255.255.0.0
address 0.0.0.0
monitor> address 172.17.17.18
address 172.17.17.18
monitor>
monitor> gateway 172.17.17.17
gateway 172.17.17.17
monitor>
monitor>
monitor> ping 172.17.17.17 --- for testing purposes, no ping / no tftp;)
Sending 5, 100-byte 0xe1ab ICMP Echoes to 172.17.17.17, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor>
monitor>
monitor> server 172.17.17.17
server 172.17.17.17
monitor>
monitor> file 8529-np70.bin
file 8529-np70.bin
monitor>
monitor>
monitor> tftp
tftp 8529-np70.bin@172.17.17.17 via 172.17.17.17.............................................................................................................................................................................................................................................................
Received 129024 bytes
Cisco PIX Security Appliance password tool (3.0) #0: Thu Jun 9 21:45:44 PDT 2005
Initializing flashfs...
flashfs[0]: 7 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 16128000
flashfs[0]: Bytes used: 14300160
flashfs[0]: Bytes available: 1827840
flashfs[0]: Initialization complete.
Using the default startup configuration
Do you wish to erase the passwords? y/n [n]: y
The following lines will be removed from the configuration:
enable password H75KO93BH/Ur8Ksg encrypted
passwd H75KO93BH/Ur8Ksg encrypted
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
Do you want to remove the commands listed above from the configuration? y/n [n] y
Passwords and aaa commands have been erased.
And so that's it: we have access to enable mode and to config terminal on the PIX-525 ASA firewall.
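The password tool's output above lists exactly what it strips: the enable password, the passwd line and the aaa console/authorization lines. The device then boots with enable mode and the console open to anyone. As an added example (not code from the original post), the Python below models that effect on a constructed configuration fragment and audits the result so the missing credentials and AAA settings can be listed and re-applied before the firewall goes back into service. The sample configuration and its placeholder hashes are invented for the example.

```python
import re

# Constructed sample startup configuration fragment (not the configuration
# from the original post; the password hashes are placeholders).
SAMPLE_CONFIG = """\
hostname pix525
enable password PLACEHOLDERHASH1 encrypted
passwd PLACEHOLDERHASH2 encrypted
username admin password PLACEHOLDERHASH3 encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ssh 172.17.17.0 255.255.255.0 inside
"""

# Command prefixes the tool reports as removed, taken from its output above:
# enable password, passwd, aaa authentication <proto> console, aaa authorization command.
REMOVED_PATTERNS = [
    re.compile(r"^enable password\b"),
    re.compile(r"^passwd\b"),
    re.compile(r"^aaa authentication \S+ console\b"),
    re.compile(r"^aaa authorization command\b"),
]


def lines_removed_by_password_tool(config: str) -> list[str]:
    """Return the configuration lines the password tool would strip."""
    return [ln for ln in config.splitlines()
            if any(p.match(ln) for p in REMOVED_PATTERNS)]


def simulate_password_tool(config: str) -> str:
    """Model the tool's effect: the same configuration with those lines removed."""
    removed = set(lines_removed_by_password_tool(config))
    kept = [ln for ln in config.splitlines() if ln not in removed]
    return "\n".join(kept) + "\n"


def post_recovery_gaps(config: str) -> list[str]:
    """List the credential and AAA settings a recovered configuration lacks.

    Every item returned is something that must be configured again after the
    tool has run; until then enable mode and the console need no password.
    """
    lines = config.splitlines()
    checks = {
        "enable password not set": r"^enable password\b",
        "login password (passwd) not set": r"^passwd\b",
        "no AAA authentication for enable": r"^aaa authentication enable console\b",
        "no AAA authentication for ssh": r"^aaa authentication ssh console\b",
        "no AAA command authorization": r"^aaa authorization command\b",
    }
    return [msg for msg, pat in checks.items()
            if not any(re.match(pat, ln) for ln in lines)]


if __name__ == "__main__":
    print("Lines the tool removes:")
    for ln in lines_removed_by_password_tool(SAMPLE_CONFIG):
        print("  " + ln)
    after = simulate_password_tool(SAMPLE_CONFIG)
    print("Gaps to fix after recovery:")
    for gap in post_recovery_gaps(after):
        print("  " + gap)
```

Running the audit against the saved `startup-config` of a recovered unit (or against the config of its failover peer, which keeps the old credentials) gives the checklist of what to restore; a unit that reports no gaps but still has the old `enable password` hash has not had its passwords rotated after the recovery.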
New issue:
- one device has an Active/Active license and the second an Active/Standby license