I recently ran into a situation with a new Cisco ASA 5512-X IPS where I needed to fully reset it back to its factory default settings (ok, I entered a password incorrectly, twice. Thankfully it wasn’t in production yet). After some searching and reading, I came up with the following (get out of jail) process.

Note 1: I’m not a Cisco expert or engineer of any sort, so please proceed with absolute care. You can’t really destroy anything with this process, but misuse of this guide could cause undesired results.

Note 2: I’m not a Cisco export or engineer of any sort, however, I don’t see any reason why the following guide couldn’t be used at the very least, on any 5500 series Cisco ASA device. It may even apply to more devices than I am aware of. Again, please proceed with absolute care if you are using this guide on anything that is not a Cisco ASA 5512-X IPS.

Note 3: If you just want to reset the configuration and you haven’t lost access to the device, follow steps 1 and 2, and then skip down to the bottom.

Step 1.

Connect to the Cisco ASA 5512-X IPS with the serial over ethernet cable. This is otherwise known as the console cable. In most cases, it’s long, thin and light blue in colour. Connect the RJ45 end to the console port of the Cisco ASA 5512-X IPS and the other end to a computer or laptop with a serial port. You can’t just use a network cable. It won’t work.

Step 2.

Use PuTTY (download here), to connect to the Cisco ASA 5512-X IPS console. Change the Connection Type to Serial. In most cases, the Serial Line value will be COM1 with a Speed (aka baud rate) of 9600. Click the [Open] button to connect. If you have other devices connected via serial, you may need to substitute COM1 for COM2, or COM3, or COM4, etc. You’ll know when you’ve struck gold, because you’ll be able to see the Cisco ASA 5512-X IPS prompt.

(click here to skip to the bottom if you’re just factory resetting the configuration)

Step 3.

Immediately restart the Cisco ASA 5512-X IPS. You can either use the # reload command (after using # enable first, if you’re locked out this won’t be possibleor physically switch the Cisco ASA 5512-X IPS off, and then on again (handy if you’re locked out).

Step 4.

Pay attention! When you see the Booting from ROMMON prompt in the console window (there’ll be a 10 second count down timer), press the ESC key to interrupt. You’ll be quickly dropped to a rommon #1> prompt.

Step 5.

Enter the command: confreg. You’ll see a value that follows the text: Current Configuration Register: 0x00000001. Note yours down. This specific value (0x00000001) tells the Cisco ASA 5512-X IPS to boot normally, reading the previously saved configuration into memory.

Step 6.

You’ll be prompted to change the configuration now. Type a Y.

Step 7.

Answer the prompts as follows:

enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: y (this it the value that's most important to us at this step)
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: n

Step 8.

After the last prompt above, you’ll see a summary as follows:

Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Update Config Register (0x41) in NVRAM...
rommon #2>

Step 9.

We can now boot the Cisco ASA 5512-X IPS with the command: # boot

Step 10.

Any system configuration previously saved will be skipped, and a factory default configuration will be loaded. Now it’s time to reset the global (cisco) password.

Step 11.

At the ciscoasa> prompt, type: enable (press enter). The password will be nothing (just press enter again).

Step 12.

Copy the current startup configuration to the running configuration using the following command: # copy startup-config running-config (press enter).

Step 13.

Enter global configuration mode by running the following command: # configure terminal

Step 14.

Set the global password back to blank (nothing) with the following commands:

# password password
# enable password password
# username name password password

Step 15.

Copy the current running configuration to the startup configuration using the following command: # copy running-config startup-config (press enter).

Step 16.

Restart the Cisco ASA 5512-X IPS. You can either use the # reload command (after using enable firstor physically switch the Cisco ASA 5512-X IPS off, and then on again.

Step 17.

Pay attention! When you see the Booting from ROMMON prompt (there’ll be a 10 second count down timer), press the ESC key to interrupt. You’ll be quickly dropped to a rommon #1> prompt.

Step 18.

Enter the command: confreg. You’ll see a value that follows the text: Current Configuration Register: 0x00000041. Note yours down. This specific value tells the Cisco ASA 5512-X IPS to boot normally, skipping any previously saved configuration, loading a factory default configuration into memory.

Step 19.

You’ll be prompted to change the configuration now. Type a Y.

Step 20.

Answer the prompts as follows:

enable boot to ROMMON prompt? y/n [n]: n
enable TFTP netboot? y/n [n]: n
enable Flash boot? y/n [n]: y
select specific Flash image index? y/n [n]: n
disable system configuration? y/n [n]: n (this it the value that's most important to us at this step)
go to ROMMON prompt if netboot fails? y/n [n]: n
enable passing NVRAM file specs in auto-boot mode? y/n [n]: n
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]: n

Step 21.

After the last prompt above, you’ll see a summary as follows:

Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Update Config Register (0x1) in NVRAM...
rommon #2>

Step 22.

We can now boot the Cisco ASA 5512-X IPS with the command: # boot

Step 23.

The system configuration previously saved will be loaded, with a factory default configuration. You can now proceed to configure your Cisco ASA 5512-X IPS as new again!

 

Factory Reset the Configuration Only

  1. At the console prompt ciscoasa> type enable (press enter)
  2. If prompted, enter your password and press enter (the default password is nothing, just press enter).
  3. Type: # configure terminal (press enter)
  4. Type: # configure factory-default (press enter)
  5. Type: # reload save-config noconfirm (press enter)

Credits

The following links made this guide possible:

ASA Password Recovery

Restoring Factory Defaults to the Cisco ASA5505  Firewall via the Console

Howto reset factory defaults Cisco ASA Series 5500 series 5505 5510 5520

Cisco ASA 5500-X Series Quick Start Guide

Cisco ASA 5512-X Adaptive Security Appliance

Leave a Reply

Post Navigation