5-6. Firewall Password Recovery If the first-level (Telnet) and privileged user (enable) passwords on a functioning Cisco firewall are unknown or have been forgotten, it is possible to recover control of the device. Basically, a password recovery utility is downloaded to the firewall from a TFTP server. This procedure is very similar to upgrading the OS image from the PIX monitor prompt. Recovering a PIX or ASA Password Follow these steps to reload and erase the PIX passwords: 1. | Make sure a TFTP server is available.
The TFTP server should have a copy of the correct PIX Password Lockout Utility software. You can find this utility on Cisco.com at
http://www.cisco.com/warp/customer/110/npXX.bin
where XX is the PIX OS software release. For example, the utility for PIX OS 6.3 is called np63.bin.
| 2. | Boot the firewall to the monitor prompt.
Just after booting the firewall, press the Esc key to break the normal bootup sequence.
| 3. | Identify the TFTP server.
- a. Identify the firewall interface where the TFTP server is located:
monitor> interface number
TFTP uses the interface with index number (0 to n 1, where n is the number of interfaces installed). During the bootup sequence, the firewall lists the physical interfaces and their MAC addresses.
- b. Assign an IP address to that interface:
monitor> address ip-address
Here, the firewall needs just enough information to be able to contact the TFTP server. Only one physical interface can be used, so this IP address is applied to it. Because a subnet mask can't be given, the firewall assumes a regular classful network mask (172.17.69.41 yields a Class B mask of 255.255.0.0, for example).
If your TFTP server is located on a different classful subnet, you can also specify a gateway address that can route between the firewall and the server. Use the following monitor command:
monitor> gateway ip-address
- c. Make sure the firewall can reach the TFTP server.
The firewall must be able to reach the server with a minimal amount of routing. You can use the following monitor command to test reachability:
monitor> ping ip-address
- d. Define the TFTP server's IP address:
monitor> server ip-address
- e. Define the utility filename to fetch:
monitor> file npXX.bin
The utility file named npXX.bin (replace XX with the release number) is located in the TFTP server's root directory. This is often called the /tftpboot directory, but it depends on how your TFTP server is configured.
| 4. | Copy the utility from the TFTP server:
monitor> tftp
When the download is complete, the utility runs and prompts you to clear the PIX passwords. If you answer y to the prompt, the firewall reloads, and the passwords are reset to their default values (enable_1 is cisco; enable_15 is blank).
|
Recovering an FWSM Password Follow these steps to reload and erase the FWSM passwords: 1. | Boot the FWSM into the maintenance partition:
Router# hw-module module slot-number reset cf:1 Router# session slot slot-number processor 1
From the Catalyst 6500 Supervisor IOS EXEC prompt, the FWSM in slot slot-number can be reset so that it reboots into its maintenance partition. Log in as the user root. The default root password is cisco.
| 2. | Reset the passwords in the compact Flash configuration file:
root@localhost# clear passwd cf:partition_number root@localhost# exit
The FWSM compact Flash is organized into the five partitions listed in Table 5-4.
Table 5-4. FWSM Compact Flash PartitionsPartition | Function | Description |
|---|
cf:1 | Maintenance | Used for module file maintenance and upgrades | cf:2 | Network configuration | Maintenance image network configuration | cf:3 | Crash dump | Crashinfo contents | cf:4 | Application | Firewall image and configuration | cf:5 | Application | Alternative image and configuration |
To clear the passwords in the application partition, where the normal firewall image is executed, use partition-number 4 or 5, depending on which one contains the bootable image. For example, the clear passwd cf:4 command clears the passwords in the application partition 4 configuration file.
You are prompted to delete the password configuration commands (enable_1 becomes cisco; enable_15 becomes blank) and any AAA commands.
| 3. | Reload the FWSM into the application partition:
Router# hw-module module slot-number reset cf:partition-number
Specify the partition number that contains the bootable firewall image.
The application partition image is booted. You can log in to the FWSM using the default passwords.
|
TIP The FWSM contains two types of partitions you can boot: the maintenance partition and the application partition. You can reset the passwords in either partition by first booting into the opposite partition. For example, as the preceding sequence of steps illustrates, you can reset the application partition passwords by booting into the maintenance partition. You also can reset the maintenance partition passwords by booting into the application partition. You can't clear the passwords in the configuration of the partition that is booted, however. You can clear them only in a partition that is not currently in use.
|
