Accidentally set Password Recovery Functionality to Disabled for Cisco ASA 5506-X Firewall After Following Guide with Conflicting Instructions

Subject: Accidentally set Password Recovery Functionality to Disabled for Cisco ASA 5506-X Firewall After Following Guide with Conflicting Instructions


Good day from Singapore,


On 12 Jan 2024 Friday, my colleague Danial Robinson asked me to go to our customer office at Paya Lebar Square, Singapore to reset the password for Cisco ASA 5506-X firewall.


When I putty into the console of Cisco ASA 5506-X firewall, I knew I was able to reset the password.


But alas! I had followed a guide with conflicting instructions.


The following is the guide with conflicting instructions.


Reference Guide: Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)


Link: https://www.networkstraining.com/password-recovery-for-the-cisco-asa-5500-firewall/


When I came to Step 7 in the guide, it gave conflicting instructions.


Step 7 says: "Accept the default values for all settings (at the prompt enter Y)", which is apparently contradictory.


Step 7 asks you to accept the default values for all settings and yet it contradicts itself by asking you to enter Y at the prompt.


Due to my carelessness and lack of careful thought, I had accidentally entered Y when I was asked about setting password recovery to disabled. I had never thought my action would be permanent and irreversible. 


This was a complete disaster. After the reboot, I could no longer reset the password for Cisco ASA 5506-X firewall. The change was permanent and irreversible.


Every time I try to break into ROMMON mode, I was asked to permanently erase disk0, which is the flash.


<CODE>


Rom image verified correctly



Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE

Copyright (c) 1994-2018  by Cisco Systems, Inc.

Compiled Tue 06/05/2018 22:45:19.61 by builder



Current image running: Boot ROM0

Last reset cause: PowerOn

DIMM Slot 0 : Present


Platform ASA5506 with 4096 Mbytes of main memory

MAC Address: 74:88:bb:c8:72:bf



INFO: PASSWORD RECOVERY functionality is disabled.

WARNING: Password recovery and ROMMON command line access has been

disabled by your security policy. Answering YES below will cause ALL

configurations, passwords, images in 'disk0:' to be erased.

ROMMON command line access will be re-enabled, and a new image must be

downloaded via ROMMON.


Permanently erase 'disk0:'? no


</CODE>


Dear Cisco TAC support,


Is there any way to recover the startup-config without forcing me to permanently erase the flash? Which will erase everything?


The following console output shows that I could not enter ROMMON mode at all, after accidentally setting password recovery to disabled.


<CODE>


securevpn> reload

           ^

ERROR: % Invalid input detected at '^' marker.

securevpn>

Rom image verified correctly



Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE

Copyright (c) 1994-2018  by Cisco Systems, Inc.

Compiled Tue 06/05/2018 22:45:19.61 by builder



Current image running: Boot ROM0

Last reset cause: PowerOn

DIMM Slot 0 : Present


Platform ASA5506 with 4096 Mbytes of main memory

MAC Address: 74:88:bb:c8:72:bf



INFO: PASSWORD RECOVERY functionality is disabled.

WARNING: Password recovery and ROMMON command line access has been

disabled by your security policy. Answering YES below will cause ALL

configurations, passwords, images in 'disk0:' to be erased.

ROMMON command line access will be re-enabled, and a new image must be

downloaded via ROMMON.


Permanently erase 'disk0:'? no

Located '.boot_string' @ cluster 997554.


#

Attempt autoboot: "boot disk0:/asa984-22-lfbff-k8.SPA"

Located 'asa984-22-lfbff-k8.SPA' @ cluster 969854.


###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

LFBFF signature verified.

INIT: version 2.88 booting

Starting udev

Configuring network interfaces... done.

Populating dev cache

^[^[^[^[^[^[dosfsck 2.11, 12 Mar 2005, FAT32, LFN

There are differences between boot sector and its backup.

Differences: (offset:original/backup)

  65:01/00

  Not automatically fixing this.

Starting check/repair pass.

Starting verification pass.

/dev/sdb1: 138 files, 947320/1919830 clusters

dosfsck(/dev/sdb1) returned 0

Mounting /dev/sdb1

IO Memory Nodes: 1

IO Memory Per Node: 387973120 bytes


Global Reserve Memory Per Node: 314572800 bytes Nodes=1


LCMB: got 387973120 bytes on numa-id=0, phys=0x38800000, virt=0x2aaaaae00000

LCMB: HEAP-CACHE POOL got 312475648 bytes on numa-id=0, virt=0x2aaac2000000

LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaad4a00000

Processor memory:   1638667399

M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004

M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004

POST started...

POST finished, result is 0 (hint: 1 means it failed)


Compiled on Fri 29-May-20 00:37 PDT by builders


Total NICs found: 14

i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 7488.bbc8.72bf

ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002

en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001

en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003

en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000

en_vtun rev00 Backplane Tap Interface     @ index 13 MAC: 0000.0100.0001

WARNING: Attribute already exists in the dictionary.

WARNING: Attribute already exists in the dictionary.

Verify the activation-key, it might take a while...

Running Permanent Activation Key: 


Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 5              perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Disabled       perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual


This platform has a Base license.


^[^[Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)


Cisco Adaptive Security Appliance Software Version 9.8(4)22


  ****************************** Warning *******************************

  This product contains cryptographic features and is

  subject to United States and local country laws

  governing, import, export, transfer, and use.

  Delivery of Cisco cryptographic products does not

  imply third-party authority to import, export,

  distribute, or use encryption. Importers, exporters,

  distributors and users are responsible for compliance

  with U.S. and local country laws. By using this

  product you agree to comply with applicable laws and

  regulations. If you are unable to comply with U.S.

  and local laws, return the enclosed items immediately.


  A summary of U.S. laws governing Cisco cryptographic

  products may be found at:

  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html


  If you require further assistance please contact us by

  sending email to export@cisco.com.

  ******************************* Warning *******************************

Cisco Adaptive Security Appliance Software, version 9.8

Copyright (c) 1996-2019 by Cisco Systems, Inc.

For licenses and notices for open source software used in this product, please visit

http://www.cisco.com/go/asa-opensource


                Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.


                Cisco Systems, Inc.

                170 West Tasman Drive

                San Jose, California 95134-1706


Reading from flash...

!!!!!...........

Cryptochecksum (unchanged): a44c49c9 4217b655 7de33b81 70c47440


INFO: Power-On Self-Test in process.

.......................................................................

INFO: Power-On Self-Test complete.


INFO: Starting HW-DRBG health test...

INFO: HW-DRBG health test passed.


INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.

User enable_1 logged in to securevpn

Logins over the last 1 days: 1.

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

securevpn>


</CODE>


The following is the "show version" console output.


<CODE>


securevpn> show version


Cisco Adaptive Security Appliance Software Version 9.8(4)22

Firepower Extensible Operating System Version 2.2(2.124)

Device Manager Version 7.8(2)151


Compiled on Fri 29-May-20 00:37 PDT by builders

System image file is "disk0:/asa984-22-lfbff-k8.SPA"

Config file at boot was "startup-config"


securevpn up 126 days 8 hours


Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Internal ATA Compact Flash, 8000MB

BIOS Flash M25P64 @ 0xfed01000, 16384KB


Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

                             Number of accelerators: 1


 1: Ext: GigabitEthernet1/1  : address is 7488.bbc8.72c0, irq 255

 2: Ext: GigabitEthernet1/2  : address is 7488.bbc8.72c1, irq 255

 3: Ext: GigabitEthernet1/3  : address is 7488.bbc8.72c2, irq 255

 4: Ext: GigabitEthernet1/4  : address is 7488.bbc8.72c3, irq 255

 5: Ext: GigabitEthernet1/5  : address is 7488.bbc8.72c4, irq 255

 6: Ext: GigabitEthernet1/6  : address is 7488.bbc8.72c5, irq 255

 7: Ext: GigabitEthernet1/7  : address is 7488.bbc8.72c6, irq 255

 8: Ext: GigabitEthernet1/8  : address is 7488.bbc8.72c7, irq 255

 9: Int: Internal-Data1/1    : address is 7488.bbc8.72bf, irq 255

10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0

11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0

12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0

13: Ext: Management1/1       : address is 7488.bbc8.72bf, irq 0

14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0


Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 5              perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Disabled       perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual


This platform has a Base license.


Serial Number: 

Running Permanent Activation Key: 

Configuration register is 0x1

Image type                : Release

Key Version               : A

Configuration has not been modified since last system restart.


</CODE>


*************************************************************

Technical specifications of Cisco ASA 5506-X firewall

*************************************************************


Processor: CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Memory: 4 GB RAM

Storage: 8 GB Internal ATA Compact Flash


*************************************************************


The following is the "show flash" console output.


<CODE>


securevpn> show flash

--#--  --length--  -----date/time------  path

  122  108563072   Jan 25 2019 22:53:16  asa982-lfbff-k8.SPA

  123  26970456    Jan 25 2019 22:53:46  asdm-782.bin

  124  93          Jun 17 2020 18:50:42  .boot_string

   11  4096        Jan 25 2019 22:56:56  log

  144  1375        Mar 09 2020 12:54:10  log/asa-appagent.log

   19  4096        Jan 25 2019 22:57:48  crypto_archive

   20  4096        Jan 25 2019 22:57:50  coredumpinfo

   21  59          Jan 25 2019 22:57:50  coredumpinfo/coredump.cfg

  125  26916144    Mar 09 2020 16:39:48  asdm-781-150.bin

  126  28672       Jan 01 1980 08:00:00  FSCK0000.REC

  127  45961535    Mar 05 2020 20:34:28  anyconnect-win-4.7.01076-webdeploy-k9.pkg

  128  53129667    Mar 05 2020 20:34:48  anyconnect-macos-4.7.01076-webdeploy-k9.pkg

  129  12511       Mar 05 2020 23:07:36  oldconfig_2020Mar05_1451.cfg

  130  34033084    Mar 05 2020 23:09:02  asdm-7131.bin

  131  111281312   Mar 05 2020 23:29:58  asa984-8-lfbff-k8.SPA

  132  12851       Mar 05 2020 23:30:06  oldconfig_2020Mar05_1513.cfg

  133  26975568    Mar 05 2020 23:35:10  asdm-782-151_2.bin

  134  111290512   Jun 17 2020 14:46:10  asa984-10-lfbff-k8.SPA

  135  23506       Jun 17 2020 14:46:22  oldconfig_2020Jun17_0631.cfg

  136  23509       Jun 17 2020 15:07:42  backup_170620.cfg

  137  111383904   Jun 17 2020 18:25:30  asa984-22-lfbff-k8.SPA

  138  23674       Jun 17 2020 18:25:38  oldconfig_2020Jun17_1010.cfg

  139  4096        Jan 01 1980 08:00:00  FSCK0001.REC


7863623680 bytes total (3983400960 bytes free)


</CODE>


Looks like Cisco ASA 5506-X firewall operating system is also based on Linux and open source software.


Regards,


Mr. Turritopsis Dohrnii Teo En Ming

Targeted Individual in Singapore

Blogs:

https://tdtemcerts.blogspot.com

https://tdtemcerts.wordpress.com

GIMP also stands for Government-Induced Medical Problems.





REFERENCES

=============


[1] https://sourceforge.net/p/net-snmp/mailman/message/58726906/


[2] https://community.cisco.com/t5/cisco-software-discussions/accidentally-set-password-recovery-to-disabled-for-cisco-asa/m-p/5001940#M8615


[3] https://lore.kernel.org/netdev/JOhkKNLAc4s78ndVx8fG5cjGyh-Gc3XA4csUXYJuv4wk56cuZcff2t2gbtvAtkujWkL3nTOKdBirMvSIyc0OZWFKW2zZwWogvHI0kusQ5C4=@protonmail.com/


[4] https://marc.info/?l=linux-netdev&m=170587828004108&w=2


[5] https://yhbt.net/lore/all/JOhkKNLAc4s78ndVx8fG5cjGyh-Gc3XA4csUXYJuv4wk56cuZcff2t2gbtvAtkujWkL3nTOKdBirMvSIyc0OZWFKW2zZwWogvHI0kusQ5C4=@protonmail.com/


Comments

Popular posts from this blog

How the Singapore Government cheated my family of a HDB flat (Draft 22 Aug 2023)

[DRAFT 26 SEP 2022] HDB refuses to reduce monthly rental fees of my rental flat despite many appeals