how to change ASA 5520 enable mode password


17 replies to this topic

#1 tkp89

tkp89

    Junior Member

  • Members
  • PipPip
  • 7 posts
  • 0 thanks

Posted 07 November 2009 - 06:46 AM

Hi Bro and experts out there,

I am new to the Cisco ASA 5520; recently I configured and set up a new Cisco ASA 5520.

By default, the Cisco ASA 5520 had no password.

Since then I have configured the below on the ASA 5520:
Configure a privileged level password (enable password)
ASA5520(config)# enable password abcde

Since then I can no longer change this enable password.

Does anyone know how to go about changing the enable password again?

Or is there simply no way to change it again except to do password recovery?

I have posted this thread to many other forums; to date, the feedback I am getting back is that it is due to a bug.

Appreciate all sorts of help.

Thank you.

#2 Big Evil

Big Evil

    Space Cowboy

  • Veteran
  • PipPipPip
  • 220 posts
  • 456 thanks

Posted 07 November 2009 - 08:07 AM

Sounds like somehow it is a once-change issue. What I mean is you have to change the default from the factory setting, and once changed you are unable to change it again, like the function has been disabled.

You would have to alter this in rommon I would have thought, but I would know how to do this. I'm at home now, but when I'm back at work in a few days I will try and work it out on one.

#3 tkp89

Posted 09 November 2009 - 03:32 PM

Cool, finally there is somebody who understands my ASA problem.

Hope to hear from you soon.

#4 Big Evil

Posted 09 November 2009 - 03:47 PM

Just so I have all the info, bro.

What level priv mode are you in?
Are you on console or SSH?

Could you put up a sh ve, sh run?

#5 Big Evil

Posted 09 November 2009 - 04:10 PM

Also, can you change the hostname or anything similar?

#6 Cosmus

Cosmus

    Member

  • Members
  • PipPip
  • 28 posts
  • 34 thanks

Posted 11 November 2009 - 11:30 AM

This is indeed a strange problem. After you enter enable mode (by writing "enable" at the ciscoasa> prompt), you should have level 15 privilege, which allows you to change the enable password.

We definitely need to know how you log in to the ASA...

#7 tkp89

Posted 11 November 2009 - 12:39 PM

Hi All,

Please refer to below for the sh version

pri/act/ServerFW# sh version

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(1)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

ServerFW up 31 days 20 hours
failover cluster up 31 days 20 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 001c.58a2.e7ac, irq 9
1: Ext: GigabitEthernet0/1  : address is 001c.58a2.e7ad, irq 9
2: Ext: GigabitEthernet0/2  : address is 001c.58a2.e7ae, irq 9
3: Ext: GigabitEthernet0/3  : address is 001c.58a2.e7af, irq 9
4: Ext: Management0/0       : address is 001c.58a2.e7ab, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1133L0N4
Running Activation Key: 0x51196640 0xc88bfb8d 0x5011b95c 0xb4885438 0x8b00848b
Configuration register is 0x1
Configuration last modified by netadmin at 09:58:23.003 SGT Mon Oct 26 2009

=================================================================

Partial sh run of the ASA due to confidentiality
------------------------------------------
hostname ServerFW
domain-name isecurep.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names

aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL

username netadmin password EG8HsOf/ChinAwMA encrypted privilege 15

I can log in to this ASA by ASDM or through SSH from a Linux server.

Cisco ASA Firewall-Active
netadmin@192.168.161.1's password:
Type help or '?' for a list of available commands.
pri/act/ServerFW> en
Password: ********
pri/act/ServerFW# config t
pri/act/ServerFW(config)#

Really appreciate all bros and experts out there contributing ideas and advice.

#8 Cosmus

Posted 11 November 2009 - 02:45 PM

Do you get an error message when you try to change the enable password? Could you show us this message?

#9 Big Evil

Posted 12 November 2009 - 12:55 PM

Are you logging in via LAN or WAN?

#10 tkp89

Posted 12 November 2009 - 01:11 PM

Hi Bros,

I have tried accessing the ASA via LAN, WAN and console; the result is the same.

I tried to make the change in CLI mode, with no instances of error.

Except when I try to change the enable mode password via ASDM, I have a problem.

Refer to below
============
Under Enable Password

I had put a tick on the "change the privileged mode password" option

Old Password: ******
New Password: ******
Confirm Password: ******

Then a pop-up appears saying Error. The error message is as below:

The Old Enable Password does not match the current Enable password on the
ASA. Please try again

#11 Cosmus

Posted 13 November 2009 - 08:18 AM

Since you have no error message in CLI, it is working.

When you log in to ASDM, enable password is not required. This is why you need to input the old enable password before changing it to a new one. You must be making a typo when writing the old enable password in ASDM.

#12 undercover_bro

undercover_bro

    Member

  • Members
  • PipPip
  • 24 posts
  • 2 thanks

Posted 16 November 2009 - 01:27 PM

Hi
The enable password which you already have is the OLD PASSWORD ASDM is expecting, but if you are getting this error it means that the OLD PASSWORD you provided is indeed wrong. Check your enable password and try again, or use the CLI to configure it. For this you should be on priv level 15, or directly consoled into the unit in priv mode. So if you can't access priv mode from the CLI with the password you provide as OLD PASSWORD, the password you provide is definitely wrong. Check your OLD PASSWORD and try again.
brgds


Cisco Certified Security Professional / Cisco IPS Specialist / Cisco ASA Specialist / Cisco IOS Security Specialist / Cisco Information Security Specialist

AND YE SHALL KNOW THE TRUTH AND THE TRUTH SHALL MAKE YOU FREE
undercover_bro, proud to be a member of IT Certification Forum since Feb 2009.
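
Added example (not part of any post in this thread): a CLI check that an enable password change took effect, and of which secret each prompt tests, using the configuration posted in #7. Lines starting with ! are annotations; the bracketed placeholders and the show curpriv output are constructed, not values from the thread.

```cisco
! Who is logged in, and at what privilege level? (the question in post #4)
pri/act/ServerFW# show curpriv
Username : netadmin
Current privilege level : 15
Current Mode/s : P_PRIV

! Record the stored enable hash before the change.
pri/act/ServerFW# show running-config enable
enable password <hash-before> encrypted

! Change it from configuration mode.
pri/act/ServerFW# configure terminal
pri/act/ServerFW(config)# enable password <new-enable-password>
pri/act/ServerFW(config)# end

! A different hash here means the CLI change was accepted.
pri/act/ServerFW# show running-config enable
enable password <hash-after> encrypted

! Check how the enable prompt is authenticated.
pri/act/ServerFW# show running-config aaa
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
! With "aaa authentication enable console LOCAL", the Password: prompt
! after "enable" is checked against the logged-in user's LOCAL password
! (netadmin here), not against the enable password.
! The ASDM "Old Password" field, per the error text in post #10, is
! compared with the enable password itself.

! Persist the change.
pri/act/ServerFW# write memory
```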

#13 tkp89

Posted 24 November 2009 - 02:05 PM

Hi All,

After further checking,

pri/act/ServerFW# config t
pri/act/ServerFW(config)# no enable password level 15
Passwords can be removed only for levels <0-14>

I believe as long as I can find a way to remove the enable password for level 15, I should be able to solve my problem.

Has anyone had experience with this before?

Thank you.

#14 undercover_bro

Posted 25 November 2009 - 04:54 AM

Do password recovery: change the config registry (bypass startup-config) .... boot up the FW, load the startup-config into the running-config and then set a new enable password. Save the running-config to startup. It should solve your problem.
brgds


Cisco Certified Security Professional / Cisco IPS Specialist / Cisco ASA Specialist / Cisco IOS Security Specialist / Cisco Information Security Specialist

AND YE SHALL KNOW THE TRUTH AND THE TRUTH SHALL MAKE YOU FREE
undercover_bro, proud to be a member of IT Certification Forum since Feb 2009.
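
Added example (not part of any post in this thread): the recovery sequence described in post #14 written out as a console session on an ASA 5500, assuming the unit has not been configured with no service password-recovery. Lines starting with ! are annotations, the prompts are illustrative, <new-enable-password> is a placeholder, and 0x1 is the register value shown in the sh version output in post #7.

```cisco
! Connect to the console port, power-cycle the ASA, and press Esc when
! prompted during startup to enter ROMMON.
rommon #1> confreg 0x41
rommon #2> boot

! The ASA boots a default configuration and ignores startup-config,
! so the enable password is blank: press Enter at the prompt.
ciscoasa> enable
Password:
! Load the saved configuration into the running configuration.
ciscoasa# copy startup-config running-config

! Set the new enable password while still in privileged mode.
ServerFW# configure terminal
ServerFW(config)# enable password <new-enable-password>

! Restore the register so the next boot loads startup-config again.
ServerFW(config)# config-register 0x1
ServerFW(config)# end

! Save the running configuration, including the new password.
ServerFW# copy running-config startup-config
```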



