My Network Security Journal: August 2013

Sunday, August 18, 2013

Routing with OSPF in ASA

OSPF is a link-state routing protocol that can partition a network into a hierarchy of distinct numbered areas. Area 0 is always considered the backbone area of an OSPF domain or autonomous system, which must connect to all other areas.

When an OSPF router connects to two or more different areas, it is called an Area Border Router (ABR). When an OSPF router connects an area to a non-OSPF domain and it imports routing information from other sources into OSPF, it is called an Autonomous System Boundary Router (ASBR).

OSPF routers build a common database of the status of all links in the area by exchanging link-state advertisements (LSA). The routers build their routing tables by computing the shortest path first (SPF) algorithm based on that database. OSPF uses a path cost value, which is based on link bandwidth, as a routing metric. An ASA can support at most two different OSPF process.

For this scenario, we configured the ASA to use OSPF in exchanging routes with routers in Area 0.

ASA(config)# interface gigabitethernet0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# ip address 192.168.1.2 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# ospf ?

interface mode commands/options:
authentication       Enable authentication
authentication-key   Authentication password (key)
cost                 Interface cost
database-filter      Filter OSPF LSA during synchronization and flooding
dead-interval        Interval after which a neighbor is declared dead
hello-interval       Time between HELLO packets
message-digest-key   Message digest authentication password (key)
mtu-ignore           Ignores the MTU in DBD packets
network              Network type
priority             Router priority
retransmit-interval Time between retransmitting lost link state
                       advertisements
transmit-delay       Link state transmit delay
ASA(config-if)# ospf cost ?

interface mode commands/options:
<1-65535> Cost
ASA(config-if)# ospf cost 10
ASA(config-if)# interface gigabitethernet1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# ip address 172.16.1.1 255.255.255.0
ASA(config-if)# ospf cost 10
ASA(config-if)# ospf authentication ?

interface mode commands/options:
message-digest Use message-digest authentication
null            Use no authentication
<cr>
ASA(config-if)# ospf authentication message-digest
ASA(config-if)# ospf message-digest-key ?

interface mode commands/options:
<1-255> Key ID
ASA(config-if)# ospf message-digest-key 1 ?

interface mode commands/options:
md5 Use MD5 algorithm
ASA(config-if)# ospf message-digest-key 1 md5 cisco
ASA(config-if)#exit
ASA(config)# router ?

configure mode commands/options:
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf   Open Shortest Path First (OSPF)
rip    Routing Information Protocol (RIP)
ASA(config)# router ospf ?

configure mode commands/options:
<1-65535> Process ID
ASA(config)# router ospf 1
ASA(config-router)# ?

Router configuration commands:
area                 OSPF area parameters
compatible           OSPF compatibility list
default-information Control distribution of default information
distance             Define an administrative distance
exit                 Exit from router configuration mode
help                 Interactive help for router subcommands
ignore               Do not complain about specific event
log-adj-changes      Log changes in adjacency state
neighbor             Specify a neighbor router
network              Add/remove interfaces to/from routing process
no                   Negate a command
redistribute         Redistribute information from another routing process
router-id            router-id for this OSPF process
summary-address      Configure IP address summaries
timers               Adjust routing timers
ASA(config-router)# network ?

router mode commands/options:
Hostname or A.B.C.D Network address
ASA(config-router)# network 172.16.1.0 ?

router mode commands/options:
A.B.C.D Mask for network address
ASA(config-router)# network 172.16.1.0 255.255.255.0 ?

router mode commands/options:
area Set the OSPF area ID
ASA(config-router)# network 172.16.1.0 255.255.255.0 area ?

router mode commands/options:
<0-18446744073709551615> OSPF area ID as a decimal value
Hostname or A.B.C.D       OSPF area ID
ASA(config-router)# network 172.16.1.0 255.255.255.0 area 0
ASA(config-router)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0 255.255.255.0 is directly connected, outside
ASA(config-router)# exit
ASA(config)# route outside 0 0 192.168.1.1
ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

ASA# debug ospf ?

adj
database-timer
events
flood
lsa-generation
packet
retransmission
spf
tree
<cr>
ASA# debug ospf adj
OSPF adjacency events debugging is on
ASA# debug ospf events
OSPF events debugging is on
ASA# configure terminal
ASA(config)# interface gigabitethernet1
ASA(config-if)# no shutdown
ASA(config-if)#
OSPF: Interface inside going Up
OSPF: Send with youngest Key 1
OSPF: Build router LSA for area 0, router ID 192.168.1.2, seq 0x80000002
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: End of hello processing
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: 2 Way Communication to 172.16.1.2 on inside, state 2WAY
OSPF: Backup seen Event before WAIT timer on inside
OSPF: DR/BDR election on inside
OSPF: Elect BDR 192.168.1.2
OSPF: Elect DR 172.16.1.2
OSPF: Elect BDR 192.168.1.2
OSPF: Elect DR 172.16.1.2
       DR: 172.16.1.2 (Id)   BDR: 192.168.1.2 (Id)
OSPF: Send DBD to 172.16.1.2 on inside seq 0x1237 opt 0x2 flag 0x7 len 32
OSPF: Send with youngest Key 1
OSPF: End of hello processing
OSPF: Rcv DBD from 172.16.1.2 on inside seq 0x2283 opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
OSPF: First DBD and we are not SLAVE
OSPF: Rcv DBD from 172.16.1.2 on inside seq 0x1237 opt 0x52 flag 0x2 len 92 mtu 1500 state EXSTART
OSPF: NBR Negotiation Done. We are the MASTER
OSPF: Send DBD to 172.16.1.2 on inside seq 0x1238 opt 0x2 flag 0x3 len 52
OSPF: Send with youngest Key 1
OSPF: Send with youngest Key 1
OSPF: Database request to 172.16.1.2
OSPF: sent LS REQ packet to 172.16.1.2, length 36
OSPF: Rcv DBD from 172.16.1.2 on inside seq 0x1238 opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
OSPF: Send DBD to 172.16.1.2 on inside seq 0x1239 opt 0x2 flag 0x1 len 32
OSPF: Send with youngest Key 1
OSPF: Send with youngest Key 1
OSPF: Rcv DBD from 172.16.1.2 on inside seq 0x1239 opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
OSPF: Exchange Done with 172.16.1.2 on inside
OSPF: Synchronized with 172.16.1.2 on inside, state FULL
OSPF: Send with youngest Key 1
OSPF: Build router LSA for area 0, router ID 192.168.1.2, seq 0x80000003
OSPF: Send with youngest Key 1
OSPF: Send with youngest Key 1
OSPF: Send with youngest Key 1
OSPF: Rcv hello from 172.16.1.2 area 0 from inside 172.16.1.2
OSPF: Neighbor change Event on interface inside
OSPF: DR/BDR election on inside
OSPF: Elect BDR 192.168.1.2
OSPF: Elect DR 172.16.1.2
       DR: 172.16.1.2 (Id)   BDR: 192.168.1.2 (Id)
OSPF: End of hello processing
ASA(config-if)# no debug ospf
ASA(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
O    10.1.10.1 255.255.255.255 [110/75] via 172.16.1.2, 0:00:36, inside
O    10.1.2.0 255.255.255.0 [110/74] via 172.16.1.2, 0:00:36, inside
O    10.1.1.0 255.255.255.0 [110/74] via 172.16.1.2, 0:00:36, inside
O    10.1.5.1 255.255.255.255 [110/75] via 172.16.1.2, 0:00:36, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

ASA# show ospf ?

<1-65535>            OSPF process id
border-routers       Show OSPF border routers
database             Show OSPF database
flood-list           Show OSPF link state flood lists
interface            Show OSPF information for a specific interface
neighbor             Show OSPF neighbors
request-list         Show OSPF link state request-lists
retransmission-list Show OSPF link state retransmission-lists
summary-address      Show OSPF summary addresses
virtual-links        Show OSPF virtual links
|                    Output modifiers
<cr>

ASA# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.2        1   FULL/DR         0:00:31     172.16.1.2      inside

ASA# show ospf database

       OSPF Router with ID (192.168.1.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.5.1        10.1.5.1        949         0x80000002 0x1a6b 3
10.1.10.1       10.1.10.1       898         0x80000002 0x274d 3
172.16.1.2      172.16.1.2      90          0x80000006 0x1776 5
192.168.1.2     192.168.1.2     88          0x80000003 0x3898 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.2      172.16.1.2      89          0x80000001 0x 589

ASA# ping 10.1.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/80/220 ms
ASA# ping 10.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/100 ms

Saturday, August 10, 2013

Network Time Protocol (NTP) on an ASA

To ensure precise synchonization of the ASA's clock to the rest of your network, you should configure the ASA to obtain time information from a trusted NTP server. To do so, navigate to Configuration > Device Setup > System Time > NTP. The NTP settings window opens. To define a new NTP time source, click Add to open the Add NTP Server Configuration dialog box. Define the IP address of the new NTP time source, the ASA interface through which this NTP server can be reached, whether this is a preferred time source, and any information relevant to the use of authenticated NTP communication.

You can configure additional NTP servers (a minimum of three associations is recommended for optimal accuracy and redundancy) and can only enter IP addresses when defining NTP servers, not logical names (FQDN) to be resolved to IP addresses via DNS. Note that an ASA can act only as an NTP client, not as an NTP server. Using an NTP server reachable through the outside interface, and not using authentication, is inherently subject to potential compromise, so it should be done only as a backup to an internal NTP server, if available.

The ASA will choose the NTP server with the lowest stratum number and synchronize to that server. A stratum number indicates the distance from the reference clock, so a lower stratum number implies that a server is more reliable than others with a higher stratum number. If several servers have similar accuracy, the preferred server is used.

ciscoasa# show clock detail
15:58:33.269 UTC Tue Jul 2 2013
Time source is hardware calendar

ciscoasa# ping sg.pool.ntp.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.123.48.219, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/128/150 ms
ciscoasa# configure terminal
ciscoasa(config)# ntp server 203.123.48.219 source outside prefer
ciscoasa(config)# show clock detail
16:01:36.546 UTC Tue Jul 2 2013
Time source is NTP

ciscoasa(config)# show ntp association
      address         ref clock     st when poll reach delay offset    disp
*~203.123.48.219   118.143.17.82     2     6    64    1    76.6   39.08 15890.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
ciscoasa(config)# show ntp association detail
203.123.48.219 configured, our_master, sane, valid, stratum 2
ref ID 118.143.17.82, time d57d7291.6422c85d (15:38:57.391 UTC Tue Jul 2 2013)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 42.53 msec, root disp 63.16, reach 1, sync dist 16013.336
delay 76.58 msec, offset 39.0848 msec, dispersion 15890.63
precision 2**21, version 3
org time d57d77fc.da7ce622 (16:02:04.853 UTC Tue Jul 2 2013)
rcv time d57d77fc.da494f2d (16:02:04.852 UTC Tue Jul 2 2013)
xmt time d57d77fc.c6ac08bd (16:02:04.776 UTC Tue Jul 2 2013)
filtdelay =    76.58    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =   39.08    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =    15.63 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Sunday, August 4, 2013

Performing Password Recovery on an ASA

To perform a password recovery, connect a PC to the console port of the ASA. Power-cycle the ASA and watch the messages while booting up. Two important messages will appear, as follows:

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

A 10-second countdown appears directly below these messages. Press the Esc key to interrupt the boot process and enter ROM Monitor (ROMMON) mode. From ROMMON mode, you set the configuration register value to instruct the ASA to bypass its startup-config (where passwords and AAA commands are stored), and reboot it.

FIREWALL> enable
Password: ****
Invalid password

// POWER-CYCLE THE ASA

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 01 00   1022   2080 Host Bridge
00 01 02   1022   2082 Chipset En/Decrypt 11
00 0C 00   1148   4320 Ethernet           11
00 0D 00   177D   0003 Network En/Decrypt 10
00 0F 00   1022   2090 ISA Bridge
00 0F 02   1022   2092 IDE Controller
00 0F 03   1022   2093 Audio              10
00 0F 04   1022   2094 Serial Bus         9
00 0F 05   1022   2095 Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 8 seconds.   // HIT ESC KEY

Ethernet0/0
MAC Address: c84c.7596.e7c6
Link is DOWN

Use ? for help.
rommon #0> confreg 0x41

Update Config Register (0x41) in NVRAM...

rommon #1> boot
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa901-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9928
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 392 files, 26848/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 343932928, Reserved memory: 62914560

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: c84c.7596.e7c5
88E6095 rev 2 Ethernet @ index 07 MAC: c84c.7596.e7c4
88E6095 rev 2 Ethernet @ index 06 MAC: c84c.7596.e7c3
88E6095 rev 2 Ethernet @ index 05 MAC: c84c.7596.e7c2
88E6095 rev 2 Ethernet @ index 04 MAC: c84c.7596.e7c1
88E6095 rev 2 Ethernet @ index 03 MAC: c84c.7596.e7c0
88E6095 rev 2 Ethernet @ index 02 MAC: c84c.7596.e7bf
88E6095 rev 2 Ethernet @ index 01 MAC: c84c.7596.e7be
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: c84c.7596.e7c6
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

Cisco Adaptive Security Appliance Software Version 9.0(1)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.

This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.

Cisco Adapative Security Appliance Software, version 9.0,
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.0 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. Yoredistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpl-2.1.html). See User Manual for licensing
details.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring startup configuration as instructed by configuration register.   // BYPASS STARTUP CONFIG

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201306300550.log'
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa# copy startup-config running-config

Destination filename [running-config]?

.
Cryptochecksum (unchanged): 99027073 b0c5f405 3d9e3aa6 8817dd65

2856 bytes copied in 3.540 secs (952 bytes/sec)
FIREWALL# configure terminal
FIREWALL(config)# password NEWPASSWORD
FIREWALL(config)# enable password NEWPASSWORD
FIREWALL(config)# username Admin password NEWPASSWORD
FIREWALL(config)# config-register ?

configure mode commands/options:
<0x0-0xffffffff> Configuration register value
FIREWALL(config)# config-register 0x1
FIREWALL(config)# exit
FIREWALL# copy running-config startup-config

Source filename [running-config]?
Cryptochecksum: fbb8dac4 825b7442 c1620ab6 fa9788e9

2907 bytes copied in 1.70 secs (2907 bytes/sec)
FIREWALL# reload noconfirm
FIREWALL#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....

<OUTPUT TRUNCATED>

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!.
Cryptochecksum (unchanged): fbb8dac4 825b7442 c1620ab6 fa9788e9
Type help or '?' for a list of available commands.
FIREWALL> enable
Password: <NEWPASSWORD>
FIREWALL#

Below is a picture of my lovely daughter Sophia and my ASA 5505 firewall (my other baby ^_^).