Here's the link for doing a password recovery procedure on different Cisco ASA firewall platform. There's a slight difference between the ASA5500 first-gen firewall and ASA5500-X series (where you type Yes). This is the password recovery which I performed on a Cisco ASA55555-X in Multiple Context mode.
ciscoasa/pri/act(config)# changeto context admin
ciscoasa/pri/act/admin(config)# show run
Command authorization failed
You need to disable failover under the system context on each firewall to prevent the configuration from being synchronized and just focus troubleshooting on the Primary unit.
ciscoasa/sec/stby(config)# no failover
ciscoasa/pri/act(config)# no failover
ciscoasa/pri/actNoFailover(config)# write memory // SAVE CONFIG
Reboot the ASA either by issuing reload under system context or press and hold the power button on the appliance. Press Escape (Esc beside F1 key) to go into ROMMON mode.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.
Boot interrupted.
Management0/0
Link is UP
MAC Address: 84b2.6191.1234
Use ? for help.
rommon #0> confreg
Current Configuration Register: 0x00000001 // THIS THE NORMAL CONFIG REGISTER SETTING; WILL LOAD THE START UP CONFIG
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: n // TYPE n FOR NO OR JUST PRESS ENTER TO ACCEPT DEFAULT VALUE
rommon #1> confreg 0x41 // THIS WILL BYPASS THE STARTUP-CONFIG
Update Config Register (0x41) in NVRAM...
rommon #2> confreg
Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y // TAKE NOTE OF THE YES
enable boot to ROMMON prompt? y/n [n]: <PRESS ENTER TO ACCEPT DEFAULT VALUE>
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
Current Configuration Register: 0x00000041
Configuration Summary:
boot ROMMON
ignore system configuration
Update Config Register (0x41) in NVRAM...
rommon #4> boot // REBOOT APPLIANCE
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa982-35-smp-k8.bin... Booting...
Platform ASA5555
Loading...
<SNIP>
This platform has an ASA5555 VPN Premium license.
Creating context 'system'... Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Done. (0)
Creating context 'null'... Done. (507)
Cisco Adaptive Security Appliance Software Version 9.8(2)35 <system>
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2018 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Ignoring the rest of the file
Ignoring startup configuration as instructed by configuration register.
INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> enable // ASA WILL LOAD A BLANK OR DEFAULT CONFIG
Password: <ENTER>
ciscoasa# show run
: Saved
:
: Serial Number: FCH19391234
: Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)35 <system> // YOU'LL BE IN SYSTEM CONTEXT
!
hostname ciscoasa
enable password $sha512$5000$4WmfnCPFaydT+Fowjif0Cg==$ORJElavY7LebyP0cYjYmhQ== pbkdf2
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 65536
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
ssh stricthostkeycheck
console timeout 0
!
tls-proxy maximum-session 1000
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa# copy startup-config running-config // LOAD THE STARTUP-CONFIG
Destination filename [running-config]?
.INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (1)
...
Cryptochecksum (unchanged): 3e88bc1b fd82b3a9 6ee910d2 343ce7ef
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait. // ASA WILL LOAD THE admin AND OTHER CONFIGURED CONTEXTS
ciscoasa/pri/act# .
No Active mate detected
ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# no failover // DISABLE FAILOVER AND OVERWRITE PASSWORDS
ciscoasa/pri/actNoFailover(config)#
ciscoasa/pri/actNoFailover(config)# aaa-server ISE protocol tacacs+
ciscoasa/pri/actNoFailover(config)# aaa-server ISE (management) host 192.168.1.100
ciscoasa/pri/actNoFailover(config)# key cisco123
ciscoasa/pri/actNoFailover(config)# username enable_15 password cisco privilege 15 // THIS IS A LOCAL USER FALLBACK WHEN GETTING THE ERROR:
Username 'enable_15' not in LOCAL database
Command authorization failed
ciscoasa/pri/actNoFailover(config)# aaa authentication ssh console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication enable console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication http console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication serial console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa accounting command ISE
ciscoasa/pri/actNoFailover(config)# aaa authorization exec authentication-server auto-enable // THIS WILL BYPASS TYPING enable AND GO DIRECTLY TO PRIVILEGE EXEC MODE
ciscoasa/pri/actNoFailover(config)# aaa authorization command ISE LOCAL
ciscoasa/pri/actNoFailover/admin(config)# sh run aaa
Command authorization failed // TACACS+/AAA KICKED IN
admin@ciscoasa's password: // SSH TO THE ASA
User admin logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa/pri/actNoFailover/admin# // PROMPT GOES DIRECTLY TO PRIVILEGE EXEC
ciscoasa/pri/actNoFailover/admin# changeto system
ciscoasa/pri/actNoFailover# configure terminal
ciscoasa/pri/actNoFailover(config)# no config-register // REVERT TO ORIGINAL CONFIG REGISTER (0x1)
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# write memory // SAVE CONFIFG
ciscoasa/pri/act(config)# show version
<SNIP>
Configuration register is 0x41 (will be 0x1 at next reload)
Image type : Release
Key version : A
Configuration last modified by enable_15 at 04:12:09.307 UTC Fri Mar 22 2019
<REBOOT ASA>
ciscoasa/pri/act/admin# show version
<SNIP>
This platform has an ASA5555 VPN Premium license.
Serial Number: FCH19391234
Running Permanent Activation Key: 0xca3de65c 0x28092655 0xa10195b8 0xd4887824 0x801b1234
Configuration register is 0x1
ciscoasa/pri/act(config)# changeto context admin
ciscoasa/pri/act/admin(config)# show run
Command authorization failed
You need to disable failover under the system context on each firewall to prevent the configuration from being synchronized and just focus troubleshooting on the Primary unit.
ciscoasa/sec/stby(config)# no failover
ciscoasa/pri/act(config)# no failover
ciscoasa/pri/actNoFailover(config)# write memory // SAVE CONFIG
Reboot the ASA either by issuing reload under system context or press and hold the power button on the appliance. Press Escape (Esc beside F1 key) to go into ROMMON mode.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.
Boot interrupted.
Management0/0
Link is UP
MAC Address: 84b2.6191.1234
Use ? for help.
rommon #0> confreg
Current Configuration Register: 0x00000001 // THIS THE NORMAL CONFIG REGISTER SETTING; WILL LOAD THE START UP CONFIG
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: n // TYPE n FOR NO OR JUST PRESS ENTER TO ACCEPT DEFAULT VALUE
rommon #1> confreg 0x41 // THIS WILL BYPASS THE STARTUP-CONFIG
Update Config Register (0x41) in NVRAM...
rommon #2> confreg
Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y // TAKE NOTE OF THE YES
enable boot to ROMMON prompt? y/n [n]: <PRESS ENTER TO ACCEPT DEFAULT VALUE>
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
Current Configuration Register: 0x00000041
Configuration Summary:
boot ROMMON
ignore system configuration
Update Config Register (0x41) in NVRAM...
rommon #4> boot // REBOOT APPLIANCE
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa982-35-smp-k8.bin... Booting...
Platform ASA5555
Loading...
<SNIP>
This platform has an ASA5555 VPN Premium license.
Creating context 'system'... Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Done. (0)
Creating context 'null'... Done. (507)
Cisco Adaptive Security Appliance Software Version 9.8(2)35 <system>
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2018 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Ignoring the rest of the file
Ignoring startup configuration as instructed by configuration register.
INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> enable // ASA WILL LOAD A BLANK OR DEFAULT CONFIG
Password: <ENTER>
ciscoasa# show run
: Saved
:
: Serial Number: FCH19391234
: Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)35 <system> // YOU'LL BE IN SYSTEM CONTEXT
!
hostname ciscoasa
enable password $sha512$5000$4WmfnCPFaydT+Fowjif0Cg==$ORJElavY7LebyP0cYjYmhQ== pbkdf2
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 65536
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
ssh stricthostkeycheck
console timeout 0
!
tls-proxy maximum-session 1000
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa# copy startup-config running-config // LOAD THE STARTUP-CONFIG
Destination filename [running-config]?
.INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (1)
...
Cryptochecksum (unchanged): 3e88bc1b fd82b3a9 6ee910d2 343ce7ef
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait. // ASA WILL LOAD THE admin AND OTHER CONFIGURED CONTEXTS
ciscoasa/pri/act# .
No Active mate detected
ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# no failover // DISABLE FAILOVER AND OVERWRITE PASSWORDS
ciscoasa/pri/actNoFailover(config)#
ciscoasa/pri/actNoFailover(config)# aaa-server ISE protocol tacacs+
ciscoasa/pri/actNoFailover(config)# aaa-server ISE (management) host 192.168.1.100
ciscoasa/pri/actNoFailover(config)# key cisco123
ciscoasa/pri/actNoFailover(config)# username enable_15 password cisco privilege 15 // THIS IS A LOCAL USER FALLBACK WHEN GETTING THE ERROR:
Username 'enable_15' not in LOCAL database
Command authorization failed
ciscoasa/pri/actNoFailover(config)# aaa authentication ssh console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication enable console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication http console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication serial console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa accounting command ISE
ciscoasa/pri/actNoFailover(config)# aaa authorization exec authentication-server auto-enable // THIS WILL BYPASS TYPING enable AND GO DIRECTLY TO PRIVILEGE EXEC MODE
ciscoasa/pri/actNoFailover(config)# aaa authorization command ISE LOCAL
ciscoasa/pri/actNoFailover/admin(config)# sh run aaa
Command authorization failed // TACACS+/AAA KICKED IN
admin@ciscoasa's password: // SSH TO THE ASA
User admin logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa/pri/actNoFailover/admin# // PROMPT GOES DIRECTLY TO PRIVILEGE EXEC
ciscoasa/pri/actNoFailover/admin# changeto system
ciscoasa/pri/actNoFailover# configure terminal
ciscoasa/pri/actNoFailover(config)# no config-register // REVERT TO ORIGINAL CONFIG REGISTER (0x1)
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# write memory // SAVE CONFIFG
ciscoasa/pri/act(config)# show version
<SNIP>
Configuration register is 0x41 (will be 0x1 at next reload)
Image type : Release
Key version : A
Configuration last modified by enable_15 at 04:12:09.307 UTC Fri Mar 22 2019
<REBOOT ASA>
ciscoasa/pri/act/admin# show version
<SNIP>
This platform has an ASA5555 VPN Premium license.
Serial Number: FCH19391234
Running Permanent Activation Key: 0xca3de65c 0x28092655 0xa10195b8 0xd4887824 0x801b1234
Configuration register is 0x1
