Saturday, March 30, 2019

Cisco ASA 5500-X Password Recovery in Multiple Context Mode

Cisco documents a password recovery procedure for each ASA firewall platform. There is a slight difference between the first-generation ASA 5500 and the ASA 5500-X series: on the 5500-X you answer Yes at the confreg prompt in ROMMON (flagged in the output below). Keep in mind what the procedure relies on: console access and the ability to change the configuration register from ROMMON so the startup configuration is ignored. If no service password-recovery is configured, the ASA will not bypass the startup configuration without first erasing the flash file systems, configuration included, so anyone with physical console access gets a blank box rather than your config. This is the password recovery I performed on a Cisco ASA 5555-X in multiple context mode, after command authorization started failing even for a logged-in admin:

ciscoasa/pri/act(config)# changeto context admin
ciscoasa/pri/act/admin(config)# show run
Command authorization failed


Because the secondary unit's configuration is synchronized from the primary, first disable failover under the system context on each unit so that your changes stay local and you can focus troubleshooting on the Primary unit.

ciscoasa/sec/stby(config)# no failover

ciscoasa/pri/act(config)# no failover
ciscoasa/pri/actNoFailover(config)# write memory      // SAVE CONFIG


Reboot the ASA, either by issuing reload under the system context or by pressing and holding the power button on the appliance. When the boot prompt appears, press Escape (Esc, next to F1) to interrupt the boot and drop into ROMMON mode.

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 10 seconds.
                                          

Boot interrupted.

Management0/0
Link is UP
MAC Address: 84b2.6191.1234


Use ? for help.
rommon #0> confreg

Current Configuration Register: 0x00000001     // THIS IS THE NORMAL CONFIG REGISTER SETTING; IT LOADS THE STARTUP CONFIG
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: n    // TYPE n FOR NO OR JUST PRESS ENTER TO ACCEPT DEFAULT VALUE

rommon #1> confreg 0x41      // THIS WILL BYPASS THE STARTUP-CONFIG

Update Config Register (0x41) in NVRAM...

rommon #2> confreg

Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration

Do you wish to change this configuration? y/n [n]: y     // ANSWER y HERE; THIS IS THE 5500-X DIFFERENCE
enable boot to ROMMON prompt? y/n [n]:  <PRESS ENTER TO ACCEPT DEFAULT VALUE>
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000041
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x41) in NVRAM...

rommon #4> boot     // REBOOT APPLIANCE
Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa982-35-smp-k8.bin... Booting...
Platform ASA5555

Loading...

<SNIP>


This platform has an ASA5555 VPN Premium license.

Creating context 'system'... Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
Done. (0)
Creating context 'null'... Done. (507)

Cisco Adaptive Security Appliance Software Version 9.8(2)35 <system>

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2018 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring the rest of the file
Ignoring startup configuration as instructed by configuration register.

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1. 
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.

ciscoasa> enable      // ASA LOADED A BLANK/DEFAULT CONFIG, SO THE ENABLE PASSWORD IS EMPTY
Password: <ENTER>

ciscoasa# show run
: Saved

:
: Serial Number: FCH19391234
: Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)35 <system>    // YOU'LL BE IN SYSTEM CONTEXT
!
hostname ciscoasa
enable password $sha512$5000$4WmfnCPFaydT+Fowjif0Cg==$ORJElavY7LebyP0cYjYmhQ== pbkdf2
no mac-address auto
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 shutdown
!
interface GigabitEthernet0/7
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 65536
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
ssh stricthostkeycheck
console timeout 0
!
tls-proxy maximum-session 1000
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end


ciscoasa# copy startup-config running-config      // LOAD THE STARTUP-CONFIG
Destination filename [running-config]?

.INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (1)
...
Cryptochecksum (unchanged): 3e88bc1b fd82b3a9 6ee910d2 343ce7ef
INFO: Context admin was created with URL disk0:/admin.cfg        
INFO: Admin context will take some time to come up .... please wait.    // ASA WILL LOAD THE admin AND OTHER CONFIGURED CONTEXTS

ciscoasa/pri/act# .

    No Active mate detected

ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# no failover     // DISABLE FAILOVER, THEN OVERWRITE THE AAA AND LOCAL CREDENTIALS
ciscoasa/pri/actNoFailover(config)#
ciscoasa/pri/actNoFailover(config)# aaa-server ISE protocol tacacs+
ciscoasa/pri/actNoFailover(config)# aaa-server ISE (management) host 192.168.1.100
ciscoasa/pri/actNoFailover(config)# key cisco123
ciscoasa/pri/actNoFailover(config)# username enable_15 password cisco privilege 15   // LOCAL FALLBACK USER; A SESSION OPENED WITH THE ENABLE PASSWORD IS IDENTIFIED AS enable_15, AND WITHOUT THIS USER LOCAL COMMAND AUTHORIZATION FAILS WITH:
Username 'enable_15' not in LOCAL database
Command authorization failed
ciscoasa/pri/actNoFailover(config)# aaa authentication ssh console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication enable console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication http console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication serial console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa accounting command ISE
ciscoasa/pri/actNoFailover(config)# aaa authorization exec authentication-server auto-enable   // THIS WILL BYPASS TYPING enable AND GO DIRECTLY TO  PRIVILEGE EXEC MODE
ciscoasa/pri/actNoFailover(config)# aaa authorization command ISE LOCAL
ciscoasa/pri/actNoFailover/admin(config)# sh run aaa
Command authorization failed      // TACACS+ COMMAND AUTHORIZATION IS NOW ENFORCED AGAIN

Note that the LOCAL method in each list is only consulted when the ISE server group is unreachable, not when ISE rejects the login or the command. The key cisco123 and the enable_15 password cisco above are placeholders; use real secrets, and rotate the fallback credentials once the TACACS+ path is verified working.

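As an added example (not part of the original post, nor a Cisco tool), the following Python script lints an ASA running-config for the two conditions that produced the lockout above: AAA method lists that point only at the TACACS+ server group with no LOCAL fallback, and LOCAL command authorization without a local enable_15 user at privilege 15. The before and after configurations are constructed from the commands in this post; the server group name ISE, the host 192.168.1.100 and the secrets are the same placeholder values used above.

```python
import re
from typing import Dict, List

# Constructed sample: the state that locks you out once the TACACS+ server is
# unreachable (no LOCAL fallback anywhere, no enable_15 local user).
LOCKOUT_CFG = """\
aaa-server ISE protocol tacacs+
aaa-server ISE (management) host 192.168.1.100
 key cisco123
aaa authentication ssh console ISE
aaa authentication enable console ISE
aaa authentication serial console ISE
aaa authorization command ISE
"""

# Constructed sample: the state after the fix applied in the post.
FIXED_CFG = """\
aaa-server ISE protocol tacacs+
aaa-server ISE (management) host 192.168.1.100
 key cisco123
username enable_15 password cisco privilege 15
aaa authentication ssh console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authorization exec authentication-server auto-enable
aaa authorization command ISE LOCAL
"""

USERNAME_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)$")
AUTHN_RE = re.compile(r"^aaa authentication (ssh|telnet|http|serial|enable) console (.+)$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command (.+)$")


def local_users(config: str) -> Dict[str, int]:
    """Map local usernames to their privilege level (0 when none is configured)."""
    users: Dict[str, int] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("username "):
            continue
        m = USERNAME_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
        else:
            users[line.split()[1]] = 0
    return users


def lint_asa_aaa(config: str) -> List[str]:
    """Return one finding per AAA line that can lock you out when the TACACS+ group is down.

    The ASA only falls back to the next method in a list when the server group is
    unreachable, so a list without LOCAL has no fallback at all.
    """
    findings: List[str] = []
    users = local_users(config)
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHN_RE.match(line)
        if m:
            access, methods = m.group(1), m.group(2).split()
            if "LOCAL" not in methods:
                findings.append(
                    f"{access} authentication uses {' '.join(methods)} with no LOCAL fallback"
                )
            continue
        m = AUTHZ_CMD_RE.match(line)
        if m:
            methods = m.group(1).split()
            if "LOCAL" not in methods:
                findings.append(
                    f"command authorization uses {' '.join(methods)} with no LOCAL fallback"
                )
            elif users.get("enable_15") != 15:
                # A session opened with the enable password is identified as enable_15;
                # LOCAL command authorization fails unless that user exists at privilege 15.
                findings.append(
                    "command authorization falls back to LOCAL but username enable_15 "
                    "(privilege 15) is missing; the LOCAL fallback will still fail"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("lockout", LOCKOUT_CFG), ("fixed", FIXED_CFG)):
        print(f"== {name} ==")
        for finding in lint_asa_aaa(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against the output of show run aaa (and show run username) from the admin context; the fixed configuration produces no findings, the pre-recovery one produces one finding per method list that has no LOCAL fallback.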

admin@ciscoasa's password:      // SSH TO THE ASA
User admin logged in to ciscoasa
Logins over the last 1 days: 1. 
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.

ciscoasa/pri/actNoFailover/admin#     // PROMPT GOES DIRECTLY TO PRIVILEGE EXEC
ciscoasa/pri/actNoFailover/admin# changeto system
ciscoasa/pri/actNoFailover# configure terminal     
ciscoasa/pri/actNoFailover(config)# no config-register    // REVERT TO ORIGINAL CONFIG REGISTER (0x1)
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# write memory     // SAVE CONFIG
ciscoasa/pri/act(config)# show version

<SNIP>

Configuration register is 0x41 (will be 0x1 at next reload)

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:12:09.307 UTC Fri Mar 22 2019


<REBOOT ASA>


ciscoasa/pri/act/admin# show version

<SNIP>


This platform has an ASA5555 VPN Premium license.

Serial Number: FCH19391234
Running Permanent Activation Key: 0xca3de65c 0x28092655 0xa10195b8 0xd4887824 0x801b1234
Configuration register is 0x1