Saturday, August 3, 2019

Cisco ASA 5515-X Password Recovery

I needed to perform a password recovery on a used Cisco ASA 5515-X firewall and do a factory reset afterwards, to prepare the ASA for conversion to Firepower Threat Defense (FTD). This is my "new" lab rack with a Cisco 1921 ISR G2 router.


Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011


Use BREAK or ESC to interrupt boot.    // HIT ESC
Use SPACE to begin boot immediately.
Boot interrupted.                              

Management0/0
Link is DOWN
MAC Address: b0fa.eb97.7abc


Use ? for help.
rommon #0> confreg 0x41    // BYPASS STARTUP-CONFIG

Update Config Register (0x41) in NVRAM...

rommon #1> confreg

Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration

Do you wish to change this configuration? y/n [n]: <ENTER>

rommon #2> boot
Launching BootLoader...
Boot configuration file contains 2 entries.


Loading disk0:/asa952-2-smp-k8.bin... Booting...
Platform ASA5515

Loading...
IO memory blocks requested from bigphys 32bit: 36825
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.


<SNIP>


                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring startup configuration as instructed by configuration register.  

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:  <ENTER>
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# no config-register   // REVERT BACK ORIGINAL CONFIG REGISTER TO 0x1
ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.5(2)2
Device Manager Version 7.1(1)52

Compiled on Tue 22-Dec-15 10:06 PST by builders
System image file is "disk0:/asa952-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 min 3 secs

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
            ASA: 3598 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is b0fa.eb97.72c8, irq 11
 1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.72cc, irq 10
 2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.72c9, irq 10
 3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.72cd, irq 5
 4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.72ca, irq 5
 5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.72ce, irq 10
 6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.72cb, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.72c8, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1704JABC
Running Permanent Activation Key: 0x022ceb6a 0x98a0f168 0x0160d178 0xe22c1123 0xc213d456
Configuration register is 0x41 (will be 0x1 at next reload)

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 16:25:30.869 UTC Sat Jul 13 2019
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 80058db4 55493994 722aeddf 194087d3

2465 bytes copied in 0.750 secs
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...


<SNIP>


Reading from flash...
!.
Cryptochecksum (unchanged): 80058db4 55493994 722aeddf 194087d3

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:  <ENTER>
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.5(2)2
Device Manager Version 7.1(1)52

Compiled on Tue 22-Dec-15 10:06 PST by builders
System image file is "disk0:/asa952-2-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 12 secs

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
            ASA: 3598 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is b0fa.eb97.72c8, irq 11
 1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.72cc, irq 10
 2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.72c9, irq 10
 3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.72cd, irq 5
 4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.72ca, irq 5
 5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.72ce, irq 10
 6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.72cb, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.72c8, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1704JABC
Running Permanent Activation Key: 0x022ceb6a 0x98a0f168 0x0160d178 0xe22c1123 0xc213d456
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.

ciscoasa# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH1704JABC
 ips Unknown                                      N/A                FCH1704JABC
cxsc Unknown                                      N/A                FCH1704JABC
 sfr Unknown                                      N/A                FCH1704JABC

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    
---- --------------------------------- ------------ ------------ ---------------
   0 b0fa.eb97.72c8 to b0fa.eb97.72cf  1.0          2.1(9)8      9.5(2)2    // NEED ROMMON 1.1.8 OR ABOVE TO CONVERT ASA TO FTD
 ips b0fa.eb97.72c6 to b0fa.eb97.72c6  N/A          N/A         
cxsc b0fa.eb97.72c6 to b0fa.eb97.72c6  N/A          N/A         
 sfr b0fa.eb97.72c6 to b0fa.eb97.72c6  N/A          N/A         

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable       
 ips Unresponsive       Not Applicable       
cxsc Unresponsive       Not Applicable       
 sfr Unresponsive       Not Applicable       

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual    
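The whole recovery above hinges on the configuration register: 0x41 sets bit 0x40, which makes the ASA ignore its startup-config at boot (hence the "Ignoring startup configuration as instructed by configuration register" message and the empty enable password), and `no config-register` puts it back to 0x1 at the next reload. As an added example that is not part of the original post, here is a small Python audit that pulls the "Configuration register" line out of `show version` output and checks the console log for the boot-time message, so a device left in that state shows up in a fleet check. The sample inputs are constructed from the transcript above; the function and constant names are my own.

```python
import re
from typing import List, Tuple

# Bit 6 of the configuration register: boot while ignoring the startup configuration.
# On this ASA, 0x41 = 0x40 (ignore startup-config) | 0x1 (boot default image).
IGNORE_STARTUP_CONFIG_BIT = 0x40

# Matches both forms seen in the post:
#   "Configuration register is 0x41 (will be 0x1 at next reload)"
#   "Configuration register is 0x1"
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

# Boot-time console message printed when the register tells the ASA to skip startup-config.
IGNORE_MSG = "Ignoring startup configuration as instructed by configuration register"


def parse_config_register(show_version: str) -> Tuple[int, int]:
    """Return (current, at_next_reload) from 'show version' text.

    When no pending change is shown, at_next_reload equals current.
    """
    m = CONFREG_RE.search(show_version)
    if not m:
        raise ValueError("no 'Configuration register' line found in show version output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def audit_config_register(show_version: str, console_log: str = "") -> List[str]:
    """Return a list of findings; an empty list means the register looks normal (bit 0x40 clear)."""
    findings = []
    current, pending = parse_config_register(show_version)
    if current & IGNORE_STARTUP_CONFIG_BIT:
        findings.append(
            f"running with config register {current:#x}: startup-config was ignored at this boot"
        )
    if pending & IGNORE_STARTUP_CONFIG_BIT:
        findings.append(
            f"config register will be {pending:#x} at next reload: startup-config will be ignored again"
        )
    if IGNORE_MSG in console_log:
        findings.append("console log contains the boot-time 'Ignoring startup configuration' message")
    return findings


# Constructed samples, trimmed from the transcript in the post (hostname is the default "ciscoasa").
SHOW_VERSION_RECOVERY_BOOT = """\
ciscoasa up 1 min 3 secs
Serial Number: FCH1704JABC
Configuration register is 0x41 (will be 0x1 at next reload)
"""

SHOW_VERSION_AFTER_RELOAD = """\
ciscoasa up 12 secs
Serial Number: FCH1704JABC
Configuration register is 0x1
"""

CONSOLE_LOG_RECOVERY_BOOT = """\
Ignoring startup configuration as instructed by configuration register.
INFO: Power-On Self-Test in process.
"""

if __name__ == "__main__":
    for label, sv, log in (
        ("recovery boot", SHOW_VERSION_RECOVERY_BOOT, CONSOLE_LOG_RECOVERY_BOOT),
        ("after reload", SHOW_VERSION_AFTER_RELOAD, ""),
    ):
        print(label, "->", audit_config_register(sv, log) or ["clean"])
```

The first sample reproduces the state right after `confreg 0x41` and `no config-register`: the device is currently running without its startup-config, but the pending value is already back to 0x1, so only the "this boot" finding and the console message fire. The second sample, taken after the reload, produces no findings.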


I had inserted an SSD into the ASA to store the FTD boot image and the FTD package file (the OS).

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515           , VID: V01     , SN: FGL1707ABC

Name: "Storage Device 1", DESCR: "Micron 128 GB SSD MLC, Model Number: C400-MTFDDAC128MAM"
PID: N/A               , VID: N/A     , SN: MSA18230XYZ