Cisco PIX: Password Recovery/Reset

Posted August 30, 2004 by Quinn McHenry in Cisco firewall

The password paradox is a commonplace condition. Make your passwords strong and difficult to guess, change them frequently, and do not write them down. It is a formula for forgetfulness. Eventually, many organizations find themselves locked out of their PIX. This tech-recipe describes the process for resetting the PIX password.

This recipe describes resetting the password on a PIX without a floppy drive. You must first have a TFTP server running. Most UNIX-like operating systems ship with a TFTP server installed, although it may not be enabled. Windows systems are at a disadvantage because Microsoft no longer ships Windows with a TFTP server; installing and configuring a third-party TFTP server on Windows is covered in a separate recipe.

You need a console connection to your PIX from a system that is capable of sending a BREAK signal. (The HyperTerminal application that ships with Windows cannot do this, so Windows users are again at a disadvantage.) The Private Edition of HyperTerminal does send a BREAK when you press the key combination that your keyboard maps to the BREAK key.

Next, find out which version of software is running on your PIX. (If you are not sure, do this anyway; you forgot the password, after all.) Connect to the PIX with the terminal emulator of your choice (HyperTerminal, tip, minicom, etc.) and make sure you see a reasonable response to pressing ENTER, such as a password prompt or the device name as a nonprivileged prompt. Reboot the PIX by turning it off and back on, and watch the boot output: it reports the software version number that is running.

Download the corresponding file from Cisco that matches your PIX software version. (For example, PIX software version 6.1 would correspond to the file np61.bin.) Save it in your TFTP root directory. Now, you are ready for the fun stuff.

Reboot your PIX again, and send it a BREAK signal (~# in tip, CTRL-A f in minicom) while it is starting to boot. You will get a prompt such as monitor>.

Determine (by number) which ethernet interface will be used to connect to the TFTP server. The easiest way to know is to unplug an interface and connect directly to the TFTP server host through a crossover ethernet cable. The TFTP server can be on another subnet since the PIX can be configured to use a gateway during this process.

The rest of this tutorial assumes that the interface is number 0. (If it is not, only the interface command below needs to be changed.) We will also assume that the software version is 6.3 and that we have downloaded np63.bin. The IP address of the TFTP server will be 192.168.2.69 for this example. An IP address that can be used on the PIX is 192.168.1.2, on a different subnet from that of the TFTP server, which is reachable through the gateway at 192.168.1.1. The IP addresses entered during this procedure do not affect the configuration of the PIX after the procedure is completed.

The following commands will cause the PIX to get the password reset image from the TFTP server and use it to reset the password:

monitor> interface 0
monitor> address 192.168.1.2
monitor> server 192.168.2.69
monitor> gateway 192.168.1.1
monitor> file np63.bin
monitor> tftp

The TFTP download should be quick (on the order of a few seconds). If it fails, it will time out and give an error message. Verify your network cabling, and ensure that there are link lights, if available, on both sides. You can ping the TFTP server (ping 192.168.2.69), although this may fail if the host running the TFTP service blocks pings, so it is not always helpful. If everything looks right, double-check your settings, since a typo in an IP address will cause problems.
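What the PIX does when you type tftp is an ordinary TFTP read request, so the quickest way to rule out the server side of a failed download is to fetch the image from the TFTP server yourself before you start the console procedure. The script below is an added example, not code from the original recipe or from Cisco: it builds and parses the three packet types involved (RRQ, DATA, ACK) and runs the full exchange, with a small loopback server standing in for the real TFTP daemon. The filename np63.bin and the server address are the page's example values; the loopback host, the port chosen by the demo and the 1280-byte stand-in image are constructed for this script.

```python
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 fixed block size; a block shorter than this ends the transfer


def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block, payload):  # opcode 3, block number, up to 512 payload bytes
    return struct.pack("!HH", OP_DATA, block) + payload

def build_ack(block):  # opcode 4, block number being acknowledged
    return struct.pack("!HH", OP_ACK, block)

def parse_packet(pkt):
    """Split a DATA/ACK/ERROR packet into (opcode, block-or-error-code, body)."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet too short")
    opcode, num = struct.unpack("!HH", pkt[:4])
    return opcode, num, pkt[4:]

def split_blocks(data):
    """Yield (block number, payload); the last block is short, or empty for exact multiples."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    for number, payload in enumerate(blocks, start=1):
        yield number, payload

def tftp_get(server, port, filename, timeout=3.0):
    """Client side: send an RRQ, ACK each DATA block, stop at the short block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (server, port))
    received, expected = bytearray(), 1
    try:
        while True:
            # The server answers from a fresh port (its transfer ID); ACKs go to that peer.
            pkt, peer = sock.recvfrom(4 + BLOCK_SIZE)
            opcode, num, body = parse_packet(pkt)
            if opcode == OP_ERROR:
                msg = body.split(b"\0")[0].decode(errors="replace")
                raise RuntimeError(f"TFTP error {num}: {msg}")
            if opcode != OP_DATA or num != expected:
                continue  # duplicate or stray block: keep waiting for the expected one
            received += body
            sock.sendto(build_ack(num), peer)
            if len(body) < BLOCK_SIZE:
                return bytes(received)
            expected += 1
    finally:
        sock.close()

def serve_once(files, bind=("127.0.0.1", 0)):
    """Server side for one transfer, run in a thread; returns (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(bind)
    port = listener.getsockname()[1]

    def run():
        pkt, client = listener.recvfrom(1024)
        listener.close()
        opcode = struct.unpack("!H", pkt[:2])[0]
        name = pkt[2:].split(b"\0")[0].decode(errors="replace")
        data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # new transfer ID
        data_sock.settimeout(3.0)
        if opcode != OP_RRQ or name not in files:
            data_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            data_sock.close()
            return
        for block, payload in split_blocks(files[name]):
            for _ in range(3):  # resend the block up to three times until it is ACKed
                data_sock.sendto(build_data(block, payload), client)
                try:
                    ack, _ = data_sock.recvfrom(1024)
                except socket.timeout:
                    continue
                if parse_packet(ack)[:2] == (OP_ACK, block):
                    break
        data_sock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread

def demo_loopback():
    """Serve a constructed stand-in for np63.bin over loopback and fetch it back."""
    image = bytes(range(256)) * 5  # 1280 bytes: two full blocks + a 256-byte final block (constructed)
    port, thread = serve_once({"np63.bin": image})
    fetched = tftp_get("127.0.0.1", port, "np63.bin")
    thread.join()
    return fetched == image

if __name__ == "__main__":
    print("loopback transfer ok:", demo_loopback())
```

To check a real server from the staging host, call tftp_get("192.168.2.69", 69, "np63.bin") and compare the length of the returned bytes with the file you saved in the TFTP root; a "File not found" error means the file is not in the directory the daemon actually serves, and a timeout points at the cabling or at a host firewall blocking UDP 69, both of which the PIX would also run into.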

Once the image is downloaded to the PIX, the password reset code asks whether you are sure you want to reset the password. Press the y key to continue. In a moment, the password will be reset, and the PIX will automatically reboot. The PIX will now have the default telnet password cisco and no enable password. Because that default is published, log in right away, set a new enable password and telnet password, and save the configuration.


About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.