Cisco PIX: Password Recovery/Reset

Posted August 30, 2004 by Quinn McHenry in Cisco firewall

The password paradox is a commonplace condition. Make your passwords strong and difficult to guess, change them frequently, and do not write them down. It is a formula for forgetfulness. Eventually, many organizations find themselves locked out of their PIX. This tech-recipe describes the process for resetting the PIX password.

This information describes resetting the password on a PIX without a floppy drive. You must first have a TFTP server running. Most UNIX operating systems install with a TFTP server installed, but possibly not running. Windows systems are at a disadvantage because Microsoft no longer ships Windows with a TFTP server. This recipe describes installing and configuring a third-party TFTP server on a Windows system.

You need a console connection to your PIX from some system that is capable of sending a BREAK signal. (The HyperTerminal communications application that ships with Windows does not do this. Again, Windows users are at a disadvantage.) The Private Edition of HyperTerminal does do breaks (if you press the keyboard combination on your keyboard that corresponds to the BREAK key).

Next, if you do not know what version of software is running on your PIX, (If you are not sure, do this anyway. You forgot the password, after all.) connect to the PIX with the terminal emulator of your choice (HyperTerminal, tip, minicom, etc.). Make sure you see reasonable responses to pressing ENTER (such as a password prompt or the name of the router as a nonprivileged prompt). Reboot the router by turning it off and back on, and watch the output. It will tell you the software version number running.

Download the corresponding file from Cisco that matches your PIX software version. (For example, PIX software version 6.1 would correspond to the file np61.bin.) Save it in your TFTP root directory. Now, you are ready for the fun stuff.

Reboot your PIX again, and send it a BREAK signal (~# in tip, CTRL-A f in minicom) while it is starting to boot. You will get a prompt such as monitor>.

Determine (by number) which ethernet interface will be used to connect to the TFTP server. The easiest way to know is to unplug an interface and connect directly to the TFTP server host through a crossover ethernet cable. The TFTP server can be on another subnet since the PIX can be configured to use a gateway during this process.

The rest of this tutorial will be based on the assumption that the interface is number 0. (If it is not, only the interface command below needs to be changed.) We will also assume that the software version is 6.3 and that we have downloaded np63.bin. The IP address of the TFTP server will be, for this example. An IP address that can be used on the PIX is, on a different subnet from that of the TFTP server which is accessible through the gateway at The IP addresses entered during this procedure will not affect the configuration of the PIX after the procedure is completed.

The following commands will cause the PIX to get the password reset image from the TFTP server and use it to reset the password:

monitor> interface 0
monitor> address
monitor> server
monitor> gateway
monitor> file np63.bin
monitor> tftp

The TFTP download should be quick (on the order of a few seconds). If it fails, it will timeout and give an error message. Verify your network cabling. (Ensure that there are link lights, if available, on both sides.) You can ping the TFTP server (ping, although this may fail if the host running the TFTP service blocks pings, so it may not be helpful. If everything looks right, double check your settings as a typo in an IP address will cause problems.

Once the image is downloaded to the PIX, the password reset code will ask you if you are sure you want to reset the password. Press the y key to continue. In a moment, the password will be reset, and the PIX will automatically reboot. The PIX will now have the default telnet password cisco and no enable password.


About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.
View more articles by Quinn McHenry

The Conversation

Follow the reactions below and share your own thoughts.

  • awais

    i awais afridi i m working on pix 501 i have same problem plz someone help me i will b very thankful to that person…

  • Rex


    When I cycle power on my Cisco PIX-501, it reports three different version numbers. I’m trying to determine which of these version numbers I use when downloading the appropriate “npXX.bin” file for password recovery:

    CISCO SYSTEMS PIX-501 Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08

    Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001

    Cisco PIX Firewall Version 6.3(5)

    Here’s an extract for Cisco’s Password Recovery web page:

    The appropriate binary file, depending on the PIX software version you run:

    o np70.bin (7.x and 8.0 release)

    o np63.bin (6.3 release)

    o np62.bin (6.2 release)

    o np61.bin (6.1 release)

    o np60.bin (6.0 release)

    o np53.bin (5.3 release)

    o np52.bin (5.2 release)

    o np51.bin (5.1 release)

    o np50.bin (5.0 release)

    o np44.bin (4.4 release)

    o nppix.bin (4.3 and earlier releases)

    Note: You need to determine what .bin file to use, which
    depends upon the PIX code that your PIX currently
    runs irrespective of the BIOS version.

    I assume is 6.3, but I’m very new to the Cisco world and I do NOT want to turn a minor problem in to a big problem!

    Many thanks,

    • Awoawo1

      Note: You need to determine what .bin file to use, which depends upon the PIX code that your PIX currently runs irrespective of the BIOS version.

  • Anonymous

    This is good but it’s still not working for me. Let me explain. At my workplace they were using PIX 506E before but now they just removed it and using proxy instead. Now, I just want to play with pix for my personal learning purpose and we lost the password.

    According to this post it should work fine but I think the enabled ACL and other filtering stuff is preventing TFTP to download image into PIX.

    So far I am able to ping TFTP server from PIX but my PC/ TFTP server is not able to ping PIX (may be ACLs)

    Anyone has idea how to recover in this case?

  • Anonymous

    good softwore

    • Iraq

      Hiiii all i ahve the solution
      avery think are correct above but u need to use SolarWinds-TFTP-Server10.4.0.10
      and PuTTY, after u arrive to connect to Monoter>tftp
      at first you need to run the solarWinds and u see all the log file when u use th tftp server and told u need to put the file np63.bin in the C:\TFTP-server Root
      you need to copy the file np63.bin in this directory at first and then
      you run the command tftp server and u will see the dots and finaly ask u to erase the password that’s all.

      Good Luck

  • Sergio

    But how to reset it if you dont know the IP of the Pix either!