Cisco PIX: Password recovery/reset

Contributed by qmchenry, August 30, 2004
Tagged: Cisco firewall

The password paradox is a commonplace condition. Make your passwords strong and difficult to guess, change them frequently, and don’t write them down. It’s a formula for forgetfulness. Eventually, many organizations find themselves locked out of their PIX. This recipe describes the process for resetting the PIX password.


This information describes resetting the password on a PIX without a floppy drive. You must first have a TFTP server running. Most UNIX operating systems ship with a TFTP server installed, but it is often not enabled by default. Windows systems are at a disadvantage because Microsoft no longer ships Windows with a TFTP server; this recipe describes installing and configuring a third-party TFTP server on a Windows system.

You need a console connection to your PIX from some system that is capable of sending a BREAK signal (the HyperTerminal communications application that ships with Windows doesn’t do this; again, Windows folks are at a disadvantage). The Private Edition of HyperTerminal does send breaks (if you press the key combination on your keyboard that corresponds to the BREAK key).

Next, if you don’t know what version of software is running on your PIX (or if you aren’t sure, do this anyway; you forgot the password, after all), connect to the PIX with the terminal emulator of your choice (HyperTerminal, tip, minicom, etc.) and make sure you see reasonable responses to pressing ENTER (such as a password prompt or the name of the PIX as a nonprivileged prompt). Reboot the PIX by turning it off and back on and watch the output. It will tell you the software version number running.

Download the corresponding file from Cisco that matches your PIX software version (for example, PIX software version 6.1 would correspond to the file np61.bin) and save it in your TFTP root directory. Now you are ready for the fun stuff.

Reboot your PIX again and send it a BREAK signal (~# in tip, CTRL-A f in minicom) while it is starting to boot. You will get a prompt like monitor>.

Determine (by number) which ethernet interface will be used to connect to the TFTP server. The easiest way to know is to unplug an interface and connect directly to the TFTP server host through a crossover ethernet cable. The TFTP server can be on another subnet since the PIX can be configured to use a gateway during this process.

The rest of this recipe will be based on the assumption that the interface is number 0 (if it isn’t, only the interface command below needs to be changed). We’ll also assume that the software version is 6.3 and that we’ve downloaded np63.bin. For this example the IP address of the TFTP server will be 192.168.2.69, and the IP address used on the PIX will be 192.168.1.2, on a different subnet from the TFTP server, which is reached through the gateway at 192.168.1.1. The IP addresses entered during this procedure will not affect the configuration of the PIX after the procedure is completed.

The following commands will cause the PIX to get the password reset image from the TFTP server and use it to reset the password:

monitor> interface 0
monitor> address 192.168.1.2
monitor> server 192.168.2.69
monitor> gateway 192.168.1.1
monitor> file np63.bin
monitor> tftp

The TFTP download should be quick (on the order of a few seconds). If it fails, it will time out and give an error message. Verify your network cabling (ensure that there are link lights, if available, on both sides). You can ping the TFTP server from the monitor prompt (ping 192.168.2.69), although this may fail if the host running the TFTP service blocks pings, so it may not be helpful. If everything looks right, double-check your settings, as a typo in an IP address will cause problems.

Once the image is downloaded to the PIX, the password reset code will ask you if you are sure you want to reset the password. Press the y key to continue and, in a moment, the password will be reset and the PIX will automatically reboot. The PIX will now have the default telnet password cisco and no enable password, so set new passwords as soon as you are back in.
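To make the transfer step less of a black box, here is an added example (not code from the recipe or from Cisco) that models the TFTP read exchange the PIX monitor performs when you type tftp: the read request for np63.bin, the lock-step DATA/ACK blocks, the short final block that ends the transfer, retransmission after a lost ACK, and the ERROR reply a server sends when the file is missing. The TFTP_ROOT dictionary and the image bytes in it are constructed stand-ins, and the bare-filename check in open_read is an assumption about good server behaviour, not something the recipe states.

```python
"""In-memory model of the TFTP read exchange (RFC 1350) that the PIX monitor
performs when it fetches npXX.bin.  Added example, not code from the recipe or
from Cisco; TFTP_ROOT and the image bytes are constructed so it runs offline."""
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512                  # RFC 1350 fixed block size
ERR_NOT_FOUND, ERR_ACCESS = 1, 2  # RFC 1350 error codes

# Constructed stand-in for the TFTP root directory (filename -> file bytes).
# 1100 bytes = two full 512-byte blocks plus a 76-byte final block.
TFTP_ROOT = {"np63.bin": bytes(range(256)) * 4 + b"\x55" * 76}

def build_rrq(filename, mode="octet"):
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_rrq(pkt):
    """Return (filename, mode) from a read request; raise ValueError otherwise."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != RRQ:
        raise ValueError("not an RRQ")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def build_data(block, chunk):
    return struct.pack("!HH", DATA, block & 0xFFFF) + chunk

def build_ack(block):
    return struct.pack("!HH", ACK, block & 0xFFFF)

def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\x00"

def data_blocks(payload):
    """DATA packets for a file.  A block shorter than 512 bytes ends the transfer,
    so a file whose size is an exact multiple of 512 gets a trailing empty block."""
    chunks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]
    if not chunks or len(chunks[-1]) == BLOCK_SIZE:
        chunks.append(b"")
    return [build_data(n + 1, c) for n, c in enumerate(chunks)]

class ReadSession:
    """Server side of one RRQ: block n goes out only after ACK n-1 has arrived."""

    def __init__(self, payload):
        self.blocks = data_blocks(payload)
        self.sent = 1                       # block number currently in flight

    def first(self):
        return self.blocks[0]

    def on_ack(self, ack_pkt):
        """Next DATA packet, the in-flight one again (retransmit on a stale or
        bogus ACK), or None once the final block has been acknowledged."""
        op, block = struct.unpack("!HH", ack_pkt[:4])
        if op != ACK or block != self.sent:
            return self.blocks[self.sent - 1]
        if self.sent == len(self.blocks):
            return None
        self.sent += 1
        return self.blocks[self.sent - 1]

def open_read(root, rrq_pkt):
    """Server reply to an RRQ: (first DATA packet, session) or (ERROR packet, None).
    A prompt ERROR is what lets the client print a message instead of waiting."""
    try:
        filename, mode = parse_rrq(rrq_pkt)
    except ValueError as exc:
        return build_error(0, str(exc)), None
    # Serve bare filenames only (assumed good-server behaviour, not from the recipe).
    if "/" in filename or "\\" in filename or filename.startswith(".."):
        return build_error(ERR_ACCESS, "Access violation"), None
    if filename not in root:
        return build_error(ERR_NOT_FOUND, "File not found"), None
    if mode != "octet":
        return build_error(0, "only octet mode is supported"), None
    session = ReadSession(root[filename])
    return session.first(), session

def fetch(root, filename, lose_ack_for_block=None):
    """Client side (the role the PIX monitor plays), run in lock step against
    open_read().  Returns ('ok', bytes) or ('error', code, message)."""
    pkt, session = open_read(root, build_rrq(filename))
    if session is None:
        code = struct.unpack("!H", pkt[2:4])[0]
        return ("error", code, pkt[4:].split(b"\x00")[0].decode())
    received, expected, dropped = b"", 1, False
    while pkt is not None:
        op, block = struct.unpack("!HH", pkt[:4])
        if op == DATA and block == expected:        # accept each block exactly once
            received += pkt[4:]
            expected += 1
        if block == lose_ack_for_block and not dropped:
            dropped = True                          # lost ACK: server must resend
            pkt = session.on_ack(build_ack(block - 1))
            continue
        pkt = session.on_ack(build_ack(block))
    return ("ok", received)
```

The diagnostic value is in the error path: a server that answers the request with a File not found ERROR lets the monitor report the failure right away, whereas no answer at all (the file absent on a server that silently drops unknown requests, or UDP blocked somewhere between the two hosts) leaves the monitor waiting at the tftp prompt until it times out, which is the failure the recipe tells you to expect.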

Viewing 2 Comments

    This question is regarding the Tech Recipe posted by qmchenry on August 30, 2004. I could not find it in the forum thread, so I could reply to it, which is why this is a "New" topic. If you do a google search on <reset pix password>, it will be the third link listed.

    I've followed the instructions qmchenry stated with a couple of differences:

    1. My TFTP server is located on the inside (on the PC, which is connected via HyperTerminal PE to the PIX), so the interface is set to 1.

    2. I did not use a cross-over cable. I left the cabling as it was: cable modem going to ethernet0 and ethernet1 going to a Nortel Baystack switch where the PC (with Windows 2000 Server running and my PDC) is plugged into.

    So, my settings are:
    interface 1
    address 10.1.1.1 (ip of PIX)
    server 10.1.1.2 (ip of tftp server)
    file np70.bin

    I am able to ping the TFTP server and get 100% reply, but when I run tftp, HyperTerminal only sits at the prompt: tftp np70bin@10.1.1.2

    There are no dots and the activity light on the PIX blinks a lot, but eventually I have to break the connection and the TFTP server log states something like unable to send file to 10.1.1.1.

    There is one other piece of information. My Cisco PIX version is 7.1(2) but the highest version file I could find is np70.bin. I didn't think it would hurt to try it. Could this be the conflict? Is there a newer version?

    I'd appreciate any and all advice you can give me.

    Thanks in advance.
    Do you have an access-list on that interface? You might also try a different tftp software. I'm not 100% on the layout of your PIX, but remember that you need PIX(config)# tftp-server (interface) <ip> <directory>

    Good luck!