
CCIE那点事-李萧明

This blog has moved to www.jdccie.com (CCIE那点事); stay tuned.

PIX / ASA Password Recovery

2011-05-03 11:30:00 | Category: Vpn

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover passwords, perform the following steps:

Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-4.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5 (0x1 is the default configuration register). For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Password Recovery for the PIX 500 Series Security Appliance

Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps:

Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the security appliance. See the link in the "Password Recovery Procedure for the PIX" document at the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

Step 2 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-4.

Step 3 Power off the security appliance, and then power it on.

Step 4 Immediately after the startup messages appear, press the Escape key to enter monitor mode.

Step 5 Configure the network settings for the interface that accesses the TFTP server by entering the following commands:

monitor> interface interface_id

monitor> address interface_ip

monitor> server tftp_ip

monitor> file pw_tool_name

monitor> gateway gateway_ip

Step 6 Download the PIX password tool from the TFTP server by entering the following command:

monitor> tftp

If you have trouble reaching the server, you can enter the ping address command to test the connection.

Step 7 At the "Do you wish to erase the passwords?" prompt, enter Y.

You can now log in with the default login password of "cisco" and the blank enable password.

The following example shows the PIX password recovery with the TFTP server on the outside interface:

monitor> interface 0                     ...... (a network cable must be connected to this interface here, otherwise you get an initialize error)

0: i8255X @ PCI(bus:0 dev:13 irq:10)

1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

monitor> address 10.21.1.99

address 10.21.1.99

monitor> server 172.18.125.3

server 172.18.125.3

monitor> file np70.bin

file np52.bin

monitor> gateway 10.21.1.1

gateway 10.21.1.1

monitor> ping 172.18.125.3

Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:

!!!!!

Success rate is 100 percent (5/5)

monitor> tftp

tftp np52.bin@172.18.125.3 via 10.21.1.1...................................

Received 73728 bytes

Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005

Flash=i28F640J5 @ 0x300

BIOS Flash=AT29C257 @ 0xd8000

Do you wish to erase the passwords? [yn] y

Passwords have been erased.

Rebooting....

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:

hostname(config)# no service password-recovery

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.
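As an added example (not part of the Cisco guide or this blog), the following Python script audits a saved configuration dump for the two settings this section and Step 14 turn on: a config-register left at a value other than the one recorded before recovery, and password recovery still enabled. The sample configuration, hostname and register value are constructed; as the guide notes, the service password-recovery line in a config file is informational only, so treat a finding as something to confirm at the device CLI rather than as proof.

```python
"""Audit an ASA/PIX config dump for password-recovery related settings.
Added example; the sample config below is constructed, not from a real device."""
import re

# Constructed sample running-config excerpt (hostname and values are invented).
SAMPLE_CONFIG = """\
hostname fw-edge
enable password ********** encrypted
passwd ********** encrypted
config-register 0x41
username admin password ********** encrypted privilege 15
service password-recovery
"""

DEFAULT_CONFIG_REGISTER = 0x1  # default value named in Step 14 of the guide


def parse_config_register(config_text):
    """Return the config-register value as an int, or None if the line is absent
    (absent means the device is using its default)."""
    m = re.search(r"^config-register\s+(0x[0-9a-fA-F]+)\s*$", config_text, re.M)
    return int(m.group(1), 16) if m else None


def password_recovery_enabled(config_text):
    """True unless 'no service password-recovery' appears in the config.
    Note: the config-file line is informational; the NVRAM setting is authoritative."""
    return re.search(r"^no service password-recovery\s*$", config_text, re.M) is None


def audit(config_text, expected_register=DEFAULT_CONFIG_REGISTER):
    """Return a list of findings; an empty list means both checks passed.
    expected_register is the value recorded in Step 5 (default 0x1)."""
    findings = []
    reg = parse_config_register(config_text)
    if reg is not None and reg != expected_register:
        findings.append(
            f"config-register is 0x{reg:x}, expected 0x{expected_register:x}: "
            "the device may still be set to ignore its startup configuration")
    if password_recovery_enabled(config_text):
        findings.append(
            "service password-recovery is enabled: console access is enough to "
            "reset passwords via ROMMON or the PIX password tool")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```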

Other Troubleshooting Tools

The security appliance provides other troubleshooting tools to be used in conjunction with Cisco TAC:

• Viewing Debug Messages

• Capturing Packets

• Viewing the Crash Dump

Viewing Debug Messages

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. To enable debug messages, see the debug commands in the Cisco Security Appliance Command Reference.

Capturing Packets

Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. We recommend contacting Cisco TAC if you want to use the packet capture feature. See the capture command in the Cisco Security Appliance Command Reference.

Viewing the Crash Dump

If the security appliance crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco Security Appliance Command Reference.

Common Problems

This section describes common problems with the security appliance, and how you might resolve them.

Symptom    The context configuration was not saved, and was lost when you reloaded.

Possible Cause    You did not save each context within the context execution space. If you are configuring contexts at the command line, you did not save the context before you changed to the next context.

Recommended Action    Save each context within the context execution space using the copy run start command. You cannot save contexts from the system execution space.

Symptom    You cannot make a Telnet connection or SSH to the security appliance interface.

Possible Cause    You did not enable Telnet or SSH to the security appliance.

Recommended Action    Enable Telnet or SSH to the security appliance according to the "Allowing Telnet Access" section on page 33-1 or the "Allowing SSH Access" section on page 33-2.

Symptom    You cannot ping the security appliance interface.

Possible Cause    You disabled ICMP to the security appliance.

Recommended Action    Enable ICMP to the security appliance for your IP address using the icmp command.

Symptom    You cannot ping through the security appliance, even though the access list allows it.

Possible Cause    You did not enable the ICMP inspection engine or apply access lists on both the ingress and egress interfaces.

Recommended Action    Because ICMP is a connectionless protocol, the security appliance does not automatically allow returning traffic through. In addition to an access list on the ingress interface, you either need to apply an access list to egress interface to allow replying traffic, or enable the ICMP inspection engine, which treats ICMP connections as stateful connections.

Symptom    Traffic does not pass between two interfaces on the same security level.

Possible Cause    You did not enable the feature that allows traffic to pass between interfaces on the same security level.

Recommended Action    Enable this feature according to the "Allowing Communication Between Interfaces on the Same Security Level" section on page 6-5.
