Tuesday, October 13, 2009

Reset your Cisco PIX password

Takeaway: Losing the password to your firewall can be a nightmare. Fortunately, there are a couple of methods for resetting the password on your Cisco PIX firewall. Scott Lowe explains how you can use either a floppy disk or a TFTP server to reset it.


Admit it. You’ve at one point or another forgotten a password or two, which probably wasn't fun but didn't cause any major problems. However, forgetting the password to your firewall will cause headaches no administrator wants to weather. And, when such a password is forgotten, there's little you can do but give up the ghost. Or is there?

In this Daily Feature, I will show you two different methods you can use to reset your Cisco PIX firewall password. Although both methods take advantage of similar techniques, each uses different hardware. The first method employs the use of a floppy drive, and the second uses a TFTP server.

Physical security
Resetting the password assumes that physical security for the network hardware is in place, because the procedure requires either a serial console connection to the PIX or access to the firewall's floppy drive. The same fact cuts both ways: anyone who can reach the console port and reboot the unit can reset its password, so the console port and floppy drive need the same protection as the device itself.

As Cisco suggests, the procedure you use depends on the version of the PIX software you are running and whether your PIX has a floppy drive. If there is no floppy drive in your PIX, you will have to use either a TFTP server or direct access to specific memory locations on the PIX. The latter is both complex and dangerous, so either the floppy or the TFTP method is recommended.

Downtime
Please note that some PIX downtime is required to perform the following procedures.

Resetting your password with a floppy device
To begin, download two files from Cisco's Web site (you must have a username/password to enter this area of the site). The first is a file named rawrite.exe, and the second is a binary file that is dependent upon the version of the PIX software that you are running.

The rawrite.exe utility is used to create a bootable PIX floppy disk. This bootable disk will be used to install the .bin file that you downloaded. To create this floppy disk, make sure that there is a floppy disk in your PC and then execute the rawrite.exe utility. For my system, I downloaded the rawrite.exe file and the np52.bin file (since I am running the 5.2 version of the PIX software) and created the boot floppy with these steps.

Once the process is complete, remove the floppy disk from the drive and insert it into the PIX floppy drive. Next, make sure your serial connection to the PIX is working by attempting a standard login via HyperTerminal. With a properly working serial connection and your floppy disk in the PIX floppy drive, reset the PIX. The PIX will boot from this disk and reset the password to the factory default, cisco. When it's done, you'll receive the following message on the connected PC or terminal:
Erasing Flash Password. Please eject diskette and reboot.

Reboot the unit again. The Telnet password to the PIX will be set to cisco and can be changed using the commands passwd yourpassword and enable password yourenablepassword, where yourpassword and yourenablepassword are the administrator-specified passwords. Your PIX will be accessible again with the passwords you specify.

Resetting with a TFTP server
If your PIX doesn't have a floppy drive, place the np52.bin file (or whichever one matches your version of the PIX software) on your TFTP server. The PIX needs to be rebooted and an ESCAPE ([Ctrl][Z]) sequence sent as soon as the startup message appears. This puts the PIX at a monitor> command prompt. You will need to enter some basic parameters to give the PIX simple network connectivity. To do this, you will need to know the interface, address, server, and file commands necessary to establish a connection. Here is an example session that would set these parameters, assuming the inside interface is being used to connect to the TFTP server.
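The following monitor-mode session is an added illustration, not the author's own session from the article. The addresses are constructed, the interface number assumes the inside interface is ethernet1 (interface 1 in monitor mode), and the np52.bin filename is the one the article uses for PIX software 5.2. Lines beginning with ! are annotations, not commands. The ping step is the check worth doing before the tftp command: if the server does not answer, nothing else will work.

```text
! Reboot the PIX and send the escape sequence as soon as the startup banner appears.
! You land at the monitor> prompt; "?" lists the available commands.
monitor> interface 1
! IP address the PIX itself will use on that interface (constructed value)
monitor> address 192.168.1.1
! IP address of the TFTP server holding the recovery image (constructed value)
monitor> server 192.168.1.2
! If the TFTP server is on a different subnet, also set the next hop
! (only needed in that case; shown here for completeness):
! monitor> gateway 192.168.1.254
! Name of the recovery image as it sits on the TFTP server
monitor> file np52.bin
! Verify reachability before transferring anything
monitor> ping 192.168.1.2
! Pull the image over TFTP and run it; the utility asks for confirmation
! before it erases the stored passwords, then the PIX reboots
monitor> tftp
```

The interface number, addresses and filename must match your own environment; the only values that come from the article are the command names and np52.bin.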

The PIX will reboot and you can reset the password as you like.
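The session below is an added example, not code from the article, showing the password change that both methods (floppy and TFTP) end with, together with saving the change to flash. The hostname prompt pixfirewall is the PIX default; yourpassword and yourenablepassword are the placeholder names the article uses. The write memory command is standard PIX syntax and is assumed here because the article does not mention it; without it, the new passwords are lost at the next reboot.

```text
! After the post-recovery reboot, log in at the console with the factory default.
! The enable password has been cleared by the recovery; press Enter at the
! prompt if no password is accepted.
pixfirewall> enable
Password:
pixfirewall# configure terminal
! Telnet/console login password (was reset to cisco)
pixfirewall(config)# passwd yourpassword
! Privileged (enable) password
pixfirewall(config)# enable password yourenablepassword
! Save the running configuration so the new passwords survive a reboot
pixfirewall(config)# write memory
pixfirewall(config)# exit
```

Once the configuration is saved, the PIX is accessible again only with the passwords you specified, and the default cisco password no longer works.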

If your PIX firewall doesn't have a floppy drive and you don't have a TFTP server, I recommend that you get one. Having one will allow you to back up your configuration from time to time and restore corrupt images.

Last resort
If you cannot install a TFTP server and you don't have a floppy drive in your PIX, it's time to call the Cisco Technical Assistance Center (TAC). They will walk you through a series of steps that involve accessing specific memory locations on the PIX without using the .bin file from the Web site. When resetting passwords in this way, be cautious, because the steps vary from model to model and can be dangerous if not followed exactly. Some steps involve directly accessing memory locations, and a mistake could easily overwrite a critical memory address and render your PIX unbootable.
