Password Recovery for the PIX
Contents
Introduction
Prerequisites
Step-by-Step Procedure
PIX With a Floppy Drive
PIX Without a Floppy Drive
Sample Output
This document describes how to recover a PIX password for PIX software
releases through 6.3. Note that performing password recovery on the PIX
erases only the password, not the configuration. If there are Telnet or
console aaa authentication commands in versions 6.2 and greater,
the system will also prompt to remove these.
Note: If you have configured AAA on the PIX and the AAA server
is down, you can access the PIX by entering the Telnet password initially,
and then "pix" as the username and the enable password (enable password
password) for the password. If there is no enable password in the PIX
configuration, enter "pix" for the username and press ENTER. If the enable
and Telnet passwords are set but not known, you will need to continue
with the password recovery process.
The PIX Password Lockout Utility is based on the PIX software release
you are running.
In addition to the required files listed in the next section, you will
need the following items to follow the password recovery procedure:
To use the password recovery procedure, you need the PIX Password Lockout
Utility (which you must download from Cisco CCO), which includes the following
files:
-
Choose one of the following files, depending on the PIX software
version you are running. DO NOT CLICK HERE UNLESS YOU ARE CONNECTED
TO THE INTERNET.
-
rawrite.exe
(needed only for PIX machines with a floppy drive). DO NOT CLICK
HERE UNLESS CONNECTED TO THE INTERNET.
-
TFTP Server Software (needed only for PIX machines without a floppy
drive) — TFTP server software is no longer available from Cisco.com,
but you can find many TFTP servers by searching for "tftp server"
on your favorite Internet search engine. Cisco does not specifically
recommend any particular TFTP implementation.
To recover your password, follow the steps below:
-
Execute the rawrite.exe file on your PC and answer the questions
on the screen using the correct password recovery file.
-
Install a serial terminal or a PC with terminal emulation software
on the PIX console port.
-
Verify that you have a connection with the PIX, and that characters
are going from the terminal to the PIX, and from the PIX to the terminal.
Note: Because you are locked out, you will see only a
password prompt.
-
Insert the PIX Password Lockout Utility disk into the floppy drive
of the PIX.
-
Push the Reset button on the front of the PIX. The PIX will reboot
from the floppy and print the message below:
Erasing Flash Password. Please eject diskette and reboot.
-
Eject the disk and press the Reset button. You will now be able to
log in without a password. When you are prompted for a password, press
ENTER.
-
The default Telnet password after this process is "cisco." There
is no default enable password. Go into configuration mode and issue
the passwd your_password command to change your Telnet
password and the enable password your_enable_password
command to create an enable password, and then save your configuration.
To recover your password, follow the steps below:
Note: Sample output from the password recovery procedure is
available below.
-
Install a serial terminal or a PC with terminal emulation software
on the PIX console port.
-
Verify that you have a connection with the PIX, and that characters
are going from the terminal to the PIX, and from the PIX to the terminal.
Note: Because you are locked out, you will see only a
password prompt.
-
Immediately after you power on the PIX Firewall and the startup messages
appear, send a BREAK character or press the ESC key. The monitor>
prompt is displayed. If needed, type ? (question mark) to list
the available commands.
-
Use the interface command to specify which interface the ping
traffic should use. For floppiless PIXes with only two interfaces,
the monitor command defaults to the inside interface.
-
Use the address command to specify the IP address of the PIX
Firewall's interface.
-
Use the server command to specify the IP address of the remote
TFTP server containing the PIX password recovery file.
-
Use the file command to specify the filename of the PIX password
recovery file. For example, the 5.1 release uses a file named np51.bin.
-
If needed, enter the gateway command to specify the IP address
of a router gateway through which the server is accessible.
-
If needed, use the ping command to verify accessibility. If
this command fails, fix access to the server before continuing.
-
Use the tftp command to start the download.
-
As the password recovery file loads, the following message is displayed:
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Note: If there are Telnet or console aaa authentication
commands in version 6.2, the system will also prompt to remove these.
-
The default Telnet password after this process is "cisco." There
is no default enable password. Go into configuration mode and issue
the passwd your_password command to change your Telnet
password and the enable password your_enable_password
command to create an enable password, and then save your configuration.
The following example of floppiless PIX password recovery with the TFTP
server on the outside interface is taken from a lab environment.
Network Diagram
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np52.bin
file np52.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....
