Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console
January 16th, 2007 by Anthony Curreri
If you are like me, you tend to click things just to see how they work. Sometimes they don’t work. At all. If you’ve mucked up the IP, VLAN, etc. settings and the Cisco ASDM can’t get into the device, it’s time for more desperate measures. If you can get into the ASDM, it is easier to reset to factory defaults from there.
There is a button on the back of the device that says ‘Reset’. This button appears to be entirely for looks. I think will help you fix the problem as much as this button will:

Instead, you’ll need to use the Console Port!
- Hook up the blue console cable to your serial port, plugging the other end into the ‘Console’ port on the ASA 5505. The console port looks like a network jack, but it’s above the USB ports.
- Select a terminal program.
  - In Windows XP, use HyperTerminal: click Start, Programs, Accessories, Communications, HyperTerminal, then create a connection on COM1 using the terminal settings below.
  - In Windows 7, I recommend PuTTY. Download and install it, then make a new connection. Select the radio button Type: Serial, then click Serial on the left and use the terminal settings below.
- Terminal settings:
  - Bits per second: 9600
  - Data bits: 8
  - Parity: None
  - Stop bits: 1
  - Flow control: None
- After you open your connection, press Enter a couple of times, and you should get a prompt like ‘ciscoasa>’ or ‘nameofyourdevice>’.
- Type ‘ena’ to go to enable mode. Enter the password, or just press Enter if there is no password set.
- Type ‘config t’.
- Type ‘config factory-default’.
- Hit the spacebar when the ‘more’ thing happens. You want to get back to the prompt that looks like ‘ciscoasa(config)#’.
- Type ‘reload save-config noconfirm’.
- Make sure that the outside line is plugged into port zero, and your PC is plugged into any of the ports 1-7.
- The Cisco ASA has been reset to factory settings. DHCP is enabled on the Cisco device, and its internal IP address is now 192.168.1.1!
- If you had an enable password set, you may need to enter that in the password box when you try to connect using the ASDM. Otherwise the default username and password is to leave both blank.
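After the reset the unit accepts ASDM logins with blank credentials, so it is worth checking what is still at its default before the outside line goes back into port zero. The Python below is an added example, not part of the original post: it audits console output captured from ‘show running-config’ and ‘show version’. The blank-password string, the ‘Configuration register is ...’ line format and the sample output are assumptions based on ASA 8.x behaviour, and the 0x41 check relates to the password-recovery comment further down the page.

```python
import re

# Assumption: ASA 8.x stores an empty enable password as this encoded string.
BLANK_ENABLE = "8Ry2YjIyt7RRXU24"

def audit_after_reset(running_config, show_version=""):
    """Return findings for console output captured after a reset (added example)."""
    lines = [ln.strip() for ln in running_config.splitlines() if ln.strip()]
    findings = []

    # Enable password: a factory reset leaves it blank.
    enable = [ln.split() for ln in lines if ln.startswith("enable password ")]
    if not enable:
        findings.append("enable-password-missing-from-capture")
    elif enable[0][2] == BLANK_ENABLE:
        findings.append("enable-password-blank")

    # ASDM: without local users plus HTTP AAA, login is a blank username and
    # the enable password, from every network listed in an 'http' line.
    http_on = any(ln.startswith("http server enable") for ln in lines)
    local_auth = (any(ln.startswith("username ") for ln in lines) and
                  any(ln.startswith("aaa authentication http console") for ln in lines))
    if http_on and not local_auth:
        findings.append("asdm-login-uses-enable-password-only")
    if http_on:
        for ln in lines:
            m = re.fullmatch(r"http (\d\S*) (\d\S*) (\S+)", ln)
            if m:
                findings.append("asdm-allowed-from %s %s on %s" % m.groups())

    # Default inside addressing clashes with an uplink that also uses 192.168.1.x.
    if "ip address 192.168.1.1 255.255.255.0" in lines:
        findings.append("inside-address-default-192.168.1.1")
    if any(ln.startswith("dhcpd enable ") for ln in lines):
        pools = [ln.split()[2] for ln in lines if ln.startswith("dhcpd address ")]
        findings.append("dhcp-server-enabled pools=" + ",".join(pools))

    # Configuration register: bit 0x40 (as in 0x41) makes the ASA skip the
    # startup-config at boot, so saved settings never load until it is cleared.
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)"
                  r"(?: \(will be (0x[0-9a-fA-F]+) at next reload\))?", show_version)
    if m:
        effective = int(m.group(2) or m.group(1), 16)
        if effective & 0x40:
            findings.append("config-register-0x%x-startup-config-ignored" % effective)
    return findings

# Constructed sample: typical 5505 output right after the reset described above.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
enable password 8Ry2YjIyt7RRXU24 encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
"""
SAMPLE_VERSION = "Configuration register is 0x41"  # constructed

if __name__ == "__main__":
    for finding in audit_after_reset(SAMPLE_CONFIG, SAMPLE_VERSION):
        print(finding)
```

An empty result means none of these defaults were found in the capture; it says nothing about the rest of the configuration.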
57 Responses to “Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console”

Thanks. I needed that. The only thing I added was to do a wri mem after it was set then reload.
I am setting up a vpn for the first time and wanted to have a clean place to start. This was exactly what I needed.
Do i lose some license-stuff or similar if i reset the asa to factory-default? I have to save files before?
best regards
omen
The only thing you’ll lose is the current configuration. If you want to back that up, follow the first group of steps I have here: Changing VPN endpoint IP on the Cisco asa5505.
well thats fine, just need the factory default.
thx and best regards
omen
Thanks – confirming to others this worked as stated. Much appreciated and saved me a tonne of time trying to get any sense out of documentation.
Thank you – works just like you described and saved me considerable pain trying to make sense of Cisco waffle.
Thanks for a very helpful post. What about the “reload save-config noconfirm” thing though? What does that do?
“reload” is instructing the unit to reboot. “save-config” means before that reload, the unit is going to save the running configuration to flash. “noconfirm” just makes it so that you don’t have to hit enter to confirm the command you’ve just typed in (I hate that).
I always like to make sure the running configuration is saved to non-volatile flash memory in case the ASA 5505 loses power. The way to ensure the unit will come back up correctly in the event of a power failure is to reboot it!
i need to configure cisco firewall using asdm but do not the tool
please any one can tell where i can download freely asdm tool
You actually download the tool from the device. Browse to https://192.168.1.1/admin and you should get the option to download it. Here is the page from Cisco with more information.
…Very to the point & helpful!
You can’t do this if you don’t have the device password.
If you don’t have the password and need to reset (which will erase all settings), do this.
Connect as above.
Power on the device.
When it prompts to interrupt boot sequence, do so (press space).
It should prompt
rommon #0>
Type in:
rommon #0> confreg
Should show something like:
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]:
Press n (don’t change)
We can reset the pass by setting register 0x41, so do this:
rommon #2> confreg 0x41
rommon #2> reboot
You now can login as the password has been removed.
It’s true, you do need the device password. I have not tested the commands Lawrence sent in, so use at your own risk…
I did password erase based on this and it worked. Thanks Lawrence !
Anthony, thanks for posting this, and thanks to all others for confirming that it works and clarifying/adding to this issue. I am a UNIX guy, and this thing drives me up the walls. The command structure is so screwed up that if you have not taken it in with either your mother’s milk or the first breaths you took, it’s beyond illogical. The one thing that I am still fighting is how to upgrade it easily, and I found that taking out the FLASH drive, adding the required software through a PCMCIA-to-FLASH card in a laptop is the easiest way. It also allows me to fix whatever configuration screwups there were without having to resort to the console cable and a config t/config factory-default thing… This is really a drag if your network does not have a 192.168.1.x address range! Considering that larger FLASH cards are getting harder to come by, I have acquired a stack, so if someone needs to upgrade SW and FLASH card, I’d be happy to do it for them. Just ping me at akloth at earthlink dot net…
Thanks for the details — password reset was spot on, too.
@Axel — you can configure the dhcp to whatever range you need. I agree that it takes some time to get accustomed to the cisco ‘language’ but once you do it actually becomes intuitive fairly quickly. I, too, am a unix/linux guy which is why I appreciate having a cli to navigate/edit the config.
Good luck, and thanks again for the information!
thanks for the tips. This works with me.
Regards
Port Moresby
Bush Mechanic
Thanks lawrence its working fine
Thanks very much very helpful!
Would you mind if i tweeted this?
Had an ASA5505 that was set up by another engineer (no longer around) and no one knew the password. Used Lawrence’s post to successfully reset the device’s password (though I needed to press Esc to interrupt the boot sequence). Sweet. Now we can get some life out of this thing.
Thanks OP and Lawrence!
Thanks for this!
Do you have any idea how to determine what type of license a given model has? I have an ASA 5505 lying around — my roommate worked remotely, his company folded, and they just told him to keep it. Considering selling it, but don’t know the license type.
show version and then look for license. Mine says base license, you can also look at vpn users and such as that is the part you are upgrading for primarily. 10 total vpn users on base license. 50 for upgraded, or unlimited for premium package.
Good job!
Thanks!
i did the same procedure on cisco asa 5510 series but when i reloaded after a reboot no configuration was found in running configuration even i copied startup-config to running-config but still when i reboot it the running-config is somehow erased or removed
could you please tell me about this
i really need help
thanks
Naveed, I’ve done this many times to Cisco ASA 5505’s, I’m not sure, but I think the 5510 should work the same way. Based on your description, the only thing I can think of is that you didn’t write memory before rebooting the switch.
Hey all,
I have never used this before, so sorry for the newbie questions. When I type “confreg” in Hyperterminal, there’s a bunch of gibberish. If I press “Enter”, it does nothing. I am not familiar with this stuff at all, but I need to reset this stupid router since the original IT person left town. Any help with keystrokes on hyperterminal would be appreciated or pointing me to the right direction would be wonderful as well. Thank you in advance
Sen, based on what you’ve said, I think you didn’t put the right information in your terminal program. Pay very close attention to all of bits, parity, and flow control stuff. The correct settings are in the instructions on this page.
Try following the instructions on this page from start to finish, and let me know where you get confused.
That said, I feel I should point out that doing this procedure successfully will completely erase all the customized settings the previous IT person entered. That may be a really bad idea if the device is in production… if you have a VPN server remote clients might not be able to connect, if you have servers behind the firewall might become inaccessible, etc, etc. If you are just trying to reset the password so that you can use the device, you should check out Lawrence’s comment.
Strange problem !!
I bought an ASA5505 and tried to configure it.
The problem is that I can not assign the vlan1 to any Ethernet port from 1 to 7, but I can assign vlan2 to E0/0,
The original IOS is 7.24 and I upgraded it to IOS 8.24, no luck.
Is anyone having this problem before ?
Not sure this is the hardware issue or software issue.
Thanks,
James Z
Hi,
Got a asa5505 from a well known supplier, and seems it was ‘pre-used’ when I actually purchased it as ‘open box’. Anyway got as far as the trying to reset factory default and I get the following error
ERROR: Command can only be executed in single router mode
Given this has a base license running 8.3(1), I’m now not sure how it isn’t running in single router mode…
Thanks
Hi: Thanks for this how to. I started to config a brand new 5505, then tried to reset it to factory defaults as above. Everything seemed to work properly, and when I show config everything looks right…inside interface is 192.168.1.0/24, dhcpd is set to 192.168.1.5-36, etc.
However, when I connect a PC to any of the inside ports, I can’t get an IP from the device, and even if I manually set the PC to 192.168.1.3, I can’t connect using ASDM or browsing to https://192.168.1.1/admin (can’t even ping it).
ah, nevermind…I restored one more time and now it’s working.
Neil,
Your fw should be converted into single mode..
this should help:
hostname(config)# mode single
Re
Arunas
Hello, my apologies, I’m a newbie too and as most of the people around here, our network admin is no longer with the company and left me nothing. I have an ASA 5505 and recently we changed the company IP and I needed to set that up in the router but I couldn’t log in. So I decided to do a factory restore and start from a clean slate. I was able to do it and it was giving me an IP but I needed to remove the password and I reset it again to factory and now I am not getting any IP address at all. It’s giving me a 169.254.60.195 IP address. Need your expertise.
thanks
Well, it wouldn’t hurt to try these factory default settings again, it’s possible you messed up a setting when you reset the password.
Make sure you have the uplink cable plugged into port 0. It’s possible to use another port, but the factory default has you getting a DHCP on port 0.
Failing all that, you could try setting a static IP on the outside port. The directions for that are here: http://www.mailbeyond.com/set-a-static-ip-for-your-cisco-asa5505-firewall.
Hope that helps.
thanks for the quick response, i did try to reset it again for about 3 or 4 times now and being careful to follow the instructions carefully. on my initial reset it did work and i was getting an ip address 192. but i couldnt log in to asdm so i reset the password and did another factory reset again but now im only getting a 169 ip and port zero is plugged in to our network but when i plug in my pc to port 1-5, i do not get any led lights only on 6 and 7 but still not giving me any address. i cant connect using asdm nor https://192.168.1.1/admin. and i have tried resetting it numerous times and nothing.
Make sure the LAN cable is a good one, and a straight-through (not a cross-over). Make sure your PC isn’t hard coded to a single IP, but is in fact configured to automatically receive an IP via DHCP.
If you are connecting the ASDM to a network that is giving out IP’s in the 192.168.1.x range, you will have problems. The device’s default for the inside is 192.168.1.1. Disconnect the uplink. Only connect your testing PC. If you have your computer directly connected to any of the ports 1-7, then you should get link lights and be able to access the ASDM using https://192.168.1.1. If not, try unplugging the Cisco unit from the power, waiting a few minutes, and plugging it in again. Wait a few minutes for it to boot and then plug in your PC.
The fact that you are not getting link lights on certain ports is troubling. You may have a hardware fault. Honestly, unless you need the advanced features of the Cisco ASA 5505, I would say run out to Best Buy and get a consumer-grade device, which will be much more user-friendly to configure…
my cable is straight through and i can connect to the network directly. and we are running dhcp. our ip is at 10.0.0.x range. i have tried unplugging the uplink and just use one cable to connect the device, there are no link lights form 0-5 only 6-7 and it will still give me 169 ip. i tried pushing the reset button at the back but it seems useless. i can still connect to the device using the console but no asdm or https. any ideas? thanks
The reset button on the back is useless. Try a different network cable, and a different client computer. Really, that’s all I got. I think you should get link lights regardless of how the device is configured, and especially if the device has been successfully reset to defaults.
Hi,
My job role has changed slightly (as ever!) and I am now being asked to go out and do the set up of two of our sites (temporary offices), which means configuring our Cisco ASA 5505 Firewalls. I’ve not done this before, but we previously used a support company and they are proving difficult to get our firewall username / passwords from (even though we’re the customer and therefore own that information!)
Anyway, I’ve not configured these devices before and tried it at home yesterday, proving highly unsuccessful as the popup window asks for username / password which I don’t have. Also when installing the ASDM console element it asked for IP address which I don’t know and am not sure how to find for the cisco (though saying that, I can of course find for my own router, is this the one that it wanted??)
Absolutely newbie for cisco’s and dreading going to set them up – this week! Wednesday and Thursday at two different sites.
Any good instructions for first timers or should I trawl this thread and pick out the step by step guides for resetting and then installing?
Sorry to be a dunce. IT literate but not cisco firewall literate!
Cheers
Reset the password using these instructions Lawrence submitted. I’ve never had to do this, so good luck!
Next, use the instructions on this page to reset the Cisco ASA 5505 back to factory defaults.
Then make sure that your ISP gives you an IP address for the Cisco device. Set it as a static IP using these directions.
Finally, you’ll want to set up a VPN tunnel using the Cisco devices as endpoints. I didn’t write up any instructions for this, it’s been a few years since I’ve done it and I no longer have access to any of these devices. So I’m afraid you’re on your own here.
OR
Have your recalcitrant IT company set up the devices for you.
Have your lawyer write them a letter threatening legal action if they do not hand over the passwords. Make sure to be clear that if recalcitrant IT company causes any interruptions in productivity that they will be sued for those damages.
Receive passwords!
Change the passwords!
Fire recalcitrant IT company, hire non-recalcitrant IT company.
is getting this error every time I try
Executing command: nameif inside
INFO: Security level for “inside” set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
ERROR: Failed to apply IP address to interface Vlan1, as the network overlaps with interface Vlan2. Two interfaces cannot be in the same subnet.
Executing command: security-level 100
then only getting a 169 Ip
have tried reseting over and over
Alan, try logging into the ASDM and removing the static IP’s you have set on the interfaces, save/reboot it, and try resetting it again. The “Reset to Factory Defaults” I have here, instead of being a one shot go, is more like: “Sequentially issue commands to change things back to normal.” Clearly it’s having trouble issuing one of those commands.
There are sort-of instructions here. Just, change it away from static, instead of setting it to static.
http://www.mailbeyond.com/set-a-static-ip-for-your-cisco-asa5505-firewall
I am able to access the 5505 firewall using 192.168.1.1 connected to port 1. However, the username and password is failing. The browser I am using is Mozilla.
The username should be blank, the password should be whatever your enable password was before you reset the device. You can also try to leave both boxes blank (that’s the default).
If those things don’t work, try using Lawrence’s password reset instructions, located here.
One thing I would like to add….
When setting up a new network with an ASA5505 I use the command at term config
ciscoasa(config)#configure factory-default 255.255.255.0
Replace with the address you want the asa to be set to and this will set everything up with that subnet and netmask.
For example… configure factory-default 10.10.20.254 255.255.255.0
This will setup the asa to use the 10.10.20 subnet instead of the 192.168.1 subnet. This will also set DHCP to use the same.
You access asdm with https://10.10.20.254/admin
I have tried to reset the ASA 5505 that I have, I have followed all the advice, but I am getting nowhere, the device I have was set up quite some time ago and left, the guy has left the company with the settings for the device.
When I try a hyperterminal session with the device, I get nothing, I can’t even get the device command line when I press enter a few times, I know the session is there as when I power off and on again, I get the:
cisco systems page that tells me the BIOS version, and at the bottom the ROMMON version, but I can’t get any further on with the reset to factory default?????
Any help anyone.
Console connections can be finicky, you need to make sure you have the right cable, and that all your hyperterminal settings are correct. I’ve always been able to use a computer that had a real COM port, a USB adapter sometimes works, sometimes doesn’t.
If you have the password, you can use the ASDM to reset the settings instead of the console.
Hello.
I’m trying to reset the password on my cisco 5505, and have followed the instructions given, but then again it will not boot.
It only says
Launching BootLoader…
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading /asa802-k8.bin… Booting…
Loading…
It just freeze there?
What is the difference between “configure factory-defaults” and “write erase”?
The “write erase” seems to do a LOT more of a thorough job of clearing out any existing config than the “configure factory-defaults” seems to.
The main difference is that I didn’t know about “write erase.”
If you want to try it, I found instructions on write erase here. Do this at your own risk, as I’ve never tried it.
With config factory-default you can specify the inside management IP address and subnet, which is handy. You can learn more about config factory-default here.
@Kjetot – How long do you let it sit before you consider it “frozen”? With my ASA 5505 booting 842, it sits there at “Loading /asa42-k8.bin…” for SEVERAL MINUTES before it actually boots. First time it did it to me I thought it froze as well. It wasn’t until I was trying a restart on it and I let it sit while I was away from my desk for several minutes that I learned it wasn’t frozen. When I got back to my desk it had actually booted, just took forever.
@Anthony Curreri – You have to be VERY careful when using those instructions to reset an ASA. Those register settings didn’t work in my 5505 ASA and just caused it to boot into rommon. I then had to use confreg within rommon to set the register to boot correctly. The steps I follow to reset the 5505 ASA using the console cable (clearing out the configuration along with any passwords):
1. In global config mode: 5505(config)# write erase
2. At the “Erase configuration in flash memory?” prompt press Enter to confirm
3. 5505(config)# reload
4. At the “Proceed with reload?” prompt press Enter to confirm (note that we did NOT do a “write memory” after the write erase but before the reload, nor do we want to save the configuration)
5. After the 5505 ASA has restarted you should be prompted to “Pre-configure Firewall now through interactive prompts?” I press “n” then enter to not run the interactive setup.
6. You should now be at the user exec: ciscoasa>
7. If you go into privilege exec mode, it should prompt for a password and the password will be blank.
That’s the steps I follow. I feel this does a much better job of clearing out the configuration. It doesn’t set any of the DHCP stuff that the “configure factory-default” sets up. All in all I feel it gives a “cleaner” reset than the “configure factory-default” gives. Of course it does have its drawbacks. After running the write erase, all of your Ethernet interfaces are shutdown. Also the ASDM is not accessible without some configuration through the console cable at the command line. What I’ve found that sort of gives the “best of both worlds” is to follow my steps above. Once you’ve done the write erase log back into the ASA and go to global config mode and enter the “configure factory-default” as you suggest above. What this does is take the very clean configuration that the “write erase” creates and turns on all the Ethernet ports, as well as does all the other nice things you’ve mentioned above making it easier to then administer the ASA through the ASDM.
Great, thanks for the info David!
You’re welcome! I’m glad that I could be of some help. Seems all too often I’m finding answers on the ‘net and not often enough that I’m supplying them!
That’s exactly why I started this blog! That, and so that I had someplace I could always find answers I came up with. OK, mostly the latter.
thanks.