Comments on: Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console

By: tanks

tanks — Thu, 02 Feb 2012 21:57:12 +0000

tanks.

By: Anthony Curreri

Anthony Curreri — Wed, 04 Jan 2012 20:51:45 +0000

That’s exactly why I started this blog! That, and so that I had someplace I could always find answers I came up with. OK, mostly the latter.

By: David Musashi

David Musashi — Wed, 04 Jan 2012 20:38:35 +0000

Your welcome! I’m glad that I could be of some help. Seems all too often I’m finding answers on the ‘net and not often enough that I’m supplying them!

By: Anthony Curreri

Anthony Curreri — Wed, 04 Jan 2012 19:34:08 +0000

Great, thanks for the info David!

By: David Musashi

David Musashi — Wed, 04 Jan 2012 19:31:16 +0000

@Anthony Curreri – You have to be VERY careful when using those instructions to reset an ASA. Those register settings didn’t work in my 5505 ASA and just caused it to boot into rommon. I then had to use confreg within rommon to set the register to boot correctly. The steps I follow to reset the 5505 ASA using the console cable(clearing out the configuration along with any passwords)
1. In global config mode: 5505(config)# write erase
2. At the “Erase configuration in flash memory?” prompt press Enter to confirm
3. 5505(config)# reload
4. At the “Proceed with reload?” prompt press Enter to confirm (note that we did NOT do a “write memory” after the write erase but before the reload, nor do we want to save the configuration)
5. After the 5505 ASA has restarted you should be prompted to “Pre-configure Firewall now through interactive prompts?” I press “n” then enter to not run the interactive setup.
6. You should now be at the user exec: ciscoasa>
7. If you go into priviledge exec mode, it should prompt for a password and the password will be blank.

That’s the steps I follow. I feel this does a much better job of clearing out the configuration. It doesn’t set any of the DHCP stuff that the “configure factory-default” sets up. All in all I feel it gives a “cleaner” reset than the “configure factory-default” gives. of course it does have it’s drawbacks. After running the write erase, all of your Ethernet interfaces are shutdown. Also the ASDM is not accessible without some configuration through the console cable at the command line. What I’ve found that sort of gives the “best of both worlds” is to follow my steps above. Once you’ve done the write erase log back into the ASA and go to global config mode and enter the “configure factory-default” as you suggest above. What this does is take the very clean configuration that the “write erase” creates and turns on all the Ethernet ports, as well as does all the other nice things you’ve mentioned above making it easier to then administer the ASA through the ASDM.

By: David Musashi

David Musashi — Wed, 04 Jan 2012 16:59:52 +0000

@Kjetot – How long do you let it sit before you consider it “frozen”? With my ASA 5505 booting 842, it sits there at “Loading /asa42-k8.bin…” for SEVERAL MINUTES before it actually boots. First time it did it to me I thought it froze as well. It wasn’t until I was trying a restart on it and I let it sit while I was away from my desk for several minutes that I learned it wasn’t frozen. When I got back to my desk it had actually booted, just took forever.

By: Anthony Curreri

Anthony Curreri — Wed, 04 Jan 2012 16:54:17 +0000

The main difference is that I didn't know about "write erase." If you want to try it, I found instructions on write erase here. Do this at you own risk, as I've never tried it. With config factory-default you can specify the inside management IP address and subnet, which is handy. You can learn more about config factory-default here.

By: David Musashi

David Musashi — Wed, 04 Jan 2012 16:38:17 +0000

What is the difference between “configure factory-defaults” and “write erase”?
The “write erase” seems to do a LOT more of a through job of clearing out any existing config than the “configure factory-defaults” seems too.

By: Kjetot

Kjetot — Tue, 15 Nov 2011 12:14:59 +0000

Hello.
I’m trying to reset the password on my cisco 5505, and have followed the instructions given, but then agin it will not boot.

It only says

Launching BootLoader…
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa802-k8.bin… Booting…
Loading…

It just freeze there?

By: Anthony Curreri

Anthony Curreri — Mon, 14 Nov 2011 17:20:48 +0000

Console connections can be finicky, you need to make sure you have the right cable, and that all your hyperterminal settings are correct. I've always been able to use a computer that had a real COM port, a USB adapter sometimes works, sometimes doesn't. If you have the password, you can use the ASDM to reset the settings instead of the console.