| Complete these steps to recover your password:
1. Install a serial terminal or a PC with terminal emulation software on the PIX console port.
2. Verify that you have a connection with the PIX, and that characters are going from the terminal to the PIX, and from the PIX to the terminal.
Note: Because you are locked out, you only see a password prompt.
3. Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ? (question mark) to list the available commands.
4. Use the interface command to specify which interface the ping traffic should use. For floppiless PIXes with only two interfaces, the monitor command defaults to the inside interface.
5. Use the address command to specify the IP address of the PIX Firewall's interface.
6. Use the server command to specify the IP address of the remote TFTP server containing the PIX password recovery file.
7. Use the file command to specify the filename of the PIX password recovery file. For example, the 5.1 release uses a file named np51.bin.
8. If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.
9. If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.
10. Use the tftp command to start the download.
11. As the password recovery file loads, this message is displayed:
12. Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Note: If there are Telnet or console aaa authentication commands in version 6.2, the system also prompts to remove these.
13. The default Telnet password after this process is "cisco". There is no default enable password. Go into configuration mode and issue the passwd your_password command to change your Telnet password and the enable password your_enable_password command to create an enable password, and then save your configuration.
This example of floppiless PIX password recovery with the TFTP server on the outside interface is taken from a lab environment.
Network Diagram

monitor>interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor>address 10.21.1.99
address 10.21.1.99
monitor>server 172.18.125.3
server 172.18.125.3
monitor>file np52.bin
file np52.bin
monitor>gateway 10.21.1.1
gateway 10.21.1.1
monitor>ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor>tftp
tftp np52.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....
|
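A password reset on a firewall is worth keeping as a verified record. The following is an added example, not part of the original procedure: a Python check that reads a captured console log of the monitor-mode session and confirms that the address, server and file commands were entered before tftp, that the download completed, and that the passwords were erased. The name audit_session and the treatment of a 0 percent ping result as a failure are assumptions of this example; the sample log is an abridged copy of the lab session above.

```python
import re

# Constructed sample: abridged from the lab session shown on this page.
SAMPLE = """\
monitor>interface 0
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor>address 10.21.1.99
monitor>server 172.18.125.3
monitor>file np52.bin
monitor>gateway 10.21.1.1
monitor>ping 172.18.125.3
Success rate is 100 percent (5/5)
monitor>tftp
Received 73728 bytes
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....
"""

REQUIRED = ("address", "server", "file")  # steps 5, 6 and 7 of the procedure


def audit_session(log):
    """Return (settings, problems) for a captured monitor-mode session."""
    settings, problems = {}, []
    for line in log.splitlines():
        cmd = re.match(r"monitor>\s*(\w+)\s*(\S*)", line)
        if cmd:
            name, arg = cmd.groups()
            if name == "tftp":
                # Step 10 must come after the mandatory settings.
                missing = [c for c in REQUIRED if c not in settings]
                if missing:
                    problems.append("tftp started without: " + ", ".join(missing))
                # Step 9: a failed ping should be fixed before the download.
                if settings.get("ping_rate") == 0:
                    problems.append("tftp started after a failed ping")
            settings[name] = arg
            continue
        rate = re.search(r"Success rate is (\d+) percent", line)
        if rate:
            settings["ping_rate"] = int(rate.group(1))
        got = re.match(r"Received (\d+) bytes", line)
        if got:
            settings["bytes"] = int(got.group(1))
        if line.startswith("Passwords have been erased"):
            settings["erased"] = True
    if "tftp" not in settings:
        problems.append("no tftp command in the capture")
    if not settings.get("bytes"):
        problems.append("no recovery image was received")
    if not settings.get("erased"):
        problems.append("passwords were not erased")
    return settings, problems
```

Feed it the text saved by the terminal emulator's session logging; an empty problem list means the capture matches the procedure from step 5 through the erase confirmation.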