failed pix 501 password recovery

Unanswered Question
May 22nd, 2008

I have a pix501 with configuration unknown to me. I exectued the standard password recovery procedure. Although during the procedure I was informed that the password and any aaa configuration were reset (and even I was prompted to agree to delete the password and enable password comands), still when I reboot from the console I am prompted to input a username and password. The procedure recommends telneting to the pix with the standard password cisco. In my case I can't guess the IP and even if I guess this IP it maybe that telnet was disabled in the PIX firewall. So the question is: is there a default username/password usable from the console as a result of the procedure? I have attempted with no luck some more or less obvious guesses.

Any suggestions are welcome. The pix os in my case is 6.3(5) and I have used the recommended np63.bin file during the reset procedure. Thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
omikcisco1 Fri, 05/23/2008 - 00:42

Indeed I used this document.

All was OK until step 12. As explained in my original posting I don't know the IP of the PIX to complete step 12. The Note ending step 11 of the procedure reads:

"Note: If there are Telnet or console aaa authentication commands in version 6.2, the system also prompts to remove these."

If I use the console to login I am still prompted for a username and password. This should not have hapened if the aaa authentication commands on the console ports would have been indeed erased.

If I repeat the procedure I am indicated in Step 11 that "no password or aaa authentications commands where found" yet I continue to be prompted for a username (which can't be empty).

andrew.prince@m... Fri, 05/23/2008 - 00:57


If you are using the url provided and performing every step in the guide - YOU actually configure the IP address that the PIX uses in the interface you specify? YOu specify the file to be tftp'f to the PIX - how could you not know the IP address when you have to configure it for the process to work?

Install a serial terminal or a PC with terminal emulation software on the PIX console port.

Verify that you have a connection with the PIX, and that characters are going from the terminal

to the PIX, and from the PIX to the terminal.

Note: Because you are locked out, you only see a password prompt.

Immediately after you power on the PIX Firewall and the startup messages appear, send a

BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ?

(question mark) to list the available commands.

monitor>interface 0

0: i8255X @ PCI(bus:0 dev:13 irq:10)

1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

monitor>address <>

address x.x.x.x - this is the address you just configured

monitor>server <>

server y.y.y.y - this is the address you just configured

monitor>file <>

file thecorrectfilename.bin

monitor>gateway <>

gateway z.z.z.z - this is the address you just configured

monitor>ping y.y.y.y

Sending 5, 100-byte 0xf8d3 ICMP Echoes to y.y.y.y, timeout is 4 seconds:


Success rate is 100 percent (5/5)

monitor>tftp - this is the link for the file with the pix running 6.3

omikcisco1 Fri, 05/23/2008 - 03:28


Thank you for the answers.

Concerning your first remark please note that the IP settings I give while in ROMmon mode (via a terminal emulation software) during the password recovery procedure are temporary and only for the purpose of downloading np63.bin. Once this file is downloaded the PIX automatically reboots and therefore comes back to the IP settings in the configuration stored in the flash.

The Step 12 in the procedure as published by Cisco seems flowed to me (or incorrectly explained). Reading other posts I understand that loading np63.bin only deletes from the configuration stored in the flash the information about passwords and aaa authentication. If it is to access a PIX firewall ONLY via telnet after this procedure was performed consider the fact that the adminstrator may have firewalled the telnet port on the PIX and this setting is not going to disappear by loading np63.bin. So it appears there are cases when Step 12 of the procedure can't be completed.

Most probably what one should expect as a result of the procedure should be: after the PIX reboots at the console prompt (seen via a terminal emulation software) one is prompted

for a password which should be 'cisco' and this is granting access to the PIX etc...

In my case when I do so I see instead of a password prompt a username prompt.

I hope now is clear what exactly is happening in my case.

andrew.prince@m... Fri, 05/23/2008 - 03:43

If you are following ALL the steps in the guide exactly, do you get the prompt:-

Do you wish to erase the passwords? [yn]

If so - do you press "y" and receive the below:-

Passwords have been erased.



omikcisco1 Fri, 05/23/2008 - 06:32

Yes. This is exactly how it goes. In addition at the first attempt it was indicated to me the two lines in the configuration which I have to agree to be deleted. Something like:

enable password XXXXX encrypted

password YYYYY encrypted


andrew.prince@m... Fri, 05/23/2008 - 07:04

If the process appears to finish and reboot the pix, but still asks you for a uid/pwd - then the process was not 100% complete.

I suggest you do the password recovery directly connected to the device?

omikcisco1 Fri, 05/23/2008 - 07:51

This is exactly how I do. I attach the console cable to the PC serial port and I have one ethernet cable between the PIX and the PC. I use Hyperterminal to issue the commands to ROMmon.

After the PIX reboots I am attempting to login to PIX console using Hyperterminal.

I attach a text file containing all the session so one can see what is happening right now.

andrew.prince@m... Fri, 05/23/2008 - 08:47

it looks like you have erased the passwd & secret passwords, but the configuration has been configured with aaa - which is pointing to either a local username or external AAA server.

omikcisco1 Fri, 05/23/2008 - 09:17

Indeed I did this as a part of the procedure (and this was supposed to happen: the procedure is supposed to erase those passwords).

I also assume that there was originally a local username. We do not use here external AAA servers. However if all the aaa configuration was erased as a result of loading of the np63.bin in particular were erased the statements:

aaa-server LOCAL protocol LOCAL

aaa authentication serial console LOCAL

As a result any statemement like:

username XXX password YYY encrypted privilege N defining a local user should be ignored (and is not).

So this is indeed a failed recovery procedure and not because it was not correctly executed on the user side.

The issue however stays the same for me: how can I recover a PIX501 brought in this weierd state?

andrew.prince@m... Fri, 05/23/2008 - 09:40

I do not think you can clear the config from flash memory from any other place but the command line.

I suggest you contact the person who had the firewall before and give you the login details?

omikcisco1 Fri, 05/23/2008 - 10:23

Investigating what has happened before with the PIX is not guaranteed to give me the desired information.

It is very strange for me that Cisco publishes a procedure who in certain circumstances fails.

As the traditional reset button in SOHO devices is missing and as far as it is documented the erasing of the configuration can't be done via ROMmon I am wondering if I open the device maybe there is a dip switch resetting to factory defaults.


This Discussion