enable secret & service password encryption on ASA?

whiteford
Level 1

Hi, I've noticed on our Cisco ASA 5520 that it's only using "enable password". All I have to do (via telnet) is put in the password of cisco, and then if I type "enable" and the password of cisco then I'm on!

Should I be prompted with a username and password?

I've looked on the CLI config and I can't see the username cisco or password cisco anywhere! I have found the "enable password", which is encrypted. What should I do, as I don't want to lose access? Should I use "enable secret" instead? And "service password encryption"?

I've noticed SSH2 is enabled, but what username/password would this be, level 15?


Harald-Norvik
Level 1

Change the following in your config:

passwd

enable password

These are in effect as long as you are not running aaa. The default username on telnet/ssh access is pix; for the level 15 access using the http interface, use enable_15.

... and by the way, the PIX/ASA encryption of the passwords is a one way hash - it cannot be decrypted. Not like the level 7 encryption on the IOS routers.

Harald

Great, I will do:

passwd

enable password

You are right, I only use the router IOS and assumed I'd have to use enable secret, service password encryption etc...

How can you change the default username for SSH on a PIX?

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1060011

username newusername password newpassword [privilege priv_level]

aaa authentication ssh console LOCAL

You can assign priv-level 15 to a username and bypass the enable password if you choose.
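Added example (not part of the thread, and not Cisco tooling): a small Python check that reads an ASA running-config and reports whether telnet/ssh logins still fall back to the shared `passwd`, or whether `aaa authentication ... console LOCAL` is set without any `username` defined, which would lock you out. The sample configs and hash placeholders are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread); hashes are placeholders.
SAMPLE_BEFORE = """\
enable password HASH_PLACEHOLDER_1 encrypted
passwd HASH_PLACEHOLDER_2 encrypted
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
"""

# The same config after adding the two commands quoted in the reply above.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
username newusername password HASH_PLACEHOLDER_3 encrypted privilege 15
aaa authentication ssh console LOCAL
"""

# "ssh <ip> <mask> <interface>" / "telnet <ip> <mask> <interface>" permit lines.
ACCESS_RE = re.compile(r"^(ssh|telnet) \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")
AAA_RE = re.compile(r"^aaa authentication (ssh|telnet) console (.+)$")
USER_RE = re.compile(r"^username (\S+) password \S+")


def audit_mgmt_auth(config):
    """Return findings about how ssh/telnet logins are authenticated."""
    enabled, aaa, users = set(), {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACCESS_RE.match(line):
            enabled.add(m.group(1))
        elif m := AAA_RE.match(line):
            aaa[m.group(1)] = m.group(2).split()
        elif m := USER_RE.match(line):
            users.append(m.group(1))
    findings = []
    for proto in sorted(enabled):
        if proto not in aaa:
            findings.append(f"{proto}: no aaa authentication, login uses the shared passwd")
        elif "LOCAL" in aaa[proto] and not users:
            findings.append(f"{proto}: aaa LOCAL set but no username defined (lockout risk)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_mgmt_auth(cfg))
```
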
