Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console

If you are like me, you tend to click things just to see how they work. Sometimes they don’t work. At all. If you’ve mucked up the IP, VLAN, etc. settings and the Cisco ASDM can’t get into the device, it’s time for more desperate measures.

If you can get into the ASDM, it is easier to reset to factory defaults using Cisco’s ASDM.

If you forgot the enable password, Lawrence’s comment on this page might help.

There is a button on the back of the device that says ‘Reset’. This button appears to be entirely for looks. I think will help you fix the problem as much as this button will:

Instead, you’ll need to use the Console Port!

  1. Hook up the blue console cable to your serial port, plugging the other end into the ‘Console’ port on the ASA 5505. The console port looks like a network jack, but it’s above the USB ports.
  2. Select a terminal program.
    1. In Windows XP, use HyperTerminal: click Start, Programs, Accessories, Communications, HyperTerminal, then create a connection on COM1 using the terminal settings listed below.
    2. In Windows 7, I recommend PuTTY. Download and install it, then make a new connection. Select the radio button Type: Serial, then click Serial on the left and use these settings:
    • Bits per second: 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: None
  3. After you open your connection, press Enter a couple of times, and you should get a prompt like ‘ciscoasa>’ or ‘nameofyourdevice>’.
  4. Type ‘ena’ to go to enable mode. Enter the password, or just press Enter if there is no password set.
  5. Type ‘config t’.
  6. Type ‘config factory-default’.
  7. Hit the spacebar when the ‘more’ thing happens. You want to get back to the prompt that looks like ‘ciscoasa(config)#’.
  8. Type ‘reload save-config noconfirm’.
  9. Make sure that the outside line is plugged into port zero, and your PC is plugged into any of the ports 1-7.
  10. The Cisco ASA has been reset to factory settings. DHCP is enabled on the Cisco device, and its internal IP address is now 192.168.1.1!
  11. If you had an enable password set, you may need to enter that in the password box when you try to connect using the ASDM. Otherwise, the default is to leave both the username and password blank.
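
The console steps above can also be scripted. This is an added example, not part of the original post: a small expect-style driver in Python for steps 3 to 8. The pager text `<--- More --->`, the `Password:` prompt and all function names are assumptions, and `open_console` needs the third-party pyserial package.

```python
import re

# Step 2 settings: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control.
SERIAL_SETTINGS = dict(baudrate=9600, bytesize=8, parity="N", stopbits=1,
                       xonxoff=False, rtscts=False, timeout=1)
PAGER = rb"<--- More --->"  # assumed text of the 'more' pager
USER, PRIV, CONF = rb">\s*$", rb"(?<!\))#\s*$", rb"\(config\)#\s*$"

def open_console(device):  # e.g. "COM1"; needs the pyserial package
    import serial
    return serial.Serial(device, **SERIAL_SETTINGS)

def expect(port, patterns, max_reads=120):
    """Read until the output ends in one of the patterns; return its index."""
    buf = b""
    for _ in range(max_reads):
        buf += port.read(256)
        for i, pat in enumerate(patterns):
            if re.search(pat, buf):
                return i
    raise TimeoutError("no expected prompt, last output: %r" % buf[-80:])

def factory_reset(port, enable_password=""):
    """Drive steps 3-8 over an open console; return the commands sent."""
    sent = []
    def send(cmd):
        sent.append(cmd)
        port.write(cmd.encode() + b"\r")
    for _ in range(10):  # step 3: press Enter until the device answers
        port.write(b"\r")
        try:
            at = expect(port, [USER, PRIV], max_reads=2)
            break
        except TimeoutError:
            pass
    else:
        raise TimeoutError("console silent: check cable and serial settings")
    if at == 0:  # step 4: enable mode; the password is kept out of `sent`
        send("ena")
        expect(port, [rb"Password:\s*$"])
        port.write(enable_password.encode() + b"\r")
        expect(port, [PRIV])
    send("config t")  # step 5
    expect(port, [CONF])
    send("config factory-default")  # step 6
    while expect(port, [PAGER, CONF]) == 0:  # step 7: space past each pager
        port.write(b" ")
    send("reload save-config noconfirm")  # step 8
    return sent
```

Call it as `factory_reset(open_console("COM1"))`; a `TimeoutError` means the device never showed the expected prompt, which is the same symptom as a wrong cable or wrong serial settings.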

99 thoughts on “Restoring Factory Defaults to the Cisco ASA5505 Firewall via the Console”

  1. CiscoNewb

    Thanks for the tips. A complete newbie like I am just managed a factory restore.

    I can also confirm the reset button does nothing. When held for 3 seconds and then rebooted. When held on power on. When held for 30 seconds. etc etc. Nothing helps.

    I also could not get the USB console cable going at all for my ASA 5508 so had to use an older PC with a serial port and the older serial to RJ45 cable, but it all worked in the end with your steps.

  2. Huyenvv

    Please help me with: appearing warning indicator lights “Alarm” when the boot device not ASA 5512. Then retrieve equipment.

  3. Brandon Bunnelle

    I want to preface what I am about to say with “I am not a Cisco master and I am still learning these alien languages”.

    I had a similar issue with my ASA-5505’s where I would reboot the device after following these instructions and the configuration was missing or lost even after I performed the “Write” or “Write Memory” command.

    I believe the issue to reside with the “rommon #0> confreg 0x41” from “Lawrence” not being followed up with a “rommon #0> confreg 0x01” after you “Write” or “Write Memory” and “Reload” before booting back into IOS.

    I believe the following to be true from experience/results:

    rommon #0> confreg 0x41 = bypass “Config” on boot
    rommon #0> confreg 0x01 = default “Config” on boot (memory)

    “0x01” is where your “Write” or “Write Memory” command is sending your configuration in memory for the boot process. By leaving it in the “0x41” state you’re always bypassing your default config thus never seeing your custom work after the reboot or pulling the power.

    I hope this helps someone in the same situation as me. This is purely my observations but I did have success by ending this whole process with “rommon #0> confreg 0x01” and I am now booting into my custom configuration every single time I reboot or if I pull power.

  4. Ricky

    Thank you — great article; I reset these things every now and again but can NEVER remember how to do it and always stumble upon this article.

  5. Pingback: Changing VPN endpoint IP on the Cisco asa5505

  6. Dmytro

    I have an issue, I follow the steps and connect everything and use PuTTY to connect to the ASA 5505, but when the PuTTY command window opens and I press Enter, it doesn’t do anything.

    1. Anthony Curreri

      You have to press enter like 6 or 10 times before it responds, sometimes. If that doesn’t work, then double-check your settings:
      Bits per second: 9600
      Data bits: 8
      Parity: None
      Stop bits: 1
      Flow control: None
      If it still doesn’t work, then either your console cable is bad, or you are not using a standard Cisco cable. Serial cables are kind of a nightmare in that they can have the correct ends but the pinouts can be non-standard. Try getting your hands on a genuine Cisco cable.

  7. Morten M

    I have successfully used this guide, but I can’t connect to the device through the ASDM-launcher.

    My PC is getting an ip-address, and I can ping the device, but neither the web interface nor ASDM is working – any ideas?

    The browser times out and the ASDM-launcher just keeps trying to connect.

    Thanks

    Regards

    1. Anthony Curreri

      If you are getting an ip-address in the 192.168.0 range, and you can ping 192.168.0.1, then I’m not sure why you can’t connect… I vaguely remember that there was a gotcha on finding the URL: like maybe you had to do https://192.168.0.1. It’s been years since I’ve used these devices, however; I apologize. Try posting more info, or if you find the solution, post that!

      1. James Newton

        I’m no expert, but doing a config factory-default 192.168.0.1 255.255.255.0 and so on resulted in complete inability to reach the unit via the web browser. https://192.168.0.1/admin was unreachable. Couldn’t get to ASDM to save my life.

        Re-doing it without the IP address and then going to https://192.168.0.1/admin worked a treat. It apparently doesn’t like the 192.168.0.x network.

  8. Pingback: Cisco ASA 5505 reset button | progpen.com

  9. Pingback: How to put my ASA 5505 into single router mode so I can restore factory defaults? - Admins Goodies

  10. Pingback: How to put my ASA 5505 into single router mode so I can restore factory defaults? | PHP Developer Resource

  11. Marc Webb

    So I got the hardware specs, but I can’t reset the password. Does the computer need to be online for that? Asking because I did use one that isn’t hooked up to the net.

    Thanks

    1. Anthony Curreri

      These instructions only reset the configuration, not the password. I’ve never had to reset the password on one of these devices; I don’t know how to do it. My only advice is to Google for it.

  12. Marc Webb

    Which commands do I type to make sure the password is really erased? Also to get the hardware specs?

    Thank you

  13. George Hofmann

    I have followed the instructions to reset to factory settings. Completed and believe everything worked. But my computer does not get any IP address to connect to. So, I redid the reset many times and get the same result. I have noticed that there is an error in the executing command lines. It says:
    Failed to apply IP address to interface Vlan2, as the network overlaps with interface Vlan1. Two interfaces cannot be in the same subnet.

    Is this what is causing me not to be able to get an IP address from the device? If so, how do I resolve this issue?

  14. Marc Webb

    Can someone please tell me if the password was reset? I followed the instructions, but I’m not sure. Thanks

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00 01 00 1022 2080 Host Bridge
    00 01 02 1022 2082 Chipset En/Decrypt 11
    00 0C 00 1148 4320 Ethernet 11
    00 0D 00 177D 0003 Network En/Decrypt 10
    00 0F 00 1022 2090 ISA Bridge
    00 0F 02 1022 2092 IDE Controller
    00 0F 03 1022 2093 Audio 10
    00 0F 04 1022 2094 Serial Bus 9
    00 0F 05 1022 2095 Serial Bus 9

    Evaluating BIOS Options …
    Launch BIOS Extension to setup ROMMON

    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

    Platform ASA5505

    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.

    Launching BootLoader…
    Default configuration file contains 1 entry.

    Searching / for images to boot.

    Loading /asa825-k8.bin… Booting…
    Platform ASA5505

    Loading…
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    Starting check/repair pass.
    Starting verification pass.
    /dev/hda1: 170 files, 30254/62014 clusters
    dosfsck(/dev/hda1) returned 0

    Processor memory 383561728, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

    Total SSMs found: 0

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : Unlimited
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    SSL VPN Peers : 2
    Total VPN Peers : 25
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Shared License : Disabled
    AnyConnect for Mobile : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions : 2
    Total UC Proxy Sessions : 2
    Botnet Traffic Filter : Disabled

    This platform has an ASA 5505 Security Plus license.

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode :
    SSL/IKE microcode: PLUS-2.03
    IPSec microcode :

    Cisco Adaptive Security Appliance Software Version 8.2(5)

    Or what should I do to confirm that this is factory reset and no password?

    Thanks

  15. Achdav

    Never mind. Got a clue as to what to do from one of the posts above. Took the mem card out, copied the file to it from my laptop card reader and all is well again.

    Thanks for this blog!

  16. Achdav

    Hi,

    Thanks for the above info.
    Maybe you can help me with (I’m not an engineer) a 5505 I’m configuring. I’m supposed to delete the asa & asdm .bin files, and then replace them with an older version. Problem is I deleted the files but only installed (through 192.168.1.1) the asa822-k8.bin file before rebooting. Now I can’t access it unless using the serial cable. I’d like to copy the asdm-634-53.bin file to the unit but don’t know how to through PuTTY.

    Thanks for any help.

  17. Tom

    So I go through the process to restore to factory defaults (had to reset the password first) and here’s what happens..

    I type ‘config factory-default’ and once that is done I can ping 192.168.1.1 (I have my laptop plugged in directly to the ASA with a static IP address on that same subnet).

    However, when I type ‘reload save-config noconfirm’ and it reboots I can no longer ping that address and can’t get into the ASA with ASDM (can still get in w/ PuTTY fine)..

    I’m just worried it is picking back up a configuration upon reboot and not the default that I’m trying to load on it.

    Please advise.

    Thanks much!

    1. Anthony Curreri

      Tom, the ‘save-config’ part of ‘reload save-config noconfirm’ is for writing the volatile memory to flash. Every time I’ve rebooted after issuing this command, it’s booted up with the settings I’ve written. I’m guessing either you have a hardware problem or you have your device configured to boot a different binary than you are writing to. I don’t know how to resolve either one, though–I’ve never encountered this problem, it’s been 5 years since I’ve set one of these up, and I no longer work for the group I set it up for (so I have no access to any Cisco devices). Best of luck.
