Tuesday, October 23, 2012

Cisco ASA: ERROR: Command authorization failed

I had this pair of ASA 5520s that I could log in to just fine, but I couldn't run any commands except 'show version' and 'show curpriv', as far as I was aware.  As it turns out, a command authorization statement had gotten onto the ASA, and all the usernames on the ASA had a privilege level of '2'.  Not good.  I kept getting this error when I typed in a command I wanted:
CiscoASA5520# conf t
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
So, just so you can see, here is what I ran to verify that.
CiscoASA5520# sho curpriv
Username : skillen
Current privilege level : 15   <----- Before this process, it said '2'.
Current Mode/s : P_PRIV

So, I rebooted the ASA to do a password recovery, so that I could reset my privilege level.  I disconnected the primary ASA's interface cables and typed in "reload".
At this point, I'm hitting ESC to stop the booting process of the ASA.  I then get to ROMMON mode.  Below is the process I went through to do a password recovery.

rommon #0> confreg

Current Configuration Register: 0x00000001       <------- Note this number
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y                  <--------- This is the only option you change out of these questions.  Type 'Y'.
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040       <---------- Notice this config register is different than above.
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x40) in NVRAM...

rommon #1> boot
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/asa804-k8.bin... Booting...


ciscoasa> en
ciscoasa# copy start run

Destination filename [running-config]?

...INFO: Non-failover interface config is cleared on GigabitEthernet0/2 and its sub-interfaces
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
INFO: Global will be Port Address Translated
INFO: Global will be Port Address Translated
..WARNING: crypto map has incomplete entries
WARNING: No 'svc image' commands have been issued
Cryptochecksum (unchanged):

14389 bytes copied in 2.390 secs (7194 bytes/sec)
CiscoASA5520# config t
CiscoASA5520(config)# no username userlogin
CiscoASA5520(config)# username userlogin pass guessthispassword pri 15
CiscoASA5520(config)# config-register 0x00000001
CiscoASA5520# wr mem
CiscoASA5520# reload
Proceed with reload? [confirm]

Shutting down isakmp
Shutting down webvpn
Shutting down File system

*** --- SHUTDOWN NOW ---


Booting system, please wait...

There you go, password reset.
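As an added example, not from the original post, here is a small Python check that flags the two conditions this post runs into: command authorization turned on while no local user holds privilege 15, and a config register still carrying the 0x40 "ignore system configuration" bit after a recovery. The running-config excerpt is constructed for the example; the assumed default of privilege 2 for a username line without an explicit privilege is the ASA default.

```python
import re

# Constructed running-config excerpt (not from the post) reproducing the
# lockout: command authorization on, every local user at privilege 2, and a
# config register left at 0x40 after the ROMMON recovery.
SAMPLE_CONFIG = """\
hostname CiscoASA5520
aaa authorization command LOCAL
username skillen password PLACEHOLDERHASH encrypted privilege 2
username backupadmin password PLACEHOLDERHASH encrypted
config-register 0x40
"""

IGNORE_STARTUP_CONFIG = 0x40  # register bit that boots the ASA without its config
DEFAULT_PRIVILEGE = 2         # ASA default when 'privilege' is omitted on a username line


def parse_config(text):
    """Return (command_authz_enabled, {username: privilege}, config_register)."""
    authz = False
    users = {}
    confreg = 0x1  # the normal 'boot default image from Flash' value seen in the post
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("aaa authorization command"):
            authz = True
        m = re.match(r"username (\S+)", line)
        if m:
            p = re.search(r"privilege (\d+)", line)
            users[m.group(1)] = int(p.group(1)) if p else DEFAULT_PRIVILEGE
        m = re.match(r"config-register (0x[0-9a-fA-F]+)", line)
        if m:
            confreg = int(m.group(1), 16)
    return authz, users, confreg


def lockout_findings(text):
    """List the conditions that would lock admins out or leave the box weakened."""
    authz, users, confreg = parse_config(text)
    findings = []
    if authz and not any(p == 15 for p in users.values()):
        findings.append("command authorization enabled but no privilege-15 user")
    if confreg & IGNORE_STARTUP_CONFIG:
        findings.append("config-register ignores startup config (0x40 bit set)")
    return findings
```

Run it against a `show running-config` capture before enabling `aaa authorization command` so a privilege-15 account is confirmed to exist first, and again after a recovery to make sure the register went back to 0x1.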