Add Book to My BookshelfPurchase This Book Online

Chapter 7 - Building a TCP/IP Router-Based Network

Cisco TCP/IP Routing Professional Reference
Chris Lewis
  Copyright © 1999 The McGraw-Hill Companies, Inc.

Overview of Cisco Router Password Recovery Procedures
It should never happen, but it is possible that the router Enable password or secret may get lost, thus denying configuration or many troubleshooting options. There is a way to break into the router if you can operate an ASCII terminal directly connected to the console port. The process in overview is as follows.
  Power cycle the router and break out of the bootstrap program.
  Change the configuration register, to allow you either to get into Enable mode without a password (if the flash image is intact), or to view the current configuration. Then initialize the router so that the router will boot from the ROM system image.
  Either enter the show configuration command to display the router configuration file and read the Enable password, or change the Enable password directly.
  Change the configuration register back to its initial setting, and power cycle the router.
A few words of caution are in order here. Suppose that the image of IOS in flash memory is not intact and you elect to change the configuration register so that you can read only the configuration. As you saw in the original configuration file, knowing the Enable password will not help you if there is an Enable secret set. The Enable secret always appears encrypted in the configuration file. If an Enable secret is set, all this process will allow you to do is write down the configuration, or save it to a TFTP server, so that you can issue the write erase command and then recreate the router configuration with a password you know. If an Enable secret is not set, but the Enable password is encrypted, you are in the same situation.
The exact process for each of the routers in Cisco's product line varies slightly. Here is a step-by-step guide of what to do for all the Cisco 2500, 680x0-based 4000- and 7000-series routers. The 4700-series routers are based on a different processor and have a different procedure, which can be obtained directly from Cisco.
First, type the show version command and note the configuration register setting. If the console port has had a login password set that you do not know, you can assume that the configuration register is 0x2102 or 0x102.
With an ASCII terminal or PC running a terminal emulator attached to the console port, turn on the router and enter the break sequence during the first 60 seconds of the router bootup. The most difficult part of the procedure often is determining the break sequence. For Microsoft terminal products, such as Windows Terminal and Windows 95 Hyperterminal, the break sequence is the Control and Pause keys pressed simultaneously. For Procomm it is the Alt and B keys pressed simultaneously. When the correct break sequence is entered, the router will present a ">" prompt with no router name.
Next you must decide if you are going to enter the mode that allows you only to view and erase the configuration, or if you are going to restart the router so that you can get directly into Enable mode and change the configuration. Assuming that the flash memory is okay, enter o/r0x42, which configures the router to boot from flash. Entering o/r0x41 has the router boot from the boot ROMs next time the IOS is reloaded. As we know, the boot ROMs of a 2500 only contain a stripped-down version of IOS. Note the first character is the letter "o" and the fourth character is the numeral "0".
Next type the letter "I" at the > prompt and hit enter, which will initialize the router.
The router will now attempt to go through the setup procedure, and you will just answer no to all the prompts, which will leave you with a Router> prompt.
From here, you can get into privileged mode by entering the word Enable, from which you can view or change the configuration. You should proceed with some caution at this stage if you do not want to lose your existing configuration file. If you used the o/r0x42 command and want to change the configuration, issue the conf mem command to copy the configuration file from NVRAM into working memory; otherwise all the changes you make will be to the configuration file in RAM, which prior to the conf mem command was blank. If you did not realize this, made configuration changes to the blank file, and saved it prior to reloading the router software, you would overwrite the original configuration file that you want to keep. Once you have issued the conf mem command, you can enter configuration mode and alter the original configuration file, as it is now in RAM. Enter configuration mode with the conf t command.
Once you have changed the Enable password, or completed whatever configuration changes you want, enter config-reg 0x102 at the configure prompt, then press <Ctrl-Z> to exit from configuration mode. Type reload at the Router# prompt and select Yes to save the configuration.

 


 
Books24x7.com, Inc © 2000 –  Feedback