I often come up with ideas for my posts based on questions I get from my students. In a CCIE Security 5-day ILT I had a student ask me: does the ASA use a config-register like a router does?
The answer is yes, it does, kinda. Let me explain. First off, let's see what the configuration register on this ASA is set to. We do this with the show version command (note that the Cisco default is 0x1; as you'll see, this particular box has been changed):
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.1(5)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 4 mins 13 secs
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001b.53ff.0360, irq 9
1: Ext: Ethernet0/1 : address is 001b.53ff.0361, irq 9
2: Ext: Ethernet0/2 : address is 001b.53ff.0362, irq 9
3: Ext: Ethernet0/3 : address is 001b.53ff.0363, irq 9
4: Ext: Management0/0 : address is 001b.53ff.0364, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1122L0VX
Running Activation Key: 0xb3165a49 0xf8ec70c2 0xb8523520 0x9a040038 0xc70a2f90
Configuration register is 0x41
Configuration has not been modified since last system restart.
ciscoasa#
So there we have it. The configuration register on this box is set to 0x41 (the factory default is 0x1). Let's break this down further. The ASA configuration register has five configurable hex characters. From basic hex we know that each character is 4 bits; the characters are numbered from the rightmost (0) to the leftmost (4), so reading left to right the positions are:
4, 3, 2, 1, 0
Let’s examine these values:
Character 4
When the ASA boots up there is a roughly 10-second window in which you can send a BREAK or ESC to interrupt the boot; the countdown looks like this:
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform ASA5510
Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately. Boot in 8 seconds.
By changing the leftmost character, character 4, you can disable this break countdown. The only valid values are 0 and 1: with 0 the countdown occurs, with 1 it is skipped and the ASA boots straight away. Keep in mind that the countdown is also the window you use to break into ROMMON for password recovery, so set this deliberately.
Character 3
To understand character 3 you need to understand a command available on the ASA in configuration mode. That command is boot system, and it tells the ASA where to find and load its system image from. As you can see in the output below you have a few choices, one of which is a TFTP server.
ciscoasa(config)# boot system ?
configure mode commands/options:
disk0: Path and filename on disk0:
disk1: Path and filename on disk1:
flash: Path and filename on flash:
tftp: A URL beginning with this prefix.
ciscoasa(config)# boot system
Now here is where the third character comes into play. If you have told your ASA to fetch its system image from a TFTP server and that server is not available, what should happen next? With character 3 you can tell the ASA to drop to ROMMON instead. The valid values are 0 and 2: with 0 it does not boot into ROMMON, and with 2 it will, provided the TFTP boot fails.
Character 2
This one is pretty easy, as it is reserved for future use. For now we just leave it at 0.
Character 1
The acceptable values here are 0, 1, 4 or 5. A 1 says you want to boot from the TFTP server defined in ROMMON. A 4 tells the ASA to ignore the startup-config, which is exactly what you need for a password recovery. A 5 does both 1 and 4 (the values are additive: 1 + 4), killing two birds with one stone.
Character 0
This is the rightmost character, with values from 1 to 9. It specifies which image you want to boot.
These are all listed in the command reference for the ASA under config-register.
Password Recovery
So this brings me to the question: how can I perform a password recovery on an ASA? Is it similar to the routers? The answer is yes, it is similar to the routers. Here is what you do:
- Power off the ASA and then power it back on while connected with a terminal application to the console port.
- During the bootup process hit the escape key when the countdown starts.
- At the rommon prompt, either set the register directly with confreg 0x41, or type confreg by itself and walk through the prompts:
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #1> confreg
- If you take the interactive route, accept the defaults for every prompt except the one that asks whether to disable the system configuration; answer y there. Either way character 1 ends up as 4, so the startup-config is ignored on the next boot.
- Type boot and you are in business. Once the ASA is up, copy startup-config running-config, set a new enable password, put the register back with config-register 0x1 (or whatever it was before), and write memory; otherwise the box keeps ignoring its startup-config on every reboot. Remember that all of this takes nothing more than console access, so physical security of the console port matters; no service password-recovery is the knob if you need to shut this door.
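As an added example (not code from the post or from Cisco), here is a small Python decoder and encoder for the register layout described above, with the password-recovery transformation from the steps just listed. The field names are mine; treating character 2 as must-be-zero and accepting 0 in character 0 (the post lists 1 to 9) are assumptions drawn from the post's description.

```python
"""Decode, build and check Cisco ASA configuration-register values.

Added example, not code from the original post or from Cisco. It packs the
five hex characters exactly as the post describes them (character 4 leftmost,
character 0 rightmost); the field names are the author's own choice.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

ASA_DEFAULT = 0x1  # Cisco default: boot the local image, load startup-config


@dataclass(frozen=True)
class ConfReg:
    skip_countdown: bool = False        # char 4 == 1: no BREAK/ESC countdown at boot
    rommon_on_tftp_fail: bool = False   # char 3 == 2: drop to ROMMON if a TFTP boot fails
    tftp_boot: bool = False             # char 1 has the 1 bit: boot from ROMMON's TFTP server
    ignore_startup: bool = False        # char 1 has the 4 bit: ignore startup-config
    image: int = 1                      # char 0: which image to boot (0 = none chosen; assumption)


def _nibble(value: int, position: int) -> int:
    """Hex character `position` of `value`, counting 0 from the right."""
    return (value >> (4 * position)) & 0xF


def decode(value: int) -> ConfReg:
    """Split a register value into fields, rejecting values the layout does not define."""
    if not 0 <= value <= 0xFFFFF:
        raise ValueError(f"{value:#x}: only the five low hex characters are defined")
    c4, c3, c2, c1, c0 = (_nibble(value, p) for p in (4, 3, 2, 1, 0))
    if c4 not in (0, 1):
        raise ValueError(f"character 4 must be 0 or 1, got {c4:x}")
    if c3 not in (0, 2):
        raise ValueError(f"character 3 must be 0 or 2, got {c3:x}")
    if c2 != 0:
        raise ValueError(f"character 2 is reserved and must be 0, got {c2:x}")
    if c1 not in (0, 1, 4, 5):
        raise ValueError(f"character 1 must be 0, 1, 4 or 5, got {c1:x}")
    if c0 > 9:
        raise ValueError(f"character 0 selects an image 1-9, got {c0:x}")
    return ConfReg(
        skip_countdown=c4 == 1,
        rommon_on_tftp_fail=c3 == 2,
        tftp_boot=bool(c1 & 1),
        ignore_startup=bool(c1 & 4),
        image=c0,
    )


def encode(reg: ConfReg) -> int:
    """Inverse of decode(): pack the fields back into the hex value."""
    if not 0 <= reg.image <= 9:
        raise ValueError("image must be 0-9")
    return (
        (1 if reg.skip_countdown else 0) << 16
        | (2 if reg.rommon_on_tftp_fail else 0) << 12
        | ((4 if reg.ignore_startup else 0) | (1 if reg.tftp_boot else 0)) << 4
        | reg.image
    )


def describe(value: int) -> list[str]:
    """One line per field, in the spirit of the summary ROMMON's confreg prints."""
    reg = decode(value)
    lines = [f"Configuration register: {value:#x}"]
    lines.append("skip boot countdown" if reg.skip_countdown
                 else "10-second BREAK/ESC countdown at boot")
    if reg.rommon_on_tftp_fail:
        lines.append("boot ROMMON if TFTP boot fails")
    if reg.tftp_boot:
        lines.append("boot from TFTP server defined in ROMMON")
    lines.append("ignore startup-config" if reg.ignore_startup else "load startup-config")
    lines.append(f"boot image {reg.image}" if reg.image else "no image selected")
    return lines


def password_recovery_value(current: int) -> int:
    """Register to set from ROMMON for recovery: keep every other field, add 'ignore startup-config'."""
    return encode(replace(decode(current), ignore_startup=True))


def restore_value(recovered: int) -> int:
    """Value to put back with config-register afterwards so startup-config is honoured again."""
    return encode(replace(decode(recovered), ignore_startup=False))


if __name__ == "__main__":
    for v in (ASA_DEFAULT, 0x41, 0x10051):
        print("\n".join(describe(v)), end="\n\n")
    print(f"recovery value for a default box: {password_recovery_value(ASA_DEFAULT):#x}")
```

Running it prints the field summary for 0x1, 0x41 and 0x10051 (countdown skipped, TFTP boot and ignore startup-config together), and shows that recovery on a default box means setting 0x41 and restoring 0x1 afterwards. The validation in decode() is what catches a typo like 0x21 before you commit it to NVRAM.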
Now there is, of course, more that we could discuss, but I'll keep this post short and let you take it and run. Have fun with it, play with the options, and PLEASE break something, just make sure you break it in the lab and not your production network! :)
-Regards
Brandon Carroll – CCIE #23837
Senior Technical Instructor – IPExpert
Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130

Thanks for the post. Playing around with a FIPS-bricked ASA 5505 due to a bug with new 8.3.2 code:
remove power
remove flash
add power
hit esc on bootup
yes to formatting flash etc.
confreg 0x40 "bypass startup config"
remove power
insert flash
add power
configure register 0x41
now you can recover a password even when the confreg was changed and password recovery disabled with FIPS mode enabled as well
:)
I believe the default config-register is 0x1, not 0x41 as your first output shows.
Thanks for the article!