Password Recovery

Password Recovery

Password recovery for a PIX Firewall is quite simple if you can get physical access to the device and know the version of the PIX OS. The actual steps depend on whether the unit has a floppy drive like the 520 model. This section looks at both the floppy disk models and the newer units.

Password recovery on the PIX Firewall units erases only the password, not the configuration. With PIX OS version 6.2, if Telnet or console AAA authentication is configured, the process will also prompt to remove these.

To perform password recovery, you must have a PC that can create a terminal session with the PIX device, such as HyperTerm, and a Cisco configuration cable kit. The router has to be down for about ten minutes. For firewalls with a floppy disk drive, a 3.5” floppy is required and, for newer firewalls, a PC running TFTP server is needed. If necessary, the TFTP server software can run on the console PC and the software can be downloaded from Cisco.

Before Getting Started

If this is the first time you’re performing password recovery on this device, use a web browser to go to and do a search on PIX Firewall password recovery. One of the first documents will have a title like “Cisco PIX 500 Series Firewalls: Password Recovery and AAA Configuration Recovery Procedure.” This document contains step-by-step instructions for password recovery, plus links to utilities that are required in the process.

To perform the password recovery procedure, you must have the PIX Password Lockout Utility appropriate for the PIX software release running on the device. The web document found in the last paragraph lists the lockout utility files and should include hyperlinks to download each one. At press time, the list looked like the following. Download the utility that matches the PIX OS of the device. The files are small, under 100K each.

nppix.bin (4.3 and earlier releases) np44.bin (4.4 release) np50.bin (5.0 release) np51.bin (5.1 release) np52.bin (5.2 release) np53.bin (5.3 release) np60.bin (6.0 release) np61.bin (6.1 release) np62.bin (6.2 release)

You’ll see two other files listed with download links. The rawrite exe file is only needed for PIX units with a floppy drive, and the TFTP Server Download Utility file is needed for all other PIX units. If another TFTP server is already available, it’s unnecessary to use this one.


If you haven’t already installed a TFTP server on your laptop, this isn’t a bad unit and it’s free. If I thought I might face this situation again in the near future, I’d download each of the utilities, the rawrite.exe, the TFTP software, and the PDF of this document, and put them all in a folder for future reference.

PIX Devices with a Floppy Drive

If the PIX unit has a floppy drive, perform the following steps. A 3.5” floppy disk is required. It will be formatted and unreadable by DOS/Windows when done.

  1. Place the 3.5” disk in the floppy drive. Note: Trying to direct the output to other media or a folder failed when I tried it.

  2. Execute the rawrite.exe file on your PC and answer the questions on the screen using the correct password recovery filename for the first question. Type a or the appropriate drive letter for the floppy for the second question. Pressing ENTER for the third question causes the floppy disk to be formatted and written to. The screen looked like the following:

    RaWrite 1.2 - Write disk file to raw floppy diskette
    Enter source file name: np62.bin
    Enter destination drive: a:
    Please insert a formatted diskette into drive A: and press -ENTER- :
  3. Start a console session with the PIX unit console port. Because you’re locked out, you should see a password prompt only.

  4. Insert the PIX Password Lockout Utility disk into the floppy drive of the PIX.

  5. Push the Reset button on the lower-left corner of the PIX front panel. The PIX will reboot from the floppy and print a message to the console. The message for 6.2 looked like this:

    Cisco Secure PIX Firewall BIOS (3.6)
    Booting Floppy
    Cisco Secure PIX Firewall floppy loader (3.0) #0: Wed Mar 27 11:02:14 PST 2002
    Reading installation media......
    Cisco Secure PIX Firewall password tool (3.0) #0: Wed Mar 27 11:02:16 PST 2002
    Flash=i28F640J5 @ 0x300
    BIOS Flash=AT29C257 @ 0xd8000
    Do you wish to erase the passwords? [yn] y
    The following lines will be removed from the configuration:
     ???????enable password toXbRG4.WPapU9O3 encrypted
     ? ???? passwd 2KFQnbNIdI.2KYOU encrypted
    Do you want to remove the commands listed above from the configuration? [yn] y
    Passwords and aaa commands have been erased.
  6. You’re prompted to answer two questions. Before answering y to both, eject the floppy disk because the system will reboot when you press ENTER for the second question.

    There should be no enable password. The Telnet password is cisco.

  7. In Configuration mode, use passwd new_password to create a new Telnet password and use enable password new_enable_password to create an enable password, and then save your changes with the write memory command.

PIX Devices Without a Floppy Drive

If the PIX device is a newer unit without a floppy drive, perform the following steps. In this process, you type a series of one-word commands, followed by an IP address or a filename. Look at Step four for the information you need.


I tried this on my 520 (with floppy and v6.2) and it wouldn’t respond to Step 3.

  1. Start a console session with the PIX unit console port. Because you’re locked out, you should only see a password prompt.

  2. Make sure the TFTP server is running and the appropriate Password Lockout Utility file was copied to the folder TFTP uses as its source.

  3. Power on the PIX Firewall and, as soon as the startup messages appear, send a BREAK character or press the ESC key. For Windows HyperTerminal, use CTRL+BREAK. You might have to do his several times. The monitor> prompt will indicate success.

  4. Make the following entries, pressing ENTER after each. The command is repeated or responded to on the next line.

    monitor> interface 1 ???? ? ? ? ??? ? ?? ? ? ?(PIX interface to TFTP)
    0: i8255X @ PCI(bus:0 dev:14 irq:10) 
    1: i8255X @ PCI(bus:0 dev:13 irq:11) 
    Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0002.b945.a23c 
    monitor> address ?? ??? ???? ? ? ?(PIX interface address)
    monitor> server ? ?? ? ? ?? ???? (TFTP server address)
    monitor> file np622.bin ? ??? ? ?? ?? ? ?? ? ?(PIX Lockout Utility)
    file pix622.bin 
    monitor> ping ? ? ?? ?? ??? ?? ??(Test connectivity to TFTP)
    Sending 5, 100-byte 0xcde2 ICMP Echoes to, timeout is 4 seconds: 
    Success rate is 100 percent (5/5) 
    monitor> tftp ? ?? ? ?? ?? ??? ??? ? ???? ? ??(starts TFTP copy)
    Do you wish to erase the passwords? [yn] y ? ?(removes passwords)
    Passwords have been erased.
  5. With PIX OS v 6.2, if AAA authentication Telnet or console commands are set, the system will also prompt to remove those.

    There should be no enable password. The telnet password is cisco.

  6. In Configuration mode, use passwd new_password to create a new Telnet password and use enable password new_enable_password to create an enable password, and then save your changes with the write memory command.

Part III: Virtual Private Networks (VPNs)