Let’s consider an example as shown on diagram below: configure R1 as an easy VPN Remote and configure R2 as an easy VPN Server and force the traffic to flow via the VPN Tunnel between the Loopback interfaces.

Before starting the Easy VPN configuration, check the connectivity between the Loopback interfaces. For simplicity I configured default route on both routers to each other.

Now let’s start configuration. First of all configure R2 as Easy VPN Server.

R2 Configuration

!enable AAA  new-model
aaa new-model

! enable local authentication method list  with name userauthen for X-AUTH
aaa authentication login userauthen local

! enable local authorization  method  list  with name groupauthor for X-AUTH
aaa authorization network groupauthor local

!create username, by which authorization of Easy VPN Remote will occur later.
username cisco password 0 cisco123

!create ISAKMP PHASE #1 Negotiation
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

!Create group with pre-shared key for IKE authentication. Save-password Feature allows Remote to save password.
crypto isakmp client configuration group vpngrp
key cisco123
save-password

!create IPSEC Transform-set for DATA Encryption
crypto ipsec transform-set TS esp-3des esp-sha-hmac

!Create Dynamic-map , which will be used to crypto-map later.
crypto dynamic-map dynmap 10
set transform-set myset

! Create crypto map, which will be used to AAA authentication, authorization lists and also in dynamic-crypto map.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!Now attach the crypto-map to outside interface.
interface FastEthernet0/0crypto map clientmap

By this, easy vpn server configuration is completed. Now let’s start Remote configuration. Configuration is almost similar to the Cisco Easy VPN Client configuration.

R1 Configuration

! Create VPN Profile.
crypto ipsec client ezvpn ez

! Connect automatically to Easy VPN Server. If we don’t do this, then we’ll have to connect manually to Easy VPN server every time the network is down.
connect auto

! Easy VPN group username and password, which are created on server.
group vpngrp key cisco123

!Indicate Mode as network-extension.
mode network-extension

!Indicate the IP address of Easy VPN Server.
peer 192.168.2.2

! Use Username and password saved in profile for connecting to Easy VPN Server.
xauth userid mode local

! Save user and password in Profile.
username cisco password cisco123

! Determine Inside interface. Inside and outside interfaces must be determined on Easy VPN Remote.
interface Loopback0
ip address 10.12.130.1 255.255.255.255
crypto ipsec client ezvpn ez inside
!

interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
crypto ipsec client ezvpn ez outside

Both sites are completed now, so let’s do some testing:

R2#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.2.1 192.168.2.2   QM_IDLE           1008    0 ACTIVE

R2#show crypto ipsec sa

interface: Fastethernet 0/0

Crypto map tag: clientmap, local addr 192.168.2.2

protected vrf: (none)
local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.12.130.1/255.255.255.255/0/0)
current_peer 192.168.2.1 port 500
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Some things to consider:

• USB interfaces are supported from IOS release 12.3 (14) T IP Base and later.
• All ISR and ISR G2 routers support USB flash drives.
• Devices that have 2 USB ports, can use both USB memory sticks simultaneously.
• You can use a USB extension cable; however USB hubs are not supported.
• The IOS version supported on the router is independent of the type of USB (i.e doesn’t matter if USB is version 1.1 or 2). The older ISRs use USB type 1.1 while the newest ISR machines use USB 2.0 types.
• After inserting the USB flash memory into the corresponding port, the IOS software automatically recognizes it and generates a message on the console as shown below:

Mar 10 09:10:20.251: %USBFLASH-5-CHANGE: usbflash1 has-been inserted!

• These routers also support the use of eTokens from Aladdin (security USB tokens).
• The USB can be used to store and read both IOS images and configuration files.
• The files stored on USB sticks are not encrypted.
• Officially, Cisco routers support only USB devices from Cisco. However, it is possible to use any USB memory stick which does not require installation of specific drivers.
• The only format supported by IOS is FAT16. NTFS file format on the USB drive is not supported yet.
• USB flash drives can be formatted from IOS before being used.

How to format a USB drive from IOS

The formatting process is relatively simple using IOS:

Router # format ?
flash: Filesystem to be formatted
usbflash1: Filesystem to be formatted

Router # format usbflash1:

Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in “usbflash1:”.  Continue? [confirm]
Format: Drive communication & 1st Sector Write OK…

Format: All system sectors written. OK…
Format: Total data sectors in formatted partition: 8191435
Format: Total data bytes in formatted partition: -100952576
Format: Operation completed successfully.

Format of usbflash1 complete

From this point the USB flash drive can be used with all file system commands in the Cisco IOS.

However, it may happen that for various reasons the operating system image may not be available, maybe due to file corruption, flash memory corruption, accidental deletion, etc. In this case the device does not have a valid image to load and therefore the router boots into ROM monitor mode (rommon). This mode gives a reduced set of commands that essentially allow the administrator to manually run the boot sequence.

For such cases, and using commands in the ROMMON mode, the Cisco ISR routers have 1 or 2 USB ports that can be used to load the IOS image from a USB flash drive.

How to Boot from USB

The obvious prerequisite of this procedure is to have a valid IOS image, which is suitable for the device you want to put into operation, stored on a USB flash drive. Once we have this resource, we must enter into ROM Monitor mode (rommon). If the device did not have a valid IOS image in the internal flash memory, it will go directly in that mode. If not, we can force entry into rommon mode by interrupting the boot sequence using “Ctrl + Break”.

From this point, we can see the rommon mode prompt:

rommon 1>

In this mode we can see the list of available commands using the question mark or help command:

rommon 1>?
or
rommon 1> help

Then we can check our image stored on USB flash drive:

rommon 2> dir usbflash0:
program load complete, entry point: 0x8000f000, size: 0x3d240
Directory of usbflash0:
2 …… 14871760-… ..- rw-ipbase c2800nm-mz.124-3.bin

Note: The command is dir usbflashx: where x assumes a value of 0 or 1 depending on which USB port of the router you are using.

Then run the command that orders the router to boot from the image stored on USB flash:

rommon 3> boot usbflash0: c2800nm-ipbase-mz.124-3.bin
program load complete, entry point: 0x8000f000, size: 0x3d240
program load complete, entry point: 0x8000f000, size: 0xe2eb30
Self decompressing the image:
################################################## ########################################
################################################## ############# [OK]

Once the router has booted up, you can now work with the normal IOS command line interface. You can copy the image we have in our USB flash into the internal router’s flash memory:

Router> enable
Router # copy usbflash0: c2800nm-ipbase-mz.124-3.bin flash: c2800nm-ipbase-mz.124-3.bin

From now on, the router will be booting up from the internal flash memory.

In this post I will try to illustrate static routing using a small network scenario (see picture below) and explain also some other issues related with ICMP Redirects and Cisco ASA firewall.

Network Description

From the example network above, we have a Cisco ASA firewall (ASA1) protecting our internal networks from the Internet. LAN1 is a Class C network subnet (10.1.1.0/24) which has user computers connected (this might be the headquarters LAN of the Enterprise). There is also a Router (R1) serving as a WAN router to connect a distant remote office over a WAN link.

At the other side of the WAN link we have R2 which serves as the Hub router having two spokes (R3, R4). There are also two more LAN networks with user computers (LAN2 connected to R3 and LAN3 connected to R4).

The IP addresses assigned to the network are as following:

ASA1 Internal IP: 10.1.1.254

R1 IP on LAN1 network: 10.1.1.253
R1 IP on the WAN link: 192.168.1.1

R2 IP on the WAN link: 192.168.1.2
R2 IP connected with R3: 192.168.2.2
R2 IP connected with R4: 192.168.3.2

R3 IP connected with R2: 192.168.2.1
R3 IP on LAN2 network: 10.2.1.254

R4 IP connected with R2: 192.168.3.1
R4 IP on LAN3 network: 10.2.2.254

LAN1 network: 10.1.1.0/24
LAN2 network: 10.2.1.0/24
LAN3 network: 10.2.2.0/24

Traffic Flow Requirements

We need to have the following communication between networks:

• LAN1 computers need to access the Internet through the ASA and also must be able to communicate with users and servers on LAN2 and LAN3.
• LAN1 users should be able to communicate also with “transit subnets” for troubleshooting and management purposes (“transit subnets” are the point-to-point networks connecting routers between them). These “transit subnets” are 192.168.1.0/30, 192.168.2.0/30, 192.168.3.0/30.
• LAN2 and LAN3 computers need to access the Internet through the ASA and also must be able to communicate with LAN1 network.

Configuration of Static Routing

The intention of this article is to explain static routing only, so I will not get into the full configuration details of all devices in the network. I will just show snippets of commands for static routes.

The general format of a static route command on a Cisco router is:

Router(config)# ip route [destination network] [mask] [gateway address]

The command above tells the router the following information: “if you want to send a packet to the following “destination network”, then send it to this “gateway address”.

The format of a static route command on a Cisco ASA firewall is:

ASA(config)# route [interface name] [destination network] [mask] [gateway]

Now let’s see the commands needed for each router. It’s more convenient to start from the bottom up:

Router R3:

R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2

We just need a default route on this router to send ALL traffic towards R2 gateway address (192.168.2.2).

Router R4:

R4(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.2

Similar with R3, we just need a default route on this router to send ALL traffic towards R2 gateway address (192.168.3.2).

Router R2:

! Default route
R2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Static routes to reach LAN2 and LAN3
R2(config)# ip route 10.2.1.0 255.255.255.0 192.168.2.1
R2(config)# ip route 10.2.2.0 255.255.255.0 192.168.3.1

This is a little tricky. We need both a default route (to send all upwards traffic, including traffic to the Internet, towards R1) and also we need two specific static routes to reach LAN2 and LAN3 network. The two specific static routes (two last lines) are needed for the reply packets from LAN2 and LAN3 and also for LAN1 to be able to reach LAN2/LAN3.

Router R1:

! Default Route towards ASA for Internet Traffic
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.254

! Static routes to reach LAN2 and LAN3
R1(config)# ip route 10.2.1.0 255.255.255.0 192.168.1.2
R1(config)# ip route 10.2.2.0 255.255.255.0 192.168.1.2

! Static routes to reach transit point-to-point networks
R1(config)# ip route 192.168.2.0 255.255.255.252 192.168.1.2
R1(config)# ip route 192.168.3.0 255.255.255.252 192.168.1.2

Firewall ASA1:

ASA1(config)# route outside 0.0.0.0 0.0.0.0 [asa gateway IP]

! Static routes to reach LAN2 and LAN3
ASA1(config)# route inside 10.2.1.0 255.255.255.0 10.1.1.253
ASA1(config)# route inside 10.2.2.0 255.255.255.0 10.1.1.253

The ASA will need a default route towards its default gateway IP (assigned by the ISP), and also two static routes to reach the distant LAN2 and LAN3 networks. You DO NOT need a static route for LAN1 network because it is directly connected to the ASA.

Default Gateway for LAN1 computers

As we said before, one of the traffic flow requirements was to access LAN2 and LAN3 networks from LAN1 computers. If I ask you what should be the default gateway address configured on LAN1 computers, most of you would answer “The ASA internal address 10.1.1.254”. However, this is WRONG. Let me explain why.

Assume you configure the default gateway address for LAN1 hosts to be the ASA address 10.1.1.254. If HostA on LAN1 wants to send traffic to the Internet, then it will send it to its default gateway address (ASA firewall) which will forward the packet to the Internet. So far so good.

However, if HostA wants to send traffic to LAN2 or LAN3 hosts, it will again send the traffic to the ASA which is supposed to send an ICMP Redirect to HostA and tell him “hey, you should really be using 10.1.1.253 to get to LAN2 or LAN3”. However, the Cisco ASA is NOT ABLE to send an ICMP Redirect like it should. Therefore, HostA will never be able to communicate with LAN2/LAN3. If the ASA was a router instead, everything would work fine because routers actually are able to send ICMP Redirects.

So, the correct answer is to configure all hosts on LAN1 network to have Default Gateway address the IP of R1 (10.1.1.253). This way, they will be able to access both the Internet and the other internal LAN networks (LAN2/LAN3).

For any questions or comments please fill out the comment form below.

Configuring Ethernet or Fast Ethernet Interfaces
Router> enable
Router # config terminal

! enter the interface configuration submode
Router(config) # interface fastethernet 0/0

! IP configured on the interface
Router(config-if) # ip address 10.1.10.1 255.255.255.0

!bring the interface up
Router (config-if) # no shutdown
Router (config-if) # description lan (assign a name to the interface)
Router (config-if) # exit
Router (config) #

* Note that the interface naming can be different. Examples are FastEthernet, Ethernet, GigabitEthernet etc. Also, the interface numbering varies from router to router, such as 0, 1, 0/0 0/1, etc.

Configuring DTE Serial Interfaces
Note that DTE serial interfaces receive clock from the Serial WAN modem.

Router> enable
Router# config terminal

! enter the interface configuration submode
Router (config) # interface serial 0/0

Router (config-if) # ip address 172.16.1.1 255.255.255.252
Router (config-if) # no shutdown
Router (config-if) # description WAN Network (assign a name to the interface)
Router (config-if) # exit
Router (config) #

* Note that the interface numbering can be 0, 1, 0/0 0/1, etc. This varies by router.

Configuring DCE Serial Interfaces
Note that DCE serial interfaces provide clock to the connected device on the interface.

Router> enable
Router# config terminal
Router(config) # interface serial 0 / 1
Router(config-if) # ip address 10.1.1.1 255.255.255.0

!configure the clock rate that will be provided by the router
Router(config-if) # clock rate 128000
Router(config-if) # no shutdown
Router(config-if) # description WAN Network (assign a name to the interface)
Router(config-if) # exit
Router(config) #

* Note that the interface number can be 0, 1, 0/0 0/1, etc. This varies by router model.

If the attack contains thousands of non-legitimate connections to initiate TCP communication (SYN packets) towards a single host, the target host gets overloaded from the requested connections because the three-way TCP handshake does not get completed (because these TCP connections have unreachable return addresses, the connections cannot be established).  The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests. The above attack is also called SYN Attack.

TCP Intercept is a feature on routers used to prevent and mitigate TCP SYN-flooding attacks by monitoring the rate of SYN packets and intervening inside the TCP communication whenever necessary in order to reduce the number of incomplete TCP connections.

There are two modes for TCP Intercept: “Intercept Mode” and “Watch Mode”.

Intercept Mode

The most “invasive” mode is “Intercept Mode”. The router establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. This means that if the connection is legitimate, it will reach the server with no problem. If the connection is from a non-legitimate client, the half-open connection will be dropped by the router. This mode consumes a lot of memory and CPU on the router.

Watch Mode

We recommend using the “Watch Mode” instead of the “Intercept Mode”.  In Watch Mode, the router passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

Configuration of TCP Intercept

On router connecting the host under attack, configure the following (assume target host under attack is 1.1.1.1):

Router(config)# access-list 101 permit tcp any host 1.1.1.1
Router(config)# ip tcp intercept mode watch
Router(config)# ip tcp intercept list 101

The above configuration will watch the TCP SYN packets towards host 1.1.1.1. If the SYN packets exceed a certain default value, the router starts to close incomplete TCP connections. Specifically, if the number of incomplete connections exceed 1,100, or the number of connections arriving in the last one-minute period exceed 1,100, each new arriving connection causes the oldest partial connection (or a random connection) to be deleted. These are the default values, which can be altered.

However, when a device learns routing information from different sources (eg static routes or using different protocols) Cisco IOS allows the information learned from a specific source to be published to other devices using a different protocol. For example, a route learned through RIP can be advertised to other devices using OSPF. This is what is called “redistribution” of routes: Using a routing protocol to advertise routes that are learned through other means (other protocol, static routes or directly connected). To configure route redistribution some rules must be in place:

• The redistributed route must be present in the routing table.
• The redistributed route will be received by the neighbouring device with a new metric as configured by the redistributing router.

What is it used for?

In principle it is desirable that a network should use a single routing protocol. However, in some cases we may require the use of redistribution: two companies merged, different departments of a company managed by different teams, multi-vendor environments, migration, etc. When addressing a redistribution of routes scenario we should take into account particular aspects of routing: different metrics, administrative distance of each protocol, the capabilities of classful and classless routing, and network topology.

Metrics

Each routing protocol uses a different metric. This causes the routes redistributed to lose the original metric of the protocol and the metric is redefined in terms of the new protocol. For example, if an OSPF route is redistributed with a metric of 1642 in RIP, RIP metric uses number of hops (between 1 and 15). So you must change the metric before redistributing to RIP.

The metric with which a protocol receives the routes learned by another metric is called seed metric.
Each protocol uses a default seed metric:

RIP – default seed metric: infinity.
EIGRP – default seed metric: infinity.
OSPF – default seed metric: 20.
The default seed metric can also be modified using the “default metric” command.

The basic commands
When you configure redistribution of protocols, you should indicate how to redistribute routing information, and how we want to measure these routes (metric) when they are redistributed. If we do not indicate anything, the routes are redistributed with the default metric.

Router (config) # router rip
Router (config-router) # network 129.100.0.0
Router (config-router) # redistribute ospf 1 metric 2

In this example we tell the router to redistribute routing information into RIP when learned through the OSPF process 1 which is in the routing table, with a metric of 2 hops.

Redistribution in EIGRP
To redistribute routing information into EIGRP, it should be noted that the default metric is infinite. Therefore, if you do not specify metric for redistributed routes, they will not appear in the routing table of the neighbouring device.

Furthermore, by defining the metric it should be noted: bandwidth, delay, reliability, load and MTU.

An example:

Router (config) # router eigrp 100
Router (config-router) # redistribute static
Router (config-router) # redistribute rip
Router (config-router) # default-metric 10000 100 255 1 1500

Redistribution in OSPF

The default metric used by OSPF is 20, so it does not require us to specify a metric for the route learned by the adjacent devices. However, when there are multiple subnets on the same network and you want to publish routes for each subnet, you must configure a metric otherwise OSPF will summarize all subnets in the class boundary and publish a single route.

An example:

Router (config) # router ospf 1
Router (config-router) # redistribute static metric 200 subnets
Router (config-router) # redistribute eigrp 100 metric 500 subnets

RIP redistribution

Like EIGRP, RIP redistributes the protocols using a default metric of infinity, so it is necessary to specify a different metric in order for the neighbour router to incorporate the routing information in its table.

An example:

Router (config) # router rip
Router (config-router) # redistribute static metric 1
Router (config-router) # redistribute ospf 1 metric 2

In Service Provider networks one of the main concerns of network administrators is to protect the networking infrastructure from Denial of Service attacks. These DoS attacks are actually the most serious and popular security threat against Service Providers. Botnets are frequently the main source of such attacks. ICMP flooding, UDP flooding, spoofed addresses DoS, SYN attacks etc are a few examples of DoS or DDos (Distributed Denial of Service) attacks. Fortunately the Cisco 7600 router has many robust features and mechanisms to protect itself from such attacks.

In the company that I work (Service Provider) we have already implemented several security protection features on 7600 which are really effective against DoS attacks. A summary of the DoS protection mechanisms on 7600 follows below:

• Security Access Control Lists (ACL): Applied on interfaces to block traffic at Layer3/4 layers.
• QoS Rate Limiting: Using class-maps and policy-maps you can apply rate limiting to specific type of traffic (e.g ICMP)
• uRPF (unicast Reverse Path Forwarding): protects against spoofing attacks.
• Traffic Storm Control: Protects against broadcast storm attacks.
• TCP Intercept: Protects against SYN attacks.
• Hardware-Based Rate Limiters: Work on PFC3 engines. These rate limiters protect the MSFC routing engine from various packets that can overload its CPU (configured with the mls rate-limit command)
• Control Plane Policing (CoPP)::Again used for protection of the MSFC routing engine by applying rate limiting to packets that flow from the data plane to the control plane.

Of course in addition to the above you must not forget other important security mechanisms such as strong password policy, proper Authentication and Accounting, logging, SNMP security, Routing Protocols security (MD5 authentication in OSPF, BGP etc) etc. All of these technical issues must be based on a thorough and carefully written security policy.

In a Local Area Network (LAN), all hosts (PC, Servers etc) have a single default gateway address configured which is used to route packets outside the LAN. If that single default gateway fails, then communication outside the LAN is not possible. With HSRP we can have two gateway routers, one active and one standby, which will provide resiliency regarding the default gateway address. Using HSRP, the two routers will have a physical IP address configured on their LAN-facing interface, but they will have also a Virtual (HSRP address) which will be used as the default gateway address for hosts on the LAN. No matter which router gateway is up and running (either the primary or the secondary), the virtual HSRP address will stay the same.

Let’s see a diagram below to explain this functionality.

First of all, HSRP must be configured between interfaces that have Layer2 connectivity between them. From the diagram above, HSRP will be running between interfaces FE0/1 on the two LAN routers. Interface FE0/1 on RTR-A will have a physical IP address 10.10.10.1 and interface FE0/1 on RTR-B will have a physical IP address 10.10.10.2. An HSRP address 10.10.10.3 will be also configured on both routers. This address will serve as the default gateway address for all hosts on the LAN. RTR-A will be configured as the Active HSRP router by setting a higher hsrp priority.

With HSRP, we can also track a specific interface. This means that if the tracked interface of the active router fails, then HSRP will trigger a failover to the standby router.

Let’s see an actual configuration below:

Configuration

Router RTR-A
RTR-A(config)# int fa0/1
RTR-A(config-if)# ip address 10.10.10.1 255.255.255.0

! enable HSRP group 1 and set the virtual address to 10.10.10.3
RTR-A(config-if)# standby 1 ip 10.10.10.3

! preempt allows the router to become the active router when its priority is higher
RTR-A(config-if)# standby 1 preempt

! increase its priority to 110 to make it active (default priority  is 100)
RTR-A(config-if)# standby 1 priority 110

! track the WAN interface FE0/0
RTR-A(config-if)# standby 1 track fa0/0

Router RTR-B
RTR-B(config)# int fa0/1
RTR-B(config-if)# ip address 10.10.10.2 255.255.255.0

! enable HSRP group 1 and set the virtual address to 10.10.10.3
RTR-B(config-if)# standby 1 ip 10.10.10.3

! preempt allows the router to become the active router when its priority is higher
RTR-B(config-if)# standby 1 preempt

! set priority to 100 to make it the standby router (this is the default value)
RTR-B(config-if)# standby 1 priority 100

! track the WAN interface FE0/0
RTR-B(config-if)# standby 1 track fa0/0

That’s it. Now configure a default gateway address of 10.10.10.3 for your LAN hosts.

The following procedure is applicable for virtually any Cisco router, such as 800, 2600, 3600, 1800,2800,3800 etc.

Step1: 
Connect to the router with a serial console cable and open your terminal emulation software (I personally use secureCRT). Use the normal terminal settings (9600 baud, no parity, 8 data bits, 1 stop bit, no flow control). After that, you should get the command prompt.

Step2:
Now you have to power OFF the router from the power switch. Get ready on your keyboard and turn the power switch to ON. Immediately press the CTRL+BREAK keys on your keyboard several times until the router goes into ROMMON mode. You will see the rommon 1> prompt on your terminal window.

Step3:
Now you need to change the configuration register of your router. This register is responsible to control several boot-up and hardware parameters on the device. The normal value of this register is 0×2102. We will need to change it to 0×2142. This new value tells the router to bypass the startup-configuration (where the password is stored) and boot with the factory default configuration (i.e no password request).

At the rommon prompt type the following:

rommon 1> confreg 0×2142
rommon 2> reset

The “reset” command will reboot the device.

Step4:
After the router reboots, it will ignore the startup configuration and will behave like the very first time that you switched on the device. It will therefore run the initial setup script. Type “no” at the setup request or press “Ctrl-C” to terminate the initial setup procedure.

Step5:
Now you will get the Router> prompt. Type “enable” to get into privilege mode.

Router> enable
Router#  

Step6:
Now we need to load the “Startup-Config” into the “Running-Config”.

Router# copy startup-config running-config

IMPORTANT: DO NOT copy the running config into the startup config because now the running config is basically empty (factory default) so it will erase all of your startup config.

Step7:
Now we are ready to change our passwords. Change the enable password as below.

Router#config t
Router(config)# enable secret newpassword

Step8:
Another important step now is to change the configuration register back to its normal value which is 0×2102

Router(config)#config-register 0×2102

Step9:
Now save the configuration and reboot.

Router(config)#exit
Router# write
Router# reload

Step10:
After the router boots up, log on with your new password and enable all interfaces (using “no shutdown”) because during the recovery procedure the interfaces get shut down.
 
What we have done in the above 10 steps is that we bypassed the original configuration that has the forgotten password, and then we got to the privileged mode without the need to know the password. Then we loaded the original configuration into RAM (so we don’t loose it) and imposed a new password and saved things back to the NVRAM. And then we got back to the original boot sequence.