Networks Training

Cisco ASA Master PassPhrase (How to Show Encrypted Password)

Written By Harris Andrea

There are several configuration features on Cisco ASA that require some sort of password or secret-key that you need to enter. Some examples include:

  • VPN pre-shared keys (either for site-to-site IPSEC VPN or for Remote Access).
  • AAA server secret key when communicating with a RADIUS server.
  • Routing Protocols keys (for OSPF, EIGRP).
  • Secret key for failover communication.
  • Password to communicate with a Log Server.
  • VPN Load Balancing key
  • Etc

All of the above are masked with asterisks when you view the running configuration with “show run”, but that is only display masking: the values are NOT encrypted in the configuration file itself.

For example, if you copy the configuration to an external TFTP Server, all the above passwords and secret-keys will be shown as clear text in the configuration file.

Moreover, when you execute the command “more system:running-config” you will also be able to view the running configuration with all passwords as plain text.
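To see what is at risk before the master passphrase is enabled, the following added example (written for this article, not Cisco code and not an official tool) audits an exported ASA configuration, as produced by a TFTP copy or “more system:running-config”, and lists every shared secret that sits in the file in clear text. It also produces a redacted copy that is safe to paste into a ticket. The directive patterns are assumptions based on common ASA syntax for the secret types listed above, and the sample configuration is constructed. The script treats the “*****” that “show run” prints as masked-but-not-encrypted; it does not recognize the AES-encrypted form produced after “password encryption aes”, so run it against exports taken before the feature is turned on to see what would leak.

```python
"""
Audit an exported Cisco ASA configuration for shared secrets stored in
clear text. Added example for this article; not Cisco code. The directive
regexes are assumptions based on common ASA syntax and can be extended.
"""
import re
from typing import List, NamedTuple

# Constructed sample of what "copy running-config tftp:" or
# "more system:running-config" can contain before the master passphrase is
# set. Hostname, addresses and secrets are made up for the example.
SAMPLE_CONFIG = """\
hostname ASA
failover key fo-secret-123
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 ospf message-digest-key 1 md5 ospfmd5secret
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10
 key radiussharedsecret
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key sitetositepsk
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key *****
"""

# "show run" prints this token instead of a secret: display masking only.
MASK = "*****"

# Directives that carry a shared secret. Each regex captures the secret in
# the named group "secret". Assumed ASA syntax; extend as needed.
SECRET_DIRECTIVES = [
    ("vpn-pre-shared-key",
     re.compile(r"^\s*(?:ikev1\s+|ikev2\s+(?:remote|local)-authentication\s+)?"
                r"pre-shared-key\s+(?P<secret>\S+)")),
    ("aaa-server-key",          # "key <secret>" under an aaa-server host
     re.compile(r"^\s*key\s+(?P<secret>\S+)\s*$")),
    ("failover-key",            # "failover key [hex] <secret>"
     re.compile(r"^\s*failover\s+key\s+(?:hex\s+)?(?P<secret>\S+)")),
    ("ospf-md5-key",
     re.compile(r"^\s*ospf\s+message-digest-key\s+\d+\s+md5\s+(?P<secret>\S+)")),
    ("ospf-auth-key",
     re.compile(r"^\s*ospf\s+authentication-key\s+(?P<secret>\S+)")),
    ("eigrp-auth-key",          # "authentication key eigrp <as> <secret> key-id <n>"
     re.compile(r"^\s*authentication\s+key\s+eigrp\s+\d+\s+(?P<secret>\S+)")),
]


class Finding(NamedTuple):
    line_no: int
    directive: str
    state: str      # "plaintext" or "masked"
    text: str


def audit_config(config_text: str) -> List[Finding]:
    """Return one Finding per configuration line that carries a shared secret."""
    findings: List[Finding] = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for directive, pattern in SECRET_DIRECTIVES:
            match = pattern.match(line)
            if match is None:
                continue
            state = "masked" if match.group("secret") == MASK else "plaintext"
            findings.append(Finding(line_no, directive, state, line.strip()))
            break  # a line matches at most one directive


def_plaintext_doc = "Only the secrets that would leak if this file left the box."


def plaintext_findings(config_text: str) -> List[Finding]:
    """Only the secrets that would leak if this file were copied off the box."""
    return [f for f in audit_config(config_text) if f.state == "plaintext"]


def redact(config_text: str) -> str:
    """Copy of the config with every secret replaced by MASK (safe to share)."""
    out = []
    for line in config_text.splitlines():
        for _, pattern in SECRET_DIRECTIVES:
            match = pattern.match(line)
            if match is not None:
                start, end = match.span("secret")
                line = line[:start] + MASK + line[end:]
                break
        out.append(line)
    return "\n".join(out) + "\n"


def report(config_text: str) -> str:
    """Human-readable summary: one row per secret plus a clear-text count."""
    findings = audit_config(config_text)
    rows = [f"line {f.line_no:>3}  {f.state:<9}  {f.directive:<18}  {f.text}"
            for f in findings]
    exposed = sum(1 for f in findings if f.state == "plaintext")
    rows.append(f"{exposed} secret(s) stored in clear text")
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(text))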

If you want to store all the above passwords in encrypted format in the configuration file, you can use the “Master Passphrase” feature.


The master passphrase is a key that the ASA uses to AES-encrypt all such passwords and secret keys in the stored configuration, without changing how they work; the passphrase itself is not written into the configuration file. This feature is available from ASA version 8.3(1) and above.

Master Passphrase Password Encryption Configuration

1) Create the master passphrase. It must be between 8 and 128 characters long; any character except backspace and double quote is accepted.

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem

Notes:

  • Verify the result with “show password encryption”: it reports whether AES password encryption is enabled and shows a hash of the master key (never the key itself). After “write mem”, a copy of the configuration taken with TFTP or “more system:running-config” contains the encrypted values instead of the clear-text secrets.
  • The “key config-key password-encryption” command is accepted only over a secure session: the console, SSH, or ASDM over HTTPS. It is rejected over Telnet.
  • If a master passphrase is already configured and you set a new one, the ASA asks for the old passphrase before accepting the new one.
  • To remove the master passphrase, use “no key config-key password-encryption [current passphrase]”; the current passphrase is required here as well.
  • The encrypted values can only be decrypted by an ASA that has the same master passphrase. If you restore the configuration on a replacement unit, configure the identical master passphrase on it first.
  • If you lose the master passphrase there is no recovery path: you must erase the configuration with “write erase” and then “reload” the appliance. This removes the master passphrase, but it also removes the configuration that contains the encrypted passwords, so keep the passphrase in a secure store with the same care as the secrets it protects.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Bob Gies says

    February 22, 2013 at 5:37 pm

    Nice. I knew of the “more” command, but this is very helpful.
    thx
    bob
