ssh access to Cisco ASA 5505

To manage your ASA, it is highly recommended to set up and use ssh instead of telnet: telnet sends everything in clear text, while ssh is encrypted. You want ssh access especially if your device will have to be managed from the “outside” world. If this is the case, also choose a complex password and strong encryption.

To set up ssh access to your ASA, you need to configure it with the following:

  • password
  • enable password
  • user name and password (at least one), privilege is optional
  • domain (optional)
  • set up a specific inside/outside network/host with ssh access
  • set up the ssh timeout
  • generate your own cryptographic key

Here is an example capture of the above related commands:

IPfield-ASA5505# conf t
IPfield-ASA5505(config)# username cris password [--replace_with_your_own_pass--] privilege 15
IPfield-ASA5505(config)# password [--replace_with_your_own_pass--]
IPfield-ASA5505(config)# enable password [--replace_with_your_own_pass--]
IPfield-ASA5505(config)# domain-name IPfield.net
IPfield-ASA5505(config)# ssh 192.168.9.0 255.255.255.0 inside
IPfield-ASA5505(config)# ssh timeout 5
IPfield-ASA5505(config)# crypto key generate rsa modulus ?
configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  512   512 bits
  768   768 bits
IPfield-ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
IPfield-ASA5505(config)#
IPfield-ASA5505(config)# aaa authentication ssh console LOCAL
IPfield-ASA5505(config)# exit
IPfield-ASA5505# wr
Building configuration...
Cryptochecksum: b1e20832 c8fe4dbe 488a74cf 659f8c05
3058 bytes copied in 1.550 secs (3058 bytes/sec)
[OK]
IPfield-ASA5505#

Here are a few commands related to ssh access:

IPfield-ASA5505# sh crypto key  mypubkey rsa
[-- Key removed --]
IPfield-ASA5505# sh ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
192.168.9.0 255.255.255.0 inside
IPfield-ASA5505# sh ssh sessions
SID Client IP       Version Mode Encryption Hmac     State            Username
0   192.168.9.22    2.0     IN   aes256-cbc sha1     SessionStarted   cris
                            OUT  aes256-cbc sha1     SessionStarted   cris
IPfield-ASA5505#
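As an added example (not part of the original post), here is a small Python audit script that parses the output of "sh ssh" in the format shown above, together with a few running-config lines, and flags the weak settings this post warns about: ssh protocol version 1 still allowed, ssh permitted from any address (0.0.0.0 0.0.0.0) and in particular on the outside interface, a long idle timeout, telnet still enabled, and no "aaa authentication ssh console" line. The sample output and config lines are constructed to resemble the capture above (with two deliberately weak lines added); the 10-minute timeout threshold is an assumption, and "ssh version 2" is the ASA command that restricts the protocol to version 2.

```python
import ipaddress
import re

# Constructed sample "show ssh" output, modelled on the capture above, with an
# extra any-network "outside" entry added to exercise the checks.
SAMPLE_SHOW_SSH = """\
Timeout: 5 minutes
Versions allowed: 1 and 2
192.168.9.0 255.255.255.0 inside
0.0.0.0 0.0.0.0 outside
"""

# Constructed sample running-config lines (a telnet line is included on purpose).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
ssh 192.168.9.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
telnet 192.168.9.0 255.255.255.0 inside
"""

MAX_TIMEOUT_MINUTES = 10  # policy threshold; an assumption for this example

# "<address> <netmask> <interface>" lines as printed by "show ssh"
ACCESS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_show_ssh(text):
    """Return (timeout_minutes, set_of_versions, [(network, interface)])."""
    timeout, versions, entries = None, set(), []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Timeout:\s+(\d+)\s+minutes", line)
        if m:
            timeout = int(m.group(1))
            continue
        m = re.match(r"^Versions allowed:\s+(.*)$", line)
        if m:
            # "1 and 2" -> {"1", "2"}; "2" -> {"2"}
            versions = {v.strip() for v in m.group(1).split("and")}
            continue
        m = ACCESS_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, m.group(3)))
    return timeout, versions, entries


def audit_ssh(show_ssh_text, config_text):
    """Return a list of (severity, message) findings for the ssh management plane."""
    findings = []
    timeout, versions, entries = parse_show_ssh(show_ssh_text)

    if "1" in versions:
        findings.append(("HIGH", "ssh protocol version 1 is allowed; restrict with 'ssh version 2'"))
    if timeout is None:
        findings.append(("LOW", "no ssh idle timeout found in 'show ssh' output"))
    elif timeout > MAX_TIMEOUT_MINUTES:
        findings.append(("LOW", f"ssh idle timeout {timeout} min exceeds {MAX_TIMEOUT_MINUTES} min"))

    for net, iface in entries:
        if net.prefixlen == 0:
            sev = "HIGH" if iface == "outside" else "MEDIUM"
            findings.append((sev, f"ssh permitted from any address on '{iface}'; scope it to management hosts"))
        elif iface == "outside" and net.prefixlen < 32:
            findings.append(("MEDIUM", f"ssh on 'outside' allowed from whole network {net}; prefer specific hosts"))

    cfg_lines = [l.strip() for l in config_text.splitlines()]
    if not any(l.startswith("aaa authentication ssh console") for l in cfg_lines):
        findings.append(("HIGH", "missing 'aaa authentication ssh console'; ssh logins are not tied to the configured users"))
    for l in cfg_lines:
        if l.startswith("telnet ") and not l.startswith("telnet timeout"):
            findings.append(("HIGH", f"clear-text telnet access still enabled: '{l}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssh(SAMPLE_SHOW_SSH, SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample data it reports three HIGH findings (version 1 allowed, any-address ssh on outside, telnet enabled); feed it the real "sh ssh" and "sh run" output from your own ASA to check the settings after following the steps above.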

You may be facing the situation in which you need to remove a key: to replace it with a stronger one, or for some other customization.
The command to remove the existing RSA key pair (and, as the warning below says, any device certificates issued with it) is:

IPfield-ASA5505(config)# crypto key zeroize rsa

WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]:
