Cisco ASA: SSH access to ASA

Design & Configure

Configuration General (17)

Design Corner (7)

DevOps (6)

Enterprise Routing (26)

Enterprise Switching (26)

Enterprise WAN (15)

LAN Security (2)

Network Security (34)

Network Services (3)

SD-WAN (6)

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

You can access the ASA appliance in a few ways. One way is telnet and ssh to Cisco ASA. To activate ssh access to ASA you need to have at least:

username and password which will be used in the authentication process,
AAA lists definition that specifies the source of authentication – they can be retrieved from Radius server, TACACS+ server or LOCAL ASA database
Crypto key pair defined for encrypted traffic to work

One of the confusing elements for beginners is the console word. This is an old semantic (used always and has no meaning). So to enable telnet:

Define local username and password:
ASA#configure terminal ASA(config)#username username privilege 15 password some_password

Define AAA lists for ssh:

ASA(config)#aaa authentication ssh console LOCAL

Generate crypto key pair to use with SSH server:

ASA(config)#domain-name grandmetric.labs ASA(config)#crypto key generate rsa general-keys modulus 1024

In addition, you can set the allowed sources, and define on which interface ssh will be allowed:

ASA(config)#ssh 0.0.0.0 0.0.0.0 OUTSIDE

Hint: With ASA you can provide 0 0 which means 0.0.0.0 0.0.0.0, so the above line can be written as:

ASA(config)#ssh 0 0 OUTSIDE

Author: Marcin Bialy