Update: Securing Cisco ASA SSH server
Enabling SSH has been covered here but it only talked about routers and switches. How about Cisco ASA? Today, I had to learn how to do it using CLI and not ASDM since I couldn’t find where the equivalent of aaa authentication ssh console LOCAL and crypto key gen rsa mod 4096 in the ASDM. Since I am really new to Cisco ASA, I am not well-versed in issuing commands under CLI. If you are in a similar situation, I suggest to buy this book. Having said that, I’ve always used ASDM when checking out rules, NATs, and etc but I can understand some of the CLI config. Without further ado, here’s how to enable SSH on a Cisco ASA.
ASA-5505# conf t
ASA-5505 (config)# enable password password_here encrypted
ASA-5505 (config)# username user_here password password_here encrypted privilege 15
ASA-5505 (config)# aaa authentication ssh console LOCAL
ASA-5505 (config)# ssh 192.168.0.10 255.255.255.0 inside
! Obviously, you can add/change IPs that you want to allow SSH from.
ASA-5505 (config)# domain-name networkjutsu.com
ASA-5505 (config)# crypto key gen rsa mod 4096
ASA-5505 (config)# ssh version 2
ASA-5505 (config)# ssh key-exchange group dh-group14-sha1As you know, it is a good idea to enable SSH and disable Telnet. Since ASA does not enable SSH and/or Telnet by default, you have less to worry about. But if you have to choose between them, of course pick the SSH.
I hope this has been helpful and thank you for reading!
Want to learn more about ASA?
Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)
Cisco ASA for Accidental Administrators: An Illustrated Step-by-Step ASA Learning and Configuration Guide
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.
