Last year, I wrote a post about securing the Cisco IOS SSH server. It also makes sense to create one for Cisco ASA especially when my old post about enabling SSH on Cisco ASA was back in 2012. That blog post didn’t include the advanced configurations that will improve the security of the Cisco ASA SSH server. With this post, I’d like to share the minimum advanced SSH configurations that network engineers should consider adding to their ASA template.
Enabling AAA on Cisco routers and switches were covered a while back in this guide. As previously mentioned, I am quite new to Cisco ASAs since my old environment was pure routing and switching. Firewalls were handled by IT Security and the firewalls weren’t ASAs. Having said all of that, I enjoy playing with ASAs whenever I get a chance. A couple of days ago, I started teaching myself using the CLI since I’ve always used the ASDM for making changes. I occasionally use the CLI, but not heavily since I am still a newbie in using ASAs. If you are in the same situation as I am, one of the books that are very helpful for non-full time network security engineer is Cisco ASA for Accidental Administrators: An Illustrated Step-by-Step ASA Learning and Configuration Guide. I have no experience with this book so please read through the reviews to make sure it is the one you need.
As I was teaching myself on how to configure an ASA from scratch using CLI, I decided to play around with AAA since I need to get our production ASAs to communicate to our TACACS+ server anyway. After playing around with it and reading the AAA section of Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, I came up with a configuration that will be our standard when building ASAs.
Update: Securing Cisco ASA SSH server
Enabling SSH has been covered here but it only talked about routers and switches. How about Cisco ASA? Today, I had to learn how to do it using CLI and not ASDM since I couldn’t find where the equivalent of aaa authentication ssh console LOCAL and crypto key gen rsa mod 4096 in the ASDM. Since I am really new to Cisco ASA, I am not well-versed in issuing commands under CLI. If you are in a similar situation, I suggest to buy this book. Having said that, I’ve always used ASDM when checking out rules, NATs, and etc but I can understand some of the CLI config. Without further ado, here’s how to enable SSH on a Cisco ASA.