Last year, I wrote a post about securing the Cisco IOS SSH server. It also makes sense to create one for Cisco ASA especially when my old post about enabling SSH on Cisco ASA was back in 2012. That blog post didn’t include the advanced configurations that will improve the security of the Cisco ASA SSH server. With this post, I’d like to share the minimum advanced SSH configurations that network engineers should consider adding to their ASA template.
Enabling Cisco ASA SSH server
Before we can connect to our Cisco ASA via SSH, we need to have a checklist of things we need to configure.
- While it’s a good idea to have enable password configured, it is optional for SSH.
- You must have at least one user account locally.
- Configure ASA’s authentication method. The authentication method can be local, RADIUS, or TACACS+.
- Generate RSA key pair.
- Configure ACL to allow a specific IP address or range(s).
Setting enable password
My old post covered how to set enable password. It’s the same command on how to set the enable password, but in the newer ASA software, it uses PBKDF2 to encrypt the password compared to the MD5-based hash in older ASA software.
ASA5506(config)# enable password strongpasswordhere
ASA5506(config)# sh run | i enable password
enable password $sha512$5000$XEBAb1W7gNRdaxFbPHiF6A==$NlSiKyjZpreT3hbRL9gBsg== pbkdf2
Generating RSA keys
As covered in my old post, to enable SSH on the ASA, we’ll need to generate RSA key pair first. Current NIST recommendation is to use 2048-bit or above. In this post, I am going to use 4096-bit key pair.
ASA5506(config)# crypto key generate rsa modulus 4096
SSH Version
Configuring the Cisco ASA SSH server to accept only version 2 is best practice. The reason for this is because SSHv1 has vulnerabilities. That said, make sure to add this to your ASA template.
ASA5506# show ssh
Idle Timeout: 10 minutes Versions allowed: 1 and 2
<-- Output omitted -->
ASA5506# config t
ASA5506(config)# ssh version 2
ASA5506(config)# show ssh
Idle Timeout: 10 minutes Version allowed: 2
<-- Output omitted -->
SSH Encryption Algorithms
By default, it seems that the ASA’s encryption algorithm is configured to use the medium settings. Unfortunately, I cannot seem to verify it using the show run all command. However, the combination of show ssh and show ssh ciphers does the trick.
ASA5506# show ssh
Idle Timeout: 10 minutes
Versions allowed: 2
Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
<-- Output omitted -->
ASA5506# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
<-- Output omitted -->
The client and server negotiate the encryption algorithm. That said, it is possible that the client would pick a weaker cipher. To avoid that, we’re going to specify the use of a safer cipher. According to this thread, the use of EAX or GCM is preferable when available. If not, the use CTR over CBC mode. By specifying the encryption algorithm, we’re telling ASA to only offer the AES-256-CTR mode to any clients that try to connect to it.
Here’s the verbose output of my SSH to a Cisco ASA using the default SSH cipher encryption.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug2: ciphers ctos: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
<-- Output omitted -->
Let’s configure the ASA to only use AES256 CTR mode.
A5506(config)# ssh cipher encryption custom aes256-ctr ASA5506(config)# show ssh Idle Timeout: 10 minutes Version allowed: 2 Cipher encryption algorithms enabled: aes256-ctr Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96
Here’s the verbose output of my SSH connection to a Cisco ASA device using the SSH cipher encryption configuration mentioned above.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug2: ciphers ctos: aes256-ctr
debug2: ciphers stoc: aes256-ctr
<-- Output omitted -->
SSH Integrity Algorithm
By default, it seems that the ASA’s integrity algorithm is configured to use the medium settings. Unfortunately, I cannot seem to verify it using the show run all command. However, the combination of show ssh and show ssh ciphers does the trick.
ASA5506# show ssh
Idle Timeout: 10 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96
<-- Output omitted -->
ASA5506# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
<-- Output omitted -->
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
The default setting for the ASA SSH integrity algorithm is medium. Which means, it will accept both HMAC-SHA1 and HMAC-SHA1-96. The difference between the two algorithms is the digest length. The HMAC-SHA1-96 is a truncated message digest. From my limited understanding, the HMAC-SHA1-96 is the weakened version of HMAC-SHA1 due to the shortened message digest.
Here’s the verbose output of my SSH to a Cisco ASA using the default SSH integrity algorithm.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
<-- Output omitted -->
Let’s configure the ASA to only use HMAC-SHA1.
ASA5506(config)# ssh cipher integrity custom aes256-ctr
ASA5506(config)# show ssh
Idle Timeout: 10 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1
Here’s the verbose output of my SSH connection to a Cisco ASA device using the SSH integrity algorithm configuration mentioned above.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
<-- Output omitted -->
SSH Key Exchange
The ASA support two Diffie-Hellman key exchange methods and these are DH Group 1 (768-bit) and DH Group 14 (2048-bit). By default, the ASA is set to use Diffie-Hellman Group 1. Unfortunately, this is below what NIST recommends to use in this day and age.
Here’s a Cisco ASA with default SSH key exchange configuration. I issued the no ssh key-exchange to be sure.
ASA5506(config)# no ssh key-exchange
ASA5506(config)# sh run all | i ssh key-exchange
ssh key-exchange group dh-group1-sha1
Here’s the verbose output of my SSH connection to a Cisco ASA using the default SSH key exchange.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
<-- Output omitted -->
Let’s configure the ASA to use DH Group 14.
ASA5506(config)# ssh key-exchange group dh-group14-sha1
Here’s the verbose output of my SSH connection to the Cisco ASA after changing the key exchange method.
Mac-mini:~ networkjutsu$ ssh -vvv ASA5506
OpenSSH_7.6p1, LibreSSL 2.6.2
<-- Output omitted -->
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
<-- Output omitted -->
SSH ACL
Restricting remote management to a certain IP address is a best practice. It is also required to add the ACL, or we won’t be able to access the Cisco ASA via SSH. That said, I included the command here.
ssh 192.168.1.0 255.255.255.0 management
Final Words
All of the configurations covered here are what I’d say minimum security standard for all Cisco ASA devices. It is, after all, a network security device, so it is a must to secure it properly. Though this post is just a small part of protecting the management plane and network engineers must incorporate other security configurations.
Are you ready to improve your network security?
Let us answer more questions by contacting us. We’re here to listen and provide solutions that are right for you.
NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.
Want to learn more about ASA?
Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)
Cisco ASA for Accidental Administrators: An Illustrated Step-by-Step ASA Learning and Configuration Guide
Disclosure
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.