- July
Posted By : Gom Jabbar
Cisco ASA Device Management – SSH

“Cignoro hrobosa sukares hin mange la pchagavas doi me kamavas na beslas lele pal hrobas!”

It was the man to their right calling out across the basin.

To Paul, the words were gibberish, but out of her Bene Gesserit training, Jessica recognized the speech. It was Chakobsa, one of the ancient hunting languages, and the man above them was saying that perhaps these were the strangers they sought.

Frank Herbert

For the same tactical reason that military commands should not be revealed to your opponent, management connections to the Cisco ASA should be secured. This can be done either by encrypting the management traffic over an unsecured network, or by using a protected, out-of-band connection.

The ASA is the guardian to your network, and all commands sent to it should be protected from snooping. If an attacker can eavesdrop on an administrator’s session, they may be able to see what is being configured, or perhaps snaffle the administrator’s username and password. In that case, the ASA is compromised. (See here for an administrator’s plaintext Telnet session intercepted by a packet sniffer.)

Unlike Telnet, SSH provides data confidentiality as well as authentication. For SSH management sessions, the Cisco ASA supports:

  • Both SSH version 1 and SSH version 2
  • 3DES and AES for data encryption
  • HMAC-SHA and HMAC-MD5 for integrity
  • RSA for host authentication
  • Diffie-Hellman Group 1 for key exchange

The default SSH config on the Cisco ASA can be seen with a show run or a show ssh. Management access to the ASA via SSH is disabled by default. The default config only specifies the timeout and versions, as seen with a show ssh:

ciscoasa# sh ssh
Timeout: 5 minutes
Versions allowed: 1 and 2

To enable SSH management access on the Cisco ASA:

  1. Generate a RSA keypair
    ciscoasa# con t
    ciscoasa(config)# crypto key generate rsa
    INFO: The name for the keys will be:
    Keypair generation process begin. Please wait...
  2. Specify the hosts that are allowed to SSH into the ASA and the interface that they will use to connect
    ciscoasa(config)# ssh outside

    Now you can login to the ASA via SSH by using the default username pix and the default password cisco.

  3. (Optional but recommended) If you do not want to use the default password, change the password with the  password command. This will set the password for Telnet and SSH connections to the ASA. For example, to set the password to “atreides”:
    ciscoasa(config)# password atreides
  4. (Optional but recommended) Enable authentication for SSH. Otherwise, create a local user.
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# username duncan password distrans

    The aaa authentication ssh console LOCAL command overrides the password set via the password command.

Additional Information:

Password command in the Cisco ASA 8.4 Command Reference.

Ssh command in the Cisco ASA 8.4 Command Reference.

Show ssh command in the Cisco ASA 8.4 Command Reference.

Show run command in the Cisco ASA 8.4 Command Reference.

Aaa authentication console command in the Cisco ASA 8.4 Command Reference.

Username command in the Cisco ASA 8.4 Command Reference.