Cisco ASA Device Management – SSH

- July

2011

Posted By : Gom Jabbar

“Cignoro hrobosa sukares hin mange la pchagavas doi me kamavas na beslas lele pal hrobas!”

It was the man to their right calling out across the basin.

To Paul, the words were gibberish, but out of her Bene Gesserit training, Jessica recognized the speech. It was Chakobsa, one of the ancient hunting languages, and the man above them was saying that perhaps these were the strangers they sought.

Dune
Frank Herbert

For the same tactical reason that military commands should not be revealed to your opponent, management connections to the Cisco ASA should be secured. This can be done either by encrypting the management traffic over an unsecured network, or by using a protected, out-of-band connection.

The ASA is the guardian to your network, and all commands sent to it should be protected from snooping. If an attacker can eavesdrop on an administrator’s session, they may be able to see what is being configured, or perhaps snaffle the administrator’s username and password. In that case, the ASA is compromised. (See here for an administrator’s plaintext Telnet session intercepted by a packet sniffer.)

Unlike Telnet, SSH provides data confidentiality as well as authentication. For SSH management sessions, the Cisco ASA supports:

Both SSH version 1 and SSH version 2
3DES and AES for data encryption
HMAC-SHA and HMAC-MD5 for integrity
RSA for host authentication
Diffie-Hellman Group 1 for key exchange

The default SSH config on the Cisco ASA can be seen with a show run or a show ssh. Management access to the ASA via SSH is disabled by default. The default config only specifies the timeout and versions, as seen with a show ssh:

ciscoasa# sh ssh
Timeout: 5 minutes
Versions allowed: 1 and 2

To enable SSH management access on the Cisco ASA:

Generate a RSA keypair

ciscoasa# con t
ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...

Specify the hosts that are allowed to SSH into the ASA and the interface that they will use to connect
```
ciscoasa(config)# ssh 11.11.11.2 255.255.255.255 outside
```
Now you can login to the ASA via SSH by using the default username pix and the default password cisco.
(Optional but recommended) If you do not want to use the default password, change the password with the password command. This will set the password for Telnet and SSH connections to the ASA. For example, to set the password to “atreides”:
```
ciscoasa(config)# password atreides
```
(Optional but recommended) Enable authentication for SSH. Otherwise, create a local user.
```
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# username duncan password distrans
```
The aaa authentication ssh console LOCAL command overrides the password set via the password command.