Configure SSH On Cisco ASA Firewall CLI


Scenario:
Make: Cisco ASA
Model: All ASA Models [ASA 5506-X, ASA 5506 W-X, ASA 5508-X etc.]
Mode: CLI (Command Line Interface)
Description: In this article, we discuss step by step how to configure SSH access on a Cisco ASA Firewall. We will use the Command Line Interface [CLI] for the configuration of SSH on the ASA. SSH can be configured on the Cisco ASA through the GUI [Graphical User Interface] as well.

When we configure an ASA we need to enable SSH and ASDM access for remote management and maintenance of the Firewall. Here we will discuss how to configure SSH on an ASA. This configuration method is valid for both standalone and failover ASA units; in Failover mode the active firewall is the one accessible over SSH.

Step1: Console Access
Access the Firewall via Console to make changes.


Step2: Username & Password
Create a username & password on the ASA for authentication.

edledge-asa#
edledge-asa# configure t
edledge-asa(config)# username admin password edledge

Step3: Enable Password
Set the enable password used to enter privileged mode.

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# enable password edledge

Step4: Local AAA
Enable LOCAL AAA authentication so that the username created above can be used to SSH onto the ASA.

edledge-asa(config)# aaa authentication ssh console LOCAL
edledge-asa#

Note: The word “LOCAL” must be written in capital letters.

Step5: RSA Key
Generate an RSA key pair as shown below.

edledge-asa#conf t
edledge-asa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be:
Keypair generation process begin. Please wait.....

Note: It is advisable to use a 2048-bit modulus; smaller sizes such as 1024 bits are accepted as well, but they are weaker.

Step6: Management Interface
Set the management interface as per your Firewall configuration. It could be inside or any other VLAN or interface, such as maintenance or management.

edledge-asa# 
edledge-asa# conf t
edledge-asa(config)# management-access inside

Step7: Allow SSH
Define the subnets or IPs that are allowed to SSH onto the ASA.

edledge-asa# 
edledge-asa# conf t
edledge-asa(config)# ssh 10.0.1.0 255.255.255.0 inside
edledge-asa(config)# ssh 10.0.2.0 255.255.255.0 inside
edledge-asa#

Step8: Confirmation
Now SSH onto the ASA to confirm that everything is working. On the first connection your SSH client will prompt you to accept the firewall's RSA host key; click “YES” to proceed.


SSH is configured and all set to use.
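As a defender-side check on Steps 2 to 7, the script below audits a running-config excerpt for the settings this article configures: the LOCAL AAA line, the per-interface SSH allow-list and, optionally, the RSA modulus size. It is an added example, not code from the original article or from Cisco. The parser, the check logic, the sample configuration and the "Modulus Size (bits):" line format assumed for the key listing are all constructions of this example, not something the article shows.

```python
"""Audit an ASA running-config excerpt for the SSH settings the article configures.

Added example, not from the original article or from Cisco. The parser and
checks are this example's own; SAMPLE_CONFIG is constructed to mirror the
article's steps, and the 'Modulus Size (bits):' line is the format this
example assumes for the key listing (an assumption, not page content).
"""
import ipaddress
import re

# Constructed sample: running-config lines after the article's Steps 2-7.
SAMPLE_CONFIG = """\
hostname edledge-asa
enable password ***** encrypted
username admin password ***** encrypted
aaa authentication ssh console LOCAL
management-access inside
ssh 10.0.1.0 255.255.255.0 inside
ssh 10.0.2.0 255.255.255.0 inside
"""

# Constructed sample of a key listing after Step 5 (line format assumed).
SAMPLE_KEY_OUTPUT = """\
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 2048
"""

SSH_RULE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RULE = re.compile(r"^aaa authentication ssh console (.+)$")
MODULUS_RULE = re.compile(r"Modulus Size \(bits\): (\d+)")


def parse_ssh_rules(config):
    """Return (aaa_groups, rules): the AAA group list for SSH (None if absent)
    and the (network, interface) pairs from 'ssh <ip> <mask> <interface>' lines."""
    aaa_groups = None
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_RULE.match(line)
        if m:
            aaa_groups = m.group(1).split()  # case-sensitive: LOCAL must be uppercase
            continue
        m = SSH_RULE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return aaa_groups, rules


def ssh_permitted(rules, source_ip, interface):
    """True if a client at source_ip arriving on interface matches an ssh rule."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net and iface == interface for net, iface in rules)


def audit(config, key_output=""):
    """Return a list of findings; an empty list means the article's settings are in place."""
    findings = []
    aaa_groups, rules = parse_ssh_rules(config)
    if aaa_groups is None:
        findings.append("no 'aaa authentication ssh console ...' line: "
                        "SSH logins are not tied to the local user database")
    elif "LOCAL" not in aaa_groups:
        findings.append("SSH AAA does not include LOCAL (uppercase): "
                        "no local fallback if the external server group is unreachable")
    if not rules:
        findings.append("no 'ssh <ip> <mask> <interface>' lines: SSH is not allowed from any source")
    for net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"ssh allowed from any source on '{iface}'; restrict to management subnets")
    m = MODULUS_RULE.search(key_output)
    if m and int(m.group(1)) < 2048:
        findings.append(f"RSA host key modulus is {m.group(1)} bits; "
                        "regenerate with 'crypto key generate rsa modulus 2048'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_KEY_OUTPUT) or ["no findings"]:
        print(finding)
```

Feed it the output of "show running-config" (and, if you want the modulus check, the key listing from "show crypto key mypubkey rsa") saved to text files; ssh_permitted() lets you confirm that a given management host is covered by the allow-list before you rely on it for remote access.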

SSH access is really important for the maintenance and management of the ASA and/or the network. We can upgrade and/or downgrade the firmware of the ASA whenever needed. Yes, an ASA firmware upgrade can be done via ASDM as well. Do not forget to refer to the attached link if you are looking to configure Failover on a Cisco ASA.

Source – Cisco, Knowledge Base, Lab

EA00052
