The Cisco ASA firewall appliance provides both graphical and command line methods for connecting to the device for management. With the graphical method, the administrator can use a web browser (https) for managing the firewall. This method necessitates that the ASDM software (Adaptive Security Device Manager) is installed on the flash memory of the firewall.
The command line methods use either Telnet or SSH to connect to the device. Since Telnet sends everything in clear text, SSH is recommended, as all communication with the firewall is then encrypted.
So let’s take a look at the commands needed on the ASA to allow SSH connections:
1) Connect to the ASA via console and get in configuration mode.
2) Configure a hostname and a domain name:
firewall(config)# hostname ASA-FIREWALL
ASA-FIREWALL(config)# domain-name test.com
3) Generate an RSA key pair, which the SSH protocol needs as the firewall's host key. This can be achieved with the following command:
ASA-FIREWALL(config)# crypto key generate rsa modulus 2048
After issuing this command and hitting enter, you will see something like the following and you will need to wait:
For >= 2048, key generation could take up to several minutes. Please wait...
4) Next, save the newly created keys to flash with the following command:
ASA-FIREWALL# write mem
5) Now, we can tell the ASA exactly which hosts or networks can access the device via SSH. We also need to specify which interface we are allowing access to.
For example, if you have a management PC with internal IP address of 10.0.0.1 and just wanted to allow this PC to access the ASA on the inside interface, you would issue the following command:
ASA-FIREWALL(config)# ssh 10.0.0.1 255.255.255.255 inside
6) Enable authentication for SSH. You can use LOCAL authentication by configuring a local username and password on the device:
ASA-FIREWALL(config)# aaa authentication ssh console LOCAL
ASA-FIREWALL(config)# username admin password xxxxxxxx encrypted
7) Download a free SSH client (e.g. PuTTY) to connect to the device.
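To verify that a running configuration actually reflects steps 2, 5 and 6 above (and that clear-text Telnet has not been left enabled), the following audit script is an added example, not part of the original post or any Cisco tool. The two configuration fragments are constructed samples; the /24 threshold for a "broad" SSH source range and the check against the factory default hostname "ciscoasa" are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample running-config fragments (not captured from a real device).
GOOD_CONFIG = """\
hostname ASA-FIREWALL
domain-name test.com
ssh 10.0.0.1 255.255.255.255 inside
aaa authentication ssh console LOCAL
username admin password xxxxxxxx encrypted
"""

WEAK_CONFIG = """\
hostname ciscoasa
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
"""


def audit_ssh_config(config: str) -> list:
    """Return findings for the remote-management settings the tutorial covers.
    An empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    if "hostname ciscoasa" in lines:  # assumption: factory default name still set
        findings.append("hostname is still the factory default 'ciscoasa'")
    if not any(l.startswith("domain-name ") for l in lines):
        findings.append("no domain-name configured (needed before RSA key generation)")

    # Only 'ssh <host> <mask> <interface>' rules, not 'ssh version'/'ssh timeout'.
    ssh_rules = [l for l in lines if re.match(r"^ssh \d", l)]
    if not ssh_rules:
        findings.append("no 'ssh <host> <mask> <interface>' rule: SSH not permitted from anywhere")
    for rule in ssh_rules:
        _, host, mask, iface = rule.split()[:4]
        net = ipaddress.IPv4Network((host, mask), strict=False)
        if net.prefixlen == 0:
            findings.append(f"ssh rule on '{iface}' allows any source (0.0.0.0 0.0.0.0)")
        elif net.prefixlen < 24:  # assumption: /24 or tighter counts as restricted
            findings.append(f"ssh rule on '{iface}' allows a broad source range {net}")

    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("no 'aaa authentication ssh console' statement: SSH logins not tied to a user database")

    for l in lines:
        if re.match(r"^telnet \d", l):  # Telnet access rules are clear-text management
            findings.append(f"Telnet access enabled ('{l}'): clear-text management protocol")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD_CONFIG), ("WEAK", WEAK_CONFIG)):
        print(name, audit_ssh_config(cfg) or "all checks passed")
```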