Enabling SSH Access on Cisco ASA Appliances

It is very important to access your ASA via SSH and not telnet. Telnet sends passwords in clear text, so even if you only enable access from your inside interface, using SSH protects you from password sniffing on your local network by an undetected malware bot.

For this example, we are enabling SSH on our inside interface network (192.168.100.0/24).

To get started, enter configuration mode:

asa# config t

Make sure you have an enable password set; in this case, TEXT is your clear text enable password:

asa(config)# enable password TEXT

Now we create a local user for SSH login; in this case the username is admin with password ABC123:

asa(config)# aaa authentication ssh console LOCAL
asa(config)# username admin password ABC123 privilege 15

Allow access from our inside network:

asa(config)# ssh 192.168.100.0 255.255.255.0 inside

And finally, generate an RSA key:

asa(config)# domain-name foobar.com
asa(config)# crypto key generate rsa modulus 1024

It is important to note that you have to specify a domain name in order to generate a functional RSA key. Also, if you wanted to enable SSH access from the outside, you would use the following line:

asa(config)# ssh 75.100.5.45 255.255.255.255 outside

In this case, I am only allowing SSH from a single IP address, 75.100.5.45, for, say, a home office.
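
To check the result of the steps above, the following added example (not part of the original article) parses the ssh and telnet management-access lines from a saved copy of the running configuration and flags telnet access, outside SSH rules wider than a single host, and SSH enabled without the aaa authentication line. The sample configuration, the function names and the trusted_interfaces parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample of ASA running-config lines (not taken from a real device).
SAMPLE_CONFIG = """\
domain-name foobar.com
aaa authentication ssh console LOCAL
telnet 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 75.100.5.45 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

def parse_mgmt_rules(config):
    """Return (protocol, network, interface) for each ssh/telnet permit line."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("ssh", "telnet"):
            continue  # wrong shape, e.g. "ssh timeout 5"
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # four words, but not an address/mask pair
        rules.append((parts[0], net, parts[3]))
    return rules

def audit(config, trusted_interfaces=("inside",)):
    """Return a list of findings for management-access lines in the config."""
    findings = []
    rules = parse_mgmt_rules(config)
    for proto, net, iface in rules:
        if proto == "telnet":
            findings.append(f"telnet permitted from {net} on {iface}: clear text login")
        elif iface not in trusted_interfaces and net.num_addresses > 1:
            findings.append(f"ssh permitted from {net} on {iface}: restrict to single hosts")
    has_ssh = any(proto == "ssh" for proto, _, _ in rules)
    if has_ssh and "aaa authentication ssh console LOCAL" not in config:
        findings.append("ssh permitted but no 'aaa authentication ssh console LOCAL' line")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the configuration built in this article (inside /24 plus the single outside host), audit() returns no findings.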
