How to Configure SSH Version 2 on Cisco ASA Firewall: A Step-by-Step Guide


Introduction

Secure Shell (SSH) is a widely used protocol for securing remote access to network devices. When managing Cisco ASA firewalls, it is crucial to set up SSH to ensure secure communication between administrators and the device. SSH Version 2 (SSHv2) is the recommended version due to its enhanced security features compared to SSHv1. This guide walks you through configuring SSHv2 on a Cisco ASA firewall, step by step.

Prerequisites

Before you begin the SSH configuration, ensure the following prerequisites are met:

  • Access to Cisco ASA CLI: Ensure you have console or SSH access to the Cisco ASA CLI.
  • Basic Network Configuration: The ASA should have at least one interface configured with an IP address and reachable from the management network.
  • AAA Configuration (Optional but recommended): It’s advisable to configure AAA (Authentication, Authorization, and Accounting) for better security management.

Step 1: Access the Cisco ASA CLI

The first step is to access the Cisco ASA command-line interface (CLI). You can do this via:

  • Console Access: Directly connect to the ASA via a console cable.
  • Telnet/SSH Access: If already configured, you can access the ASA remotely using Telnet or SSH.

ASA> enable
Password: ********
ASA#

Use the enable command to enter privileged EXEC mode.

Step 2: Generate RSA Keys for SSH

SSH uses an RSA key pair as the ASA's host key, which identifies the device to clients during the key exchange. If you haven't already generated RSA keys, you need to do so before enabling SSH.

ASA(config)# crypto key generate rsa modulus 2048

The modulus size can vary, but 2048 bits is the standard for secure configurations. The ASA will generate the RSA keys, which may take a few moments.

Step 3: Configure SSH Version 2

To restrict the ASA to SSH Version 2, use the following command:

ASA(config)# ssh version 2

This ensures that only SSHv2 connections will be accepted, enhancing the security of the connection.

Step 4: Define the Allowed IP Address Range

You need to specify which IP addresses or subnets are allowed to initiate an SSH session to the ASA. This is crucial for limiting access and enhancing security.

ASA(config)# ssh 192.168.1.0 255.255.255.0 inside

This command allows SSH connections from any device within the 192.168.1.0/24 network on the ‘inside’ interface. Adjust the IP range and interface according to your network design.

Step 5: Configure Local User Authentication

While AAA is preferred, you can configure local user authentication if AAA is not in use. Create a user with a privilege level of 15, which provides full access.

ASA(config)# username admin password SuperSecurePassword privilege 15

Replace admin and SuperSecurePassword with your preferred username and password.

Step 6: (Optional) Configure AAA Authentication for SSH

If you are using AAA for authentication, you need to configure it to apply to SSH connections.

ASA(config)# aaa authentication ssh console LOCAL

This command sets up the ASA to authenticate SSH users against the local user database. If you’re using an external AAA server, replace LOCAL with the appropriate AAA method.

Step 7: Enable SSH Access on the Desired Interface(s)

SSH access from the interface(s) you connect through was granted by the ssh command in Step 4. Complete the setup by configuring the SSH idle timeout and the maximum number of concurrent SSH sessions.

ASA(config)# ssh timeout 10
ASA(config)# ssh limit 5

The ssh timeout 10 command sets the idle timeout for an SSH session to 10 minutes, while ssh limit 5 restricts the number of concurrent SSH sessions to 5.

Step 8: Save the Configuration

After completing the SSH configuration, save the changes to ensure they persist after a reboot.

ASA(config)# write memory

This command saves the running configuration to the startup configuration.

Step 9: Verifying SSH Configuration

To verify that SSH is configured correctly and running, you can use the following commands:

ASA# show ssh sessions

This command displays active SSH sessions. Additionally, you can confirm that SSHv2 is configured:

ASA# show running-config ssh

This will display the SSH configuration, including the version and allowed IP ranges.
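As an added example that is not part of the original guide, the following Python script parses the output of show running-config ssh and flags settings that deviate from the steps above (missing ssh version 2, an allow-from-anywhere ssh line, a timeout above the chosen maximum, or no session limit). The sample output is constructed for the example, not captured from a real device.

```python
import ipaddress

# Constructed sample of `show running-config ssh` output, modelled on the
# commands in this guide; the "outside" line is a deliberate weak setting.
SAMPLE = """\
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
"""

def parse_ssh_config(text):
    """Collect the ASA 'ssh ...' lines into a dict of settings.
    Only the IPv4 form 'ssh <net> <mask> <iface>' is parsed for allowed hosts."""
    cfg = {"version": None, "timeout": None, "limit": None, "allowed": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ssh":
            continue
        if parts[1] == "version" and len(parts) == 3:
            cfg["version"] = parts[2]
        elif parts[1] == "timeout" and len(parts) == 3:
            cfg["timeout"] = int(parts[2])
        elif parts[1] == "limit" and len(parts) == 3:
            cfg["limit"] = int(parts[2])
        elif len(parts) == 4 and parts[1][0].isdigit():
            # ipaddress accepts dotted-decimal masks for IPv4 networks
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            cfg["allowed"].append((net, parts[3]))
    return cfg

def audit_ssh_config(text, max_timeout=10):
    """Return a list of findings; an empty list means the config matches the guide."""
    cfg = parse_ssh_config(text)
    findings = []
    if cfg["version"] != "2":
        findings.append("'ssh version 2' not present in the output")
    if not cfg["allowed"]:
        findings.append("no 'ssh <net> <mask> <iface>' line: no hosts are permitted")
    for net, iface in cfg["allowed"]:
        if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 permits SSH from any address
            findings.append(f"SSH permitted from any address on interface {iface}")
    if cfg["timeout"] is None or cfg["timeout"] > max_timeout:
        findings.append(f"ssh timeout not set or above {max_timeout} minutes")
    if cfg["limit"] is None:
        findings.append("ssh limit not set")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE):
        print("FINDING:", finding)
```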

Step 10: Testing the SSH Connection

Finally, test the SSH connection from a device within the allowed IP range. Use an SSH client to connect to the ASA’s IP address.

ssh admin@192.168.1.1

Replace admin with the username you configured and 192.168.1.1 with the IP address of the ASA. You should be prompted for the password, and upon successful authentication, gain access to the ASA CLI.

Troubleshooting Tips

  • Connection Refused: Ensure the IP range and interface are correctly configured.
  • Timeout Issues: Check the network connectivity and ensure there is no firewall blocking SSH.
  • Authentication Failures: Verify the username and password. If using AAA, ensure the server is reachable and correctly configured.

Conclusion

Configuring SSHv2 on a Cisco ASA firewall is a critical step in securing your network infrastructure. By following the steps outlined in this guide, you can ensure that your ASA firewall is accessible only through secure, encrypted channels. This setup not only enhances security but also provides peace of mind knowing that unauthorized access is minimized. Always remember to periodically review your SSH configuration and update passwords and key sizes to keep up with the latest security best practices.