ASA5505: Setting up ssh for remote management.

ASA5505: Setting up ssh for remote management.

by Cyrus Lok on Thursday, April 8, 2010 at 11:13pm
I have a generated RSA key which is stored in my ASA’s flash memory. I am going to recreate a RSA key once more, so I will zeroize the key. If there is a RSA key stored in the flash, ASA will prompt whether I want to replace the current generated key with the old one.

Zeroize the key:

ciscoasa(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed

Do you really want to remove these keys? [yes/no]: y
ciscoasa(config)#

Generating RSA key needs to define a domain name, this is the same as in IOS.

ciscoasa(config)# domain-name cyruslab.com
ciscoasa(config)#

Generate a 1024-bit long RSA key:
ciscoasa(config)# crypto key generate rsa general-keys modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
ciscoasa(config)#

Actually it is sufficient if I just type crypto key generate rsa <cr>, the interactive prompt will just prompt me for the length of the key (modulus).

This is the 1024-bit long RSA key which I have just generated:

ciscoasa(config)# sh crypto key mypubkey rsa
Key pair was generated at: 06:20:15 UTC Apr 8 2010
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c2890c
ad9065a0 f17eebbd 726029dc 0a9f40a9 ca714031 5de9d15b fe7b8fc7 e11e7ffd
8f27befc beaf0aae fa937c69 482a1595 f8865cc1 d8ced14a 737243c3 8f9886ab
75be998a 8a7437a1 bac57f34 d31774b7 a53cd803 a7837bc4 92f9f326 8fc818a5
54ca0476 3c864534 7b50d635 88905d28 cfeec63d e32324a9 98eba845 3b020301 0001

Allow ssh connection from my private network:
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside

Allow ssh connection from the internet (any connection):
ciscoasa(config)# ssh 0 0 outside

Set up ssh idle time-out period (maximum is 1hour):
ciscoasa(config)# ssh timeout 30

ssh has two versions: 1 and 2. ssh version 1 is less secured than version 2. My default ssh supports two versions:

ciscoasa(config)# sh ssh
Timeout: 30 minutes
Versions allowed: 1 and 2
192.168.1.0 255.255.255.0 inside
0.0.0.0 0.0.0.0 outside

To support only version 2, I have to explicitly tell my firewall with this command:
ciscoasa(config)# ssh version 2

ciscoasa(config)# sh ssh
Timeout: 30 minutes
Version allowed: 2
192.168.1.0 255.255.255.0 inside
0.0.0.0 0.0.0.0 outside

I think putty supports ssh version 2.. so I shall test it…

A security warning came up because this RSA signature key has not been verified by any CA, this is generated by ASA. However this can be trusted because I generated it 😉

Click yes button to store this key into my windows XP.

I could not find a command to set up the username for remote login, but the default for pix/asa is pix…zzz

Great! Putty supports ssh version 2.

From my console, I can check the current ssh sessions to my ASA5505:

To show current ssh sessions.

To kill ssh session:

ssh disconnect <sid> for disconnecting ssh session.

kill <sid> for killing telnet session.

LOL! SSH session has been sniped!

Advertisements
This entry was posted in Security. Bookmark the permalink.

One Response to ASA5505: Setting up ssh for remote management.

  1. charles says:

    Thanks for your work. A lot more useful than docs from Cisco !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s