Accessing your ASA remotely through SSH

      No Comments on Accessing your ASA remotely through SSH

There is often a need for remote administration capabilities on a firewall appliance however there isn’t the need for a full blown VPN solution.  I’ve set up a lot of 5505 appliances for clients who don’t even want the VPN configured.  That being said, if there’s a chance that I’m going to need remote access, I’ll usually open up SSH as long as its okay with the owner of the network.  Some people will configure ASDM for external access on a secondary IP (if on exists in the clients external subnet), however I usually don’t do this initially.  Its something that I can always configure later through SSH if need be.  The first time that I did this I thought I could figure it out on my own.  Not the case…

-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Generate RSA keys if you haven’t done so already
ASA(config)# crypto key generate rsa
Note: If you already have generated the default key you’ll get this warning
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]:
In most cases I would recommend saying yes, I haven’t heard of an instance to this point where regenerating the keys has caused issues.

Enable SSH on the inside and outside interfaces
ASA(config)# ssh outside
ASA(config)# ssh inside
Note: If you wish you could lock down both the inside and the outside to specific IP’s by not using the any any subnet assignment.

Configure a username and password if you haven’t done so already
ASA(config)# username <Username> password <Password>
Note: if you already have other local users defined for other purposes you can use those.

Tell the ASA to use Local authentication with SSH
ASA(config)# aaa authentication ssh console LOCAL

That’s it!  Try it from the outside and see if it works.  I use PUTTY for most of my SSH work and it seems to work very well.

Leave a Reply

Your email address will not be published. Required fields are marked *