How to Configure SSH Access to a Cisco ASA Firewall

There are a couple of ways to manage a Cisco ASA firewall –

  1. Using the graphical user interface ASDM
  2. Using the CLI (Command Line Interface) which requires SSH access to the ASA and this document will show how to set that up as it is not enabled by default.

Step 1

You will need is to create a username on the ASA for logging in with –

username <name> password <password> eg.

asa(config)# username asauser password ciscoletmein – (obviously you would choose a more secure password for a production system)

 

Step 2

You need to tell the ASA where to look for the user account details which in this case is on the device itself. Cisco devices also support having a centralised account database and you can tell each device to query the database for user details but that is not covered in this document.

asa(config)# aaa authentication ssh console LOCAL

 

Step 3

SSH requires a set of public and private keys to secure the connection so you need to generate them.

asa(config)# crypto key generate rsa general-keys modulus 1024

 

Step 4

This is optional but it is recommended to only allow SSH version 2 –

asa(config)# ssh version 2

 

Step 5

The final step is to tell the ASA on which interfaces to allow SSH and from which IPs. You would generally want to restrict this to specific management IPs if possible. In addition it is preferable not to allow connections on the outside interface on an internet facing firewall but this is not always possible depending on the topology.

If you are going to allow SSH connections to the outside interface then it very strongly recommended that you only allow specific IPs that access.

You would allow access using the following command –

ssh <IP address> <subnet mask> <interface name>

For Example

ssh 172.16.7.0 255.255.255.0 inside

would allow connections from any IP in the 172.16.7.x subnet on the inside interface of the ASA.