Although the use of Telnet is generally not recommended, you might prefer it on some occasions. Here are some scenarios:
* If you are using a client that does not support SSH.
* If you are managing a device on a secure OOB (out-of-band) network, where there is no possibility of rogue sniffers being present.
* If you are managing a device through a VPN tunnel that already provides encryption for the management session.
The CLI commands to enable Telnet on the ASA are as follows:
ciscoasa(config)# telnet ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
login to the system
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to login to the system
timeout Configure telnet idle timeout
ciscoasa(config)# telnet 10.0.0.10 ?
configure mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ciscoasa(config)# telnet 10.0.0.10 255.255.255.255 ?
configure mode commands/options:
Current available interface(s):
management Name of interface GigabitEthernet0
ciscoasa(config)# telnet 10.0.0.10 255.255.255.255 management
ciscoasa(config)# telnet timeout ?
configure mode commands/options:
<1-1440> Idle time in minutes after which a telnet session will be closed;
default is 5 minutes
<cr>
ciscoasa(config)# telnet timeout 15
To view or clear Telnet sessions, you can use the following commands:
* who: Displays which IP addresses are currently accessing the ASA console via Telnet.
* kill <session-id>: Terminates a designated Telnet session without warning the user.
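The Python script below is an added example, not part of the original post. It audits the `telnet` lines of an ASA configuration against the scenarios listed at the top: a single authorized host, reached over an out-of-band interface, with a bounded idle timeout. The set of OOB interface names, the 15-minute ceiling and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the original page): which interfaces count as
# out-of-band management, and the longest idle timeout policy accepts.
OOB_INTERFACES = {"management"}
MAX_IDLE_MINUTES = 15

RULE_RE = re.compile(r"^telnet\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^telnet\s+timeout\s+(\d+)$")


def audit_telnet(config_text):
    """Return (config line, finding) tuples for risky Telnet settings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            if int(m.group(1)) > MAX_IDLE_MINUTES:
                findings.append((line, f"idle timeout exceeds {MAX_IDLE_MINUTES} minutes"))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a Telnet access rule
        addr, mask, iface = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((line, "unparseable address or netmask"))
            continue
        if net.prefixlen < 32:
            findings.append((line, f"permits {net.num_addresses} addresses, not a single host"))
        if iface not in OOB_INTERFACES:
            findings.append((line, f"Telnet allowed on non-OOB interface '{iface}'"))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
telnet 10.0.0.10 255.255.255.255 management
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
"""

if __name__ == "__main__":
    for line, finding in audit_telnet(SAMPLE_CONFIG):
        print(f"{line!r}: {finding}")
```

The host rule from the walkthrough above (`telnet 10.0.0.10 255.255.255.255 management`) passes cleanly; the subnet-wide and any-source rules and the 60-minute timeout are reported.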
SSH provides more secure remote management of the ASA than Telnet. Before you can enable the SSH server, you must generate a public-private RSA key pair using the crypto key generate rsa command.
ciscoasa(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ciscoasa(config)# crypto key ?
configure mode commands/options:
generate Generate new keys
zeroize Remove keys
ciscoasa(config)# crypto key generate ?
configure mode commands/options:
rsa Generate RSA keys
ciscoasa(config)# crypto key generate rsa ?
configure mode commands/options:
general-keys Generate a general purpose RSA key pair for signing and
encryption
label Provide a label
modulus Provide number of modulus bits on the command line
noconfirm Specify this keyword to suppress all interactive prompting.
usage-keys Generate seperate RSA key pairs for signing and encryption
<cr>
ciscoasa(config)# crypto key generate rsa general-keys modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# show crypto key mypubkey rsa
Key pair was generated at: 15:10:20 UTC Jun 17 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008e9dfe
33d2537a 51e544f2 c4183a32 bb1c1baf 3192dfc2 98d09d94 2fb97355 850c3bca
1b344c16 ebfcf851 cbfe1a8e d3a7bac5 0b2ca0ac 7d515551 8a34cc48 a64b6c20
2a3ae04e e6937b50 7948d168 a46d0171 da9c4345 f1811aff 0397179a 086ca8f5
267274b1 eb2f2888 5280e92a f0f64330 0326c664 302a3c1b c9e3677f f1020301 0001
ciscoasa(config)# aaa authentication ssh console LOCAL