Tuesday, July 2, 2013

Configure Remote Access on the ASA using Telnet and SSH

Although Telnet carries the whole management session, including the login credentials, in cleartext and is generally not recommended, there are a few scenarios in which you might still choose it:

* If you are using a client that does not support SSH.

* If you are managing a device over a dedicated OOB (out-of-band) management network, where the risk of someone sniffing the session is acceptably low.

* If you are managing a device through a VPN tunnel that already provides encryption for the management session.

The CLI commands to enable Telnet on the ASA are as follows. Each telnet line permits one host or network on one named interface; note that the ASA refuses Telnet on its lowest-security interface (normally the outside) unless the session arrives inside a VPN tunnel:

ciscoasa(config)# telnet ?

configure mode commands/options:
  Hostname or A.B.C.D  The IP address of the host and/or network authorized to
                       login to the system
  X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system
  timeout              Configure telnet idle timeout
ciscoasa(config)# telnet 10.0.0.10 ?

configure mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ciscoasa(config)# telnet 10.0.0.10 255.255.255.255 ?

configure mode commands/options:
Current available interface(s):
  management  Name of interface GigabitEthernet0
ciscoasa(config)# telnet 10.0.0.10 255.255.255.255 management
ciscoasa(config)# telnet timeout ?

configure mode commands/options:
  <1-1440>  Idle time in minutes after which a telnet session will be closed;
            default is 5 minutes
  <cr>
ciscoasa(config)# telnet timeout 15


To view or clear Telnet sessions, you can use the following commands:

who: Displays the session ID and source IP address of every host currently accessing the ASA console via Telnet.

kill <session-id>: Terminates the Telnet session with the given ID (taken from the who output) without warning the user.




The SSH protocol provides more secure remote management of the ASA, because the login and the whole session are encrypted. Before you can enable the SSH server, you must generate a public/private RSA key pair with the crypto key generate rsa command; generating a new pair replaces the existing one. The transcript below uses a 1024-bit modulus, which was common in 2013 but is now considered too weak; on current software use modulus 2048 or larger.

ciscoasa(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands
ciscoasa(config)# crypto key ?

configure mode commands/options:
  generate  Generate new keys
  zeroize   Remove keys
ciscoasa(config)# crypto key generate ?

configure mode commands/options:
  rsa  Generate RSA keys
ciscoasa(config)# crypto key generate rsa ?

configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate seperate RSA key pairs for signing and encryption
  <cr>
ciscoasa(config)# crypto key generate rsa general-keys modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# show crypto key mypubkey rsa
Key pair was generated at: 15:10:20 UTC Jun 17 2013
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008e9dfe
  33d2537a 51e544f2 c4183a32 bb1c1baf 3192dfc2 98d09d94 2fb97355 850c3bca
  1b344c16 ebfcf851 cbfe1a8e d3a7bac5 0b2ca0ac 7d515551 8a34cc48 a64b6c20
  2a3ae04e e6937b50 7948d168 a46d0171 da9c4345 f1811aff 0397179a 086ca8f5
  267274b1 eb2f2888 5280e92a f0f64330 0326c664 302a3c1b c9e3677f f1020301 0001

ciscoasa(config)# aaa authentication ssh console LOCAL
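As an added example (not code from the original post), the following Python script audits the management-access lines of an ASA configuration against the points made above: Telnet still permitted, an access line that allows any source, idle timeouts that are too long, SSHv1 still accepted, no AAA for SSH, and an RSA modulus below 2048 bits. It reads a running-config excerpt and the output of show crypto key mypubkey rsa. The two configuration excerpts and the key outputs are constructed samples; the ssh <host> <mask> <interface> and ssh version 2 commands, which the post does not show, are the ASA commands that permit SSH clients and restrict the server to SSHv2. The 2048-bit minimum, the 15-minute timeout limit and the /24 and /64 source-width thresholds are assumed policy values, and the host addresses and interface names are assumptions.

```python
"""Audit the Telnet/SSH management-access lines of a Cisco ASA configuration.

Added example, not code from the original post. Input is a running-config
excerpt plus the output of `show crypto key mypubkey rsa`; output is a list of
findings a reviewer would raise. All sample configs below are constructed.
"""
import ipaddress
import re

MIN_RSA_BITS = 2048          # assumed policy: 1024-bit RSA is no longer acceptable
MAX_IDLE_MINUTES = 15        # assumed policy: idle timeout for telnet/ssh sessions
MIN_PREFIX = {4: 24, 6: 64}  # assumed policy: a wider source is treated as "anyone"

ACCESS4_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
ACCESS6_RE = re.compile(r"^(telnet|ssh)\s+([0-9A-Fa-f:]+/\d+)\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")
MODULUS_RE = re.compile(r"Modulus Size \(bits\):\s*(\d+)")


def parse_access(config):
    """Return (protocol, source network, interface) for each host/network line."""
    rules = []
    for line in (l.strip() for l in config.splitlines()):
        m = ACCESS6_RE.match(line)
        if m:
            proto, net, iface = m.groups()
        else:
            m = ACCESS4_RE.match(line)
            if not m:
                continue
            proto, addr, mask, iface = m.groups()
            net = f"{addr}/{mask}"  # ipaddress accepts dotted netmasks
        try:
            rules.append((proto, ipaddress.ip_network(net, strict=False), iface))
        except ValueError:
            continue  # four-token ssh/telnet lines that carry no address
    return rules


def parse_timeouts(config):
    """Return {protocol: idle minutes} from 'telnet timeout N' / 'ssh timeout N'."""
    out = {}
    for line in (l.strip() for l in config.splitlines()):
        m = TIMEOUT_RE.match(line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_rsa_modulus(show_output):
    """Modulus size from `show crypto key mypubkey rsa`, or None if no key exists."""
    m = MODULUS_RE.search(show_output)
    return int(m.group(1)) if m else None


def audit(config, key_output):
    """Return human-readable findings; an empty list means the excerpt is clean."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    rules = parse_access(config)

    for proto, net, iface in rules:
        if proto == "telnet":
            findings.append(f"telnet permitted from {net} on {iface}: cleartext session, use ssh")
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{proto} permitted from {net} on {iface}: source is too broad")

    for proto, minutes in parse_timeouts(config).items():
        if minutes > MAX_IDLE_MINUTES:
            findings.append(f"{proto} timeout {minutes}: exceeds {MAX_IDLE_MINUTES} minutes")

    if any(proto == "ssh" for proto, _, _ in rules):
        if "ssh version 2" not in lines:
            findings.append("SSHv1 still accepted: add 'ssh version 2'")
        if not any(l.startswith("aaa authentication ssh console") for l in lines):
            findings.append("no 'aaa authentication ssh console': SSH uses the shared login only")
        bits = parse_rsa_modulus(key_output)
        if bits is None:
            findings.append("no RSA key pair: run 'crypto key generate rsa'")
        elif bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus {bits} bits: below {MIN_RSA_BITS}, regenerate the key")
    return findings


# Constructed sample: the post's telnet lines plus an SSH setup enabled in a
# hurry. Host addresses and interface names are assumptions.
WEAK_CONFIG = """\
telnet 10.0.0.10 255.255.255.255 management
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
aaa authentication ssh console LOCAL
"""
WEAK_KEY = """\
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
"""
# Constructed sample of the hardened equivalent: SSH only, from a management
# subnet (v4 and v6), SSHv2 only, short idle timeout, 2048-bit key.
HARDENED_CONFIG = """\
ssh 10.0.0.0 255.255.255.0 management
ssh 2001:db8:10::/64 management
ssh timeout 10
ssh version 2
aaa authentication ssh console LOCAL
"""
HARDENED_KEY = WEAK_KEY.replace("1024", "2048")

if __name__ == "__main__":
    for name, cfg, key in (("weak", WEAK_CONFIG, WEAK_KEY), ("hardened", HARDENED_CONFIG, HARDENED_KEY)):
        print(f"[{name}]")
        for finding in audit(cfg, key) or ["clean"]:
            print("  -", finding)
```

Running the script prints five findings for the weak sample (Telnet enabled, SSH open to any source, 60-minute SSH timeout, SSHv1 not disabled, 1024-bit key) and "clean" for the hardened one. To use it against a real device, paste the output of show running-config | include telnet|ssh|aaa authentication ssh and of show crypto key mypubkey rsa into the two inputs.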


