Skip to main content

Setting Up SSH and Local Authentication on Cisco ASA

By October 29, 2018September 18th, 2020Blog, Cisco, Networking
cisco

Here’s how to set up SSH on a new ASA out of the box, as well as set up local authentication.

Step 1: Configure aaa to use local database for ssh and console

ciscoasa# aaa authentication ssh console LOCAL

***NOTE*** aaa = authentication (permitting access), authorization (specify commands when granted access), accounting (keeps track of utilization reports of users after logged in and generate accounting reports for billing)
LOCAL = local database

Step 2: Create admin username with privilege 15 (username, P@ssw0rd)

ciscoasa# username username password P@ssw0rd priv 15

***NOTE*** priv 15 = top privilege level (full superuser, can give different command access to different privilege levels)

Step 3: Turn on password for enable

ciscoasa# aaa authentication enable console LOCAL

***NOTE*** forcing a password for the enable prompt

Step 4: Turn on serial console authentication

ciscoasa# aaa authentication serial console LOCAL

***NOTE*** turns on user/pass for serial access

Step 5: Save the changes so far

ciscoasa# write mem

Step 6: log out console and verify access

ciscoasa(config)# end
ciscoasa# exit
Logoff
Username: username
Password: ********

Step 7: Generate ssh key pair

ciscoasa# crypto key generate rsa modulus 4096
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
ciscoasa(config)#***NOTE*** SSH is an encrypted protocol, uses RSA to generate public and private key
4096 = block size
rsa = encryption algorithm

Step 8: Allow access to the inside interface

ciscoasa# ssh 0.0.0.0 0.0.0.0 inside

***NOTE*** enable ssh access to the inside interface from any IPv4

Step 9: Force ssh version 2

ciscoasa# ssh version 2

Step 10: Add timeout of 15 min to ssh

ciscoasa# ssh timeout 15

Step 11: Verify login with ssh through 192.168.1.1 in putty

login as: username
username@192.168.1.1’s password:
User peiadmin logged in to ciscoasa
Logins over the last 1 days: 2.  Last login: 16:47:06 UTC Aug 2 2018 from console
Failed logins since the last login: 0.
Type help or ‘?’ for a list of available commands.
ciscoasa> en
Password: ********
ciscoasa#
Alison Wallick, PEI

One Comment

Leave a Reply