Configuring Cisco ASA/PIX 7.x for SSH

Posted on September 3, 2009. Filed under: CCNA

If you have already configured SSH and it does not seem to be working when tested with an SSH client (such as PuTTY), we recommend using the “diag SSH” command in a telnet or console session to see what the problem is.
If you are configuring from scratch, the first task is to generate an RSA public/private key pair, which is used to securely transfer the session key from the server to the client. The hostname and domain-name must be set before the ASA/PIX will allow you to generate the key pair.

To begin, log in to the Cisco ASA/PIX using the console or telnet, then enter enable mode and then configuration mode:

Percival> enable
Password: *******
Percival# configure terminal

1. Assign a hostname and domain name to the ASA/PIX. This is required to generate the RSA key set.

pixfirewall(config)# hostname percival

percival(config)# domain-name

2. Generate an RSA Key pair and save the keys to Flash memory.

percival(config)# crypto key generate rsa

WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait…

3. View your newly created RSA Public Key.

percival(config)# show crypto key mypubkey rsa

Key pair was generated at: 21:26:02 GMT/BDT Aug 19 2008
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a85845
15ad4990 5302cdc5 29ecedff 9fd70562 cf1db5b5 04baf537 1ff646d4 e090d5ca
58128028 b362ce22 0c540a6a 76c5c18f 3de5fa20 b94c66c9 e7523a97 4a899317
0209c7d5 7b754da4 76f7e359 58c15570 da8c765d 6a06939e acc64c7a 3a684c7e
7a586c77 3efc4139 8e14e330 20911a6f 003242b7 b952f4a9 7687571a 11020301 0001

Key pair was generated at: 18:12:37 GMT/BDT Aug 19 2008
Key name: .server
Usage: Encryption Key
Modulus Size (bits): 640
Key Data:
306c300d 06092a86 4886f70d 01010105 00035b00 30580251 00b41c50 fee794d7
109d198e 2ea1bd1f 24866fad 4623b081 afceb803 7b5889e2 908c343d 38c0dab6
44a02c35 61993036 863891ae fb89df47 6e0cbd2e 4a24227b 77ada29a 6e234604
63bcaf5a 50b627a7 cb020301 000123020301 0001
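The Key Data block is the DER-encoded SubjectPublicKeyInfo of the key, so the modulus size can be verified independently of the "Modulus Size (bits)" line the device prints. The Python below is an added example, not code from the original post: it embeds the 1024-bit general-purpose key shown above, decodes it with a minimal DER reader, and checks it against a minimum-size policy. The function names are mine. The key displayed here is 1024 bits, which is below the 2048-bit minimum generally required today; on the ASA the size is selected with `crypto key generate rsa modulus 2048`.

```python
# RSA public key exactly as the ASA prints it after "show crypto key mypubkey rsa".
# This is the 1024-bit general-purpose key from the post's own output.
KEY_DATA_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a85845
15ad4990 5302cdc5 29ecedff 9fd70562 cf1db5b5 04baf537 1ff646d4 e090d5ca
58128028 b362ce22 0c540a6a 76c5c18f 3de5fa20 b94c66c9 e7523a97 4a899317
0209c7d5 7b754da4 76f7e359 58c15570 da8c765d 6a06939e acc64c7a 3a684c7e
7a586c77 3efc4139 8e14e330 20911a6f 003242b7 b952f4a9 7687571a 11020301 0001
"""

# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption) as a DER TLV
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_dump):
    """Decode a SubjectPublicKeyInfo hex dump; return (modulus_bits, public_exponent)."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("dump is not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)                 # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)              # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:                  # first byte = count of unused bits
        raise ValueError("unexpected BIT STRING")
    tag, rsa_key, _ = _read_tlv(bitstr[1:], 0)         # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    if n % 2 == 0:
        raise ValueError("modulus is even; the dump is corrupt")
    return n.bit_length(), e


def key_meets_policy(hex_dump, min_bits=2048):
    """True if the decoded modulus is at least min_bits long (hypothetical local policy)."""
    bits, _ = parse_rsa_public_key(hex_dump)
    return bits >= min_bits


if __name__ == "__main__":
    bits, e = parse_rsa_public_key(KEY_DATA_HEX)
    print(f"modulus: {bits} bits, exponent: {e}, meets 2048-bit policy: {key_meets_policy(KEY_DATA_HEX)}")
```

Paste the Key Data lines of any `show crypto key mypubkey rsa` output into `KEY_DATA_HEX` to confirm the printed size matches the encoded key. The second (640-bit) key in the output above cannot be decoded this way because its last line is mangled in the post.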

4. Specify what hosts are allowed to SSH to the ASA/PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.

percival(config)# ssh inside

percival(config)# ssh timeout 60

5. Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session**.

percival(config)# enable password hArd2Gue$$

percival(config)# passwd Ace$$D3n13d

To exit configuration mode, press [CTRL]-Z; then save the configuration to flash memory:

Percival # write memory

**Note: If you have previously configured a telnet password and enable password, you don’t need to change them for SSH to work.
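Once steps 1 to 5 are in place, it is worth auditing the resulting running-config rather than trusting that each line was typed correctly. The Python below is an added example, not code from the original post: it reads an ASA/PIX config excerpt and reports a missing hostname or domain-name (which blocks key generation), `ssh` allow-list entries that permit any source, a missing or overly long `ssh timeout`, and the absence of `ssh version 2`. The sample config is constructed and deliberately contains two weaknesses; the function names are mine.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from a real device). The hostname,
# domain-name, allow-list and timeout lines mirror steps 1-5 of the post; the
# 0.0.0.0 rule and the missing "ssh version 2" are planted to produce findings.
SAMPLE_CONFIG = """\
hostname percival
domain-name example.invalid
ssh 192.0.2.10 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

# "ssh <host> <mask> <interface>" allow-list entries and "ssh timeout <minutes>"
ALLOW_RULE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
TIMEOUT_RULE = re.compile(r"^ssh timeout (\d+)$")


def audit_ssh_config(config_text, max_timeout_minutes=60):
    """Return a list of finding strings for the SSH-related lines of an ASA/PIX config."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]

    # Steps 1-2: hostname and domain-name are prerequisites for "crypto key generate rsa"
    for keyword in ("hostname", "domain-name"):
        if not any(ln.startswith(keyword + " ") for ln in lines):
            findings.append(f"{keyword} not set; RSA key generation will be refused")

    # Step 4: every allow-list entry should be narrower than 0.0.0.0/0
    allow_rules = 0
    for ln in lines:
        m = ALLOW_RULE.match(ln)
        if not m:
            continue
        host, mask, iface = m.groups()
        net = ipaddress.IPv4Network((host, mask), strict=False)
        allow_rules += 1
        if net.prefixlen == 0:
            findings.append(f"ssh allowed from any source on interface {iface}")
    if allow_rules == 0:
        findings.append("no ssh allow-list entries; SSH will not accept connections")

    # Step 4: inactivity timeout present and within policy
    timeout = None
    for ln in lines:
        m = TIMEOUT_RULE.match(ln)
        if m:
            timeout = int(m.group(1))
    if timeout is None:
        findings.append("ssh timeout not set (device default applies)")
    elif timeout > max_timeout_minutes:
        findings.append(f"ssh timeout {timeout} exceeds {max_timeout_minutes} minutes")

    # Without "ssh version 2" the device will also negotiate SSHv1
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not enforced; SSHv1 may be negotiated")

    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the text of `show running-config` (or the relevant `ssh`, `hostname` and `domain-name` lines) captured over the console session; an empty list means the checks above all passed.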

