Configuring Cisco ASA/PIX 7.x for SSH

If you have already configured SSH and it does not seem to be working when tested with an SSH client (such as PuTTY), we recommend running the "diag SSH" command in a Telnet or console session to see what the problem is.
If you are configuring from scratch, the first task is to generate an RSA public/private key pair; the SSH server uses it to securely transfer the session key to the client. The hostname and domain-name must be set before the ASA/PIX will allow you to generate the key pair.


To begin configuration, log in to the Cisco ASA/PIX using the console or Telnet, then enter enable mode and then configuration mode:

Percival> enable
Password: *******
Percival# configure terminal


1. Assign a hostname and domain name to the ASA/PIX. This is required to generate the RSA key set.

pixfirewall(config)# hostname percival
percival(config)# domain-name cisco.com

2. Generate an RSA key pair and save the keys to flash memory.

percival(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...


3. View your newly created RSA public key.

percival(config)# show crypto key mypubkey rsa
Key pair was generated at: 21:26:02 GMT/BDT Aug 19 2008
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a85845
15ad4990 5302cdc5 29ecedff 9fd70562 cf1db5b5 04baf537 1ff646d4 e090d5ca
58128028 b362ce22 0c540a6a 76c5c18f 3de5fa20 b94c66c9 e7523a97 4a899317
0209c7d5 7b754da4 76f7e359 58c15570 da8c765d 6a06939e acc64c7a 3a684c7e
7a586c77 3efc4139 8e14e330 20911a6f 003242b7 b952f4a9 7687571a 11020301 0001

Key pair was generated at: 18:12:37 GMT/BDT Aug 19 2008
Key name: .server
Usage: Encryption Key
Modulus Size (bits): 640
Key Data:
306c300d 06092a86 4886f70d 01010105 00035b00 30580251 00b41c50 fee794d7
109d198e 2ea1bd1f 24866fad 4623b081 afceb803 7b5889e2 908c343d 38c0dab6
44a02c35 61993036 863891ae fb89df47 6e0cbd2e 4a24227b 77ada29a 6e234604
63bcaf5a 50b627a7 cb020301 000123020301 0001


4. Specify which hosts are allowed to SSH to the ASA/PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.

percival(config)# ssh 192.168.111.7 255.255.255.255 inside
percival(config)# ssh timeout 60


5. Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session**.

percival(config)# enable password hArd2Gue$$
percival(config)# passwd Ace$$D3n13d


To exit configuration mode press [CTRL]-Z, then save the configuration to flash memory:

Percival# write memory

**Note: If you have previously configured a Telnet password and enable password, you do not need to change them for SSH to work.
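The "Modulus Size (bits)" line in step 3 is only a label; the real key strength is in the DER-encoded Key Data. The following added example (not part of the original page, and not an ASA or Cisco tool) walks the SubjectPublicKeyInfo structure printed by `show crypto key mypubkey rsa`, recovers the modulus length and public exponent from the page's 1024-bit general-purpose key, and flags it against an assumed 2048-bit minimum.

```python
import re

# Key Data of the general-purpose key from step 3 on the page (copied verbatim).
PAGE_KEY_DATA = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a85845
15ad4990 5302cdc5 29ecedff 9fd70562 cf1db5b5 04baf537 1ff646d4 e090d5ca
58128028 b362ce22 0c540a6a 76c5c18f 3de5fa20 b94c66c9 e7523a97 4a899317
0209c7d5 7b754da4 76f7e359 58c15570 da8c765d 6a06939e acc64c7a 3a684c7e
7a586c77 3efc4139 8e14e330 20911a6f 003242b7 b952f4a9 7687571a 11020301 0001
"""

MIN_MODULUS_BITS = 2048  # assumed policy threshold for this example, not from the page


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_rsa_public_key(hex_text):
    """Return (modulus_bits, public_exponent) from the ASA 'Key Data' hex dump."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    _, p, _ = _tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, p)           # AlgorithmIdentifier (rsaEncryption), skipped
    tag, p, _ = _tlv(der, alg_end)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or der[p] != 0x00:      # first byte = number of unused bits
        raise ValueError("unexpected BIT STRING in key data")
    _, p, _ = _tlv(der, p + 1)             # RSAPublicKey SEQUENCE
    tag, s, e = _tlv(der, p)               # INTEGER modulus n (leading 0x00 pad)
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    modulus = int.from_bytes(der[s:e], "big")
    tag, s, e = _tlv(der, e)               # INTEGER public exponent
    if tag != 0x02:
        raise ValueError("exponent INTEGER not found")
    return modulus.bit_length(), int.from_bytes(der[s:e], "big")


def key_is_acceptable(hex_text, min_bits=MIN_MODULUS_BITS):
    """True when the modulus meets the minimum size and e is the conventional 65537."""
    bits, exp = parse_rsa_public_key(hex_text)
    return bits >= min_bits and exp == 65537


if __name__ == "__main__":
    bits, exp = parse_rsa_public_key(PAGE_KEY_DATA)
    print(f"modulus={bits} bits e={exp} acceptable={key_is_acceptable(PAGE_KEY_DATA)}")
```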
