Cisco ASA: Generate SSH Key (ASDM)

This guide walks you through the basics of hardening SSH access to your Cisco ASA firewall using ASDM: allowing only SSH version 2, using a stronger Diffie-Hellman group, and restricting which hosts may connect. If you're like me, you'd rather use a GUI than spend the day Googling CLI commands.

4 Steps total

Step 1: Log in to ASDM

Log in to ASDM. SSH on the ASA requires an RSA key pair. On the ASAv the key pair is created automatically after deployment; on other models you generate it once. From the CLI the command is `ciscoasa(config)# crypto key generate rsa modulus 2048` (the supported modulus values are 512, 768, 1024, 2048 and 4096 bits; use 2048 or 4096). In ASDM, go to Configuration > Device Management > Certificate Management > Identity Certificates, click Add, and under 'Add a new Identity certificate' click New to add a default key pair if one does not already exist, then click Generate Now.

Step 2: Allow only SSH version 2

Go to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Under SSH Settings, set 'Allowed SSH Version(s)' to 2 only, so that SSHv1 is no longer accepted. SSHv1 has known protocol weaknesses and is obsolete; later ASA releases no longer support it at all.

Step 3: Change the Diffie-Hellman key exchange group from 1 to 14

</gr_replreplace>
<gr_replace lines="24" cat="clarify" orig="Under SSH Settings, change the radio">
Under SSH Settings, change the 'DH Key Exchange' radio button from Group 1 to Group 14. Group 1 is a 1024-bit MODP group, which is considered too small against a well-resourced attacker; Group 14 is 2048-bit.

Remain in Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Under SSH Settings, change the radio toggle of 'DH Key Exchange' from Group 1 to Group 14.

Step 4: Lock down SSH access to the firewall

Remain in Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Under 'Specify the addresses of all hosts/networks which are allowed to access the ASA using ASDM/HTTPS/Telnet/SSH', add the static IPs of the devices or servers from which you will administer the firewall. Any host not listed here is refused an SSH connection by the ASA.

Click Add on the right.

Select the radio button next to SSH.

Select 'inside' as the interface (the interface on which the admin host's traffic arrives).

Enter the static IP of the device/server.

Enter 255.255.255.255 as the subnet mask, i.e. a /32 that matches only that single host.

Click OK.


Repeat for all remaining devices/servers. If remote administration is required, add the static outside IPs of those hosts as well, selecting 'outside' as the interface; do not add dynamic or broad ranges.

WARNING: If your firewall has a 0.0.0.0 'any' entry enabled, add your own static IP first and apply the change before deleting the 'any' entry. Otherwise your session will be disconnected and you can lock yourself out of remote management.

You may repeat Step 4 to restrict ASDM/HTTPS access in the same way, selecting the ASDM/HTTPS radio button instead of SSH.
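Every setting changed through ASDM in Steps 2 to 4 ends up as a line in the running configuration, and `show running-config ssh` lists them. The script below is an added example (not part of the original guide) that parses such an excerpt and reports which of the three hardening items are missing. The two excerpts are constructed for illustration: the addresses and interface names are made up, and the "weak" one mirrors the defaults the guide describes (no version pin, DH group 1, SSH open to any inside host). It accepts the `dh-group14-sha1` group the guide's Step 3 produces; newer ASA releases offer additional groups, so extend the acceptance logic if you run one of those.

```python
"""Audit the SSH lines of a Cisco ASA running-config against Steps 2-4.

Added example; not code from the original guide. The two config excerpts
are constructed for illustration (addresses and interface names are made
up). On a real ASA the same lines come from `show running-config ssh`.
"""
import ipaddress
import re

# Constructed "before" excerpt: no version pin (older releases then accept
# SSHv1 too), DH group 1 key exchange, and SSH open to every inside host.
WEAK_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
"""

# Constructed "after" excerpt: what ASDM writes once Steps 2-4 are applied,
# with two inside admin hosts and one static outside address, all /32.
HARDENED_CONFIG = """\
ssh 10.10.1.50 255.255.255.255 inside
ssh 10.10.1.51 255.255.255.255 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
"""

# "ssh <address> <netmask> <interface>" permits SSH from that source range.
SSH_HOST_RE = re.compile(
    r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)
WEAK_KEX_GROUPS = {"dh-group1-sha1"}


def parse_ssh_config(text):
    """Extract allowed versions, key-exchange group and permitted sources."""
    found = {"versions": None, "kex_group": None, "allowed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ssh version "):
            found["versions"] = sorted(line.split()[2:])
        elif line.startswith("ssh key-exchange group "):
            found["kex_group"] = line.split()[-1]
        else:
            m = SSH_HOST_RE.match(line)
            if m:
                net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
                found["allowed"].append((net, m.group(3)))
    return found


def audit_ssh(text):
    """Return a list of findings; an empty list means the excerpt passes."""
    cfg = parse_ssh_config(text)
    findings = []

    # Step 2: only SSHv2. A missing 'ssh version' line means the platform
    # default, which on older releases still accepts SSHv1.
    if cfg["versions"] != ["2"]:
        findings.append(
            f"ssh version is {cfg['versions'] or 'unset (default)'}: "
            "SSHv1 may be accepted; set 'ssh version 2'"
        )

    # Step 3: DH group 14 (2048-bit) instead of group 1 (1024-bit).
    if cfg["kex_group"] is None or cfg["kex_group"] in WEAK_KEX_GROUPS:
        findings.append(
            f"key exchange is {cfg['kex_group'] or 'unset (default)'}: "
            "set 'ssh key-exchange group dh-group14-sha1'"
        )

    # Step 4: per-host /32 entries, never 'any'.
    for net, iface in cfg["allowed"]:
        if net.prefixlen == 0:
            findings.append(
                f"SSH permitted from any host on '{iface}': remove the 0.0.0.0 0.0.0.0 entry"
            )
        elif net.prefixlen < 32:
            findings.append(
                f"SSH permitted from whole subnet {net} on '{iface}': prefer /32 host entries"
            )
    if not cfg["allowed"]:
        # The ASA refuses SSH unless a source is listed; flag it so an
        # accidental lockout is noticed rather than mistaken for hardening.
        findings.append("no 'ssh <host> <mask> <interface>' lines: nobody can SSH in; confirm that is intended")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_ssh(text) or ["no findings"]:
            print("  -", finding)
```

Paste the output of `show running-config ssh` into a file and feed it to `audit_ssh` to check a real device. The check on the 'any' entry is the one that matters most for the warning above: run the audit after adding your own /32 and before removing `ssh 0.0.0.0 0.0.0.0 inside`, so you can confirm your host is listed before the open entry goes away.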

3 Comments

  • Sonora
    alexthompson4 Oct 16, 2018 at 06:51pm

    Thank you for the guide! For accessing the ASA through SSH, what devices would you recommend connecting from (a server, etc) from a security standpoint?

  • Ghost Chili
    starg33ker Oct 16, 2018 at 06:56pm

    I only connect to the ASA from our Hyper-V host.

  • Sonora
    alexthompson4 Oct 16, 2018 at 07:02pm

    That's a good idea! I shall have to work on implementing it at my workplace.
