A real-time session monitor for your firewall

Configuring ASA/PIX 7.x and above to Accept SSH Connections
If configuring from scratch, the first task is to generate an RSA public/private key pair, which is used to securely transfer the session key from the server to the client. The hostname and domain-name must be set before the PIX will allow you to generate the key pair.

To begin, log in to the Cisco ASA or PIX using the console or telnet, then enter enable mode and then configuration mode:

Percival> enable
1. Assign a hostname and domain name to the PIX. This is required to generate the RSA key set.

pixfirewall(config)# hostname percival
percival(config)# domain-name cisco.com
2. Generate an RSA key pair and save the keys to Flash memory.

percival(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
3. View your newly created RSA public key.

percival(config)# show crypto key mypubkey rsa
Key pair was generated at: 21:26:02 GMT/BDT Aug 19 2008
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
Key pair was generated at: 18:12:37 GMT/BDT Aug 19 2008
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 640
Key Data:
4. Specify which hosts are allowed to SSH to the PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.

percival(config)# ssh 192.168.111.7 255.255.255.255 inside
percival(config)# ssh timeout 60
5. Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session**.

percival(config)# enable password hArd2Gue$$
percival(config)# passwd Ace$$D3n13d

To exit configuration mode press [CTRL]-Z, then save the configuration to flash memory:

Percival# write memory

**Note: If you have previously configured a telnet password and enable password, you don't need to change them for SSH to work.
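As an added check after completing the steps above (example code written for this page, not GISS's or Cisco's), the following Python audits constructed `show crypto key mypubkey rsa` output and `ssh` configuration lines, modelled on the listings above, for RSA moduli below an assumed 2048-bit policy minimum, SSH permitted from any source address, and a missing idle timeout.

```python
import re

# Constructed sample output modelled on the page's listings; not captured from a real device.
SAMPLE_KEYS = """\
Key pair was generated at: 21:26:02 GMT/BDT Aug 19 2008
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key pair was generated at: 18:12:37 GMT/BDT Aug 19 2008
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 640
"""
SAMPLE_CONFIG = """\
ssh 192.168.111.7 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""
MIN_MODULUS_BITS = 2048  # assumed local policy, not a value from the page

def parse_rsa_keys(text: str) -> dict[str, int]:
    """Map each 'Key name' in show crypto key mypubkey rsa output to its modulus size."""
    keys, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"Key name:\s*(\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"Modulus Size \(bits\):\s*(\d+)", line)) and name:
            keys[name] = int(m.group(1))
    return keys

def audit_ssh_config(keys_text: str, config_text: str) -> list[str]:
    """Return findings: weak RSA moduli, SSH permitted from any host, no idle timeout."""
    findings = [f"weak RSA modulus {bits} bits: {name}"
                for name, bits in parse_rsa_keys(keys_text).items() if bits < MIN_MODULUS_BITS]
    timeout_set = False
    for line in config_text.splitlines():
        # "ssh <ip> <mask> <interface>": a 0.0.0.0 mask permits every source address
        if m := re.match(r"ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", line):
            if m.group(2) == "0.0.0.0":
                findings.append(f"ssh allowed from any host on {m.group(3)}")
        elif re.match(r"ssh timeout \d+$", line):
            timeout_set = True
    if not timeout_set:
        findings.append("ssh timeout not set (device default applies)")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_KEYS, SAMPLE_CONFIG):
        print(finding)
```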
© 2000-2008 GISS (UK) Ltd