Configure SSH Access
Step 1
Create an RSA key
Generate an RSA key pair, which is required for SSH (for physical ASAs only).
Example:
ciscoasa(config)# crypto key generate rsa modulus 2048
This sets the size of the RSA modulus; the larger the value, the longer RSA key generation takes. Cisco recommends 2048.
The modulus value (in bits) is 512, 768, 1024, 2048, 3072, or 4096. The larger the key modulus size you specify, the longer it takes to generate an RSA key pair. We recommend a value of at least 2048.
Step 2
Save the RSA key
Save the RSA keys to persistent flash memory.
Example:
ciscoasa(config)# write memory
Step 3
Configure the SSH user's username, password, and privilege level
Create a user in the local database that can be used for SSH access. You can alternatively use an AAA server for user access, but a local username is recommended.
Example:
ciscoasa(config)# username admin password Far$cape1999 privilege 15
The default privilege level is 2. Privilege levels range from 0 to 15; the higher the level, the more privileges it grants.
Step 4
(Optional) Allow public key authentication for a user instead of, or in addition to, password authentication, and enter the public key on the ASA:
Example:
ciscoasa(config)# username admin attributes
ciscoasa(config-username)# ssh authentication pkf
Enter an SSH public key formatted file.
End with the word "quit" on a line by itself:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by xxx@xxx from OpenSSH"
---- END SSH2 PUBLIC KEY ----
quit
INFO: Import of an SSH public key formatted file SUCCEEDED.
Step 5
Configure local AAA authentication
(For password access) Enable local (or AAA server) authentication for SSH access:
Example:
ciscoasa(config)# aaa authentication ssh console LOCAL
Note the LOCAL keyword: do not type a lowercase l and press Tab. Type LOCAL in uppercase directly, or type an uppercase L and then press Tab.
Step 6
Configure the source addresses allowed to access SSH
Example:
ciscoasa(config)# ssh 192.168.3.0 255.255.255.0 inside
ciscoasa(config)# ssh X.X.X.0 255.255.255.0 outside // allow access from the outside network
Step 7
Set the SSH idle timeout
(Optional) Set how long an SSH session can be idle before the ASA disconnects it.
Example:
ciscoasa(config)# ssh timeout 30
The default is 5 minutes; the configurable range is 1 to 60 minutes.
Step 8
(Optional) Configure SSH cipher encryption algorithms:
ssh cipher encryption {all | fips | high | low | medium | custom colon-delimited_list_of_encryption_ciphers}
Example:
ciscoasa(config)# ssh cipher encryption custom 3des-cbc:aes128-cbc:aes192-cbc
Step 9
(Optional) Configure SSH cipher integrity algorithms:
ssh cipher integrity {all | fips | high | low | medium | custom colon-delimited_list_of_integrity_ciphers}
Example:
ciscoasa(config)# ssh cipher integrity custom hmac-sha1-96:hmac-md5
Step 10
(Optional) Set the Diffie-Hellman (DH) key exchange mode:
ssh key-exchange group {dh-group1-sha1 | dh-group14-sha1 | dh-group14-sha256}
Example:
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
The default is dh-group14-sha256.
Summary of the required configuration
ciscoasa(config)# crypto key generate rsa modulus 2048
ciscoasa(config)# write memory
ciscoasa(config)# username admin password Far$cape1999 privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.3.0 255.255.255.0 inside
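The optional steps above (source ACL, idle timeout, cipher, integrity and key-exchange choices) are where an SSH setup usually ends up weaker than intended, so here is an added Python audit, not part of this page or of Cisco's tooling, that scans the SSH-related commands and flags the weak choices. The sample input is constructed from the commands on this page, plus a deliberately open "ssh 0.0.0.0 0.0.0.0 outside" line; the weak-algorithm sets are the author's own assumptions.

```python
import re

# Constructed sample: the SSH-related commands from this page, plus an
# intentionally open "ssh 0.0.0.0 0.0.0.0 outside" line to exercise the check.
SAMPLE_CONFIG = """\
crypto key generate rsa modulus 2048
username admin password Far$cape1999 privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh cipher encryption custom 3des-cbc:aes128-cbc:aes192-cbc
ssh cipher integrity custom hmac-sha1-96:hmac-md5
ssh key-exchange group dh-group14-sha1
"""

# Assumed weak sets: 3DES is a 64-bit block cipher, MD5 HMACs are obsolete,
# dh-group1 is a 1024-bit group and dh-group14-sha1 relies on SHA-1 (the page
# states dh-group14-sha256 is the default).
WEAK_ENCRYPTION = {"3des-cbc"}
WEAK_INTEGRITY = {"hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"dh-group1-sha1", "dh-group14-sha1"}
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def audit_ssh_config(config: str) -> list:
    """Return human-readable findings for the SSH-related lines of an ASA config fragment."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if not any(ln.startswith("aaa authentication ssh console") for ln in lines):
        findings.append("missing 'aaa authentication ssh console': SSH logins are not tied to LOCAL/AAA")
    if not any(ln.startswith("ssh timeout") for ln in lines):
        findings.append("missing 'ssh timeout': idle sessions fall back to the 5-minute default")
    for ln in lines:
        if m := re.fullmatch(r"crypto key generate rsa modulus (\d+)", ln):
            if int(m.group(1)) < 2048:
                findings.append(f"RSA modulus {m.group(1)} is below the recommended 2048")
        elif m := re.fullmatch(rf"ssh {IPV4} {IPV4} (\S+)", ln):
            if m.group(2) == "0.0.0.0":  # a zero mask admits every source address
                findings.append(f"ssh access on '{m.group(3)}' is open to any source address")
        elif m := re.fullmatch(r"ssh cipher (encryption|integrity) custom (\S+)", ln):
            weak = WEAK_ENCRYPTION if m.group(1) == "encryption" else WEAK_INTEGRITY
            for alg in sorted(weak & set(m.group(2).split(":"))):
                findings.append(f"weak {m.group(1)} algorithm enabled: {alg}")
        elif m := re.fullmatch(r"ssh cipher (encryption|integrity) low", ln):
            findings.append(f"'ssh cipher {m.group(1)} low' selects the weakest built-in set")
        elif m := re.fullmatch(r"ssh key-exchange group (\S+)", ln):
            if m.group(1) in WEAK_KEX:
                findings.append(f"key exchange {m.group(1)} is weak; prefer dh-group14-sha256")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the output of `show running-config | include ssh` pasted into a file; "crypto key generate rsa" is an exec command and will not appear there, so the modulus check only fires on a saved command transcript.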