Config SSH and ASDM in Cisco ASA 5500 series

SSH Configuration Commands

Step 1: Set a domain name and create a local username and password

The domain name is combined with the hostname when the RSA key pair is generated in Step 4, so set it first. Privilege 15 gives the account full administrative rights; use a lower privilege level for accounts that only need read access.

(config)# domain-name hackandsecure.com
(config)# username hns1 password ******* privilege 15

Step 2: Enable SSH on the inside interface
(To restrict access to a single host, use a host mask, e.g. ssh 10.240.102.8 255.255.255.255 inside. A 255.255.255.0 mask admits the whole 10.240.102.0/24 subnet, not one host.)

(config)# ssh 0.0.0.0 0.0.0.0 inside

0.0.0.0 0.0.0.0 permits any source address that reaches the inside interface. It is convenient for the initial setup, but restrict it to the management subnet or host as soon as the basic setup works.

Step 3: Use LOCAL authentication for SSH
Note: LOCAL must be typed exactly as shown (upper case); it is the name of the built-in local user database.

(config)# aaa authentication ssh console LOCAL


Step 4: Create the RSA key pair

(config)# crypto key generate rsa general-keys modulus 2048

The SSH server will not accept connections until a key pair exists. A 1024-bit modulus is no longer considered adequate; use 2048 bits or more. While here, also set `ssh version 2` so that the insecure SSHv1 protocol is refused.

Step 5: Set an idle timeout for SSH sessions, for example 10 minutes, so that abandoned sessions are closed.
(config)# ssh timeout 10


ASDM Configuration Commands

Step 1: Using the `show version` command, verify that the ASDM image loaded matches the ASA software version (each ASDM release supports only specific ASA releases). `show asdm image` shows which ASDM image the ASA is configured to serve.


Step 2: Enable the HTTP server

(config)# http server enable
(config)# http 0.0.0.0 0.0.0.0 inside

As with SSH, 0.0.0.0 0.0.0.0 allows ASDM connections from any source on the inside interface; restrict it to the management subnet or host once ASDM is working.


Run `show run http` to verify that the HTTP server is enabled and to review the allowed source addresses.

Note: WebVPN (clientless SSL VPN and AnyConnect) listens on TCP 443, the same port ASDM uses. If WebVPN is enabled on the same interface, move the ASDM HTTP server to a different port, for example 4443, and connect to https://<asa-address>:4443 instead.

(config)# no http server enable
(config)# http server enable 4443

Step 3: Use LOCAL authentication for ASDM
Note: LOCAL must be typed exactly as shown (upper case); the ASA rejects variants such as locaL.

(config)# aaa authentication http console LOCAL


Step 4: Verify that the ASA is listening on the ASDM port (443, or 4443 if you changed it). `show asp table socket` lists the sockets the ASA is listening on, with the interface and port for each.

Step 5: Set an idle timeout for ASDM sessions, for example 10 minutes.
(config)# http server idle-timeout 10

Still unable to connect over SSH or ASDM?

• Check the SSL ciphers the ASA offers. The ASA negotiates only the suites listed in this command, and modern browsers and the ASDM launcher refuse RC4 outright, so make sure the AES suites are enabled:
(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

Leave rc4-sha1 and rc4-md5 out, and keep 3des-sha1 only if an old client still needs it. On ASA 9.3(2) and later this command is replaced by `ssl cipher`. For SSH, note that recent OpenSSH clients disable the SHA-1-based ssh-rsa host-key algorithm by default; if the client refuses to negotiate, read the client's error message and compare it with the algorithms your ASA release supports.
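The following script is an added example, not part of the original post: it audits the management-plane lines of an ASA running-config (the SSH steps, the ASDM steps and the cipher list above) offline and reports the weak settings that this page's initial commands leave behind. Both embedded configs are constructed for the example, not captured from a real firewall; the checks assume the pre-9.3 `ssl encryption` syntax used on this page and the `http server idle-timeout` form of the ASDM timeout.

```python
"""Audit the management-plane lines of a Cisco ASA running-config.

Parses 'show running-config' text offline; it never connects to a device.
"""
import re
from typing import List

# Constructed sample, not captured from a real firewall: roughly what this
# page's SSH/ASDM steps produce if the commands are typed as shown.
WEAK_CONFIG = """\
hostname asa
domain-name hackandsecure.com
username hns1 password <hash> encrypted privilege 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
aaa authentication http console LOCAL
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

# The same device after the hardening the checks below ask for (also constructed).
HARDENED_CONFIG = """\
hostname asa
domain-name hackandsecure.com
username hns1 password <hash> encrypted privilege 15
ssh 10.240.102.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
aaa authentication ssh console LOCAL
http server enable 4443
http server idle-timeout 10
http 10.240.102.0 255.255.255.0 inside
aaa authentication http console LOCAL
ssl encryption aes256-sha1 aes128-sha1
"""

# Suites modern browsers and the ASDM launcher refuse (RC4) or are phasing out (3DES).
WEAK_CIPHERS = {"rc4-sha1", "rc4-md5", "3des-sha1", "des-sha1", "null-sha1"}

# "ssh <addr> <mask> <interface>" and "http <addr> <mask> <interface>" lines
ACCESS_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.startswith("!")]
    present = set(lines)
    findings: List[str] = []

    # 1. Management access lists: 0.0.0.0 0.0.0.0 admits any source on that interface.
    for ln in lines:
        m = ACCESS_RE.match(ln)
        if m:
            proto, addr, mask, iface = m.groups()
            if mask == "0.0.0.0":
                findings.append(f"{proto}: any source permitted on {iface} "
                                f"({addr} {mask}); restrict to the management subnet")

    # 2. Local authentication must be bound to each service, with LOCAL in upper case.
    for proto in ("ssh", "http"):
        if f"aaa authentication {proto} console LOCAL" not in present:
            findings.append(f"{proto}: no 'aaa authentication {proto} console LOCAL'; "
                            "local usernames will not be used")

    # 3. SSH hygiene: protocol version and idle timeout.
    if "ssh version 2" not in present:
        findings.append("ssh: 'ssh version 2' not set; SSHv1 may still be accepted")
    if not any(ln.startswith("ssh timeout ") for ln in lines):
        findings.append("ssh: no idle timeout configured")

    # 4. ASDM reachability and idle timeout.
    if not any(ln.startswith("http server enable") for ln in lines):
        findings.append("http: server disabled; ASDM will not be reachable")
    if not any(ln.startswith("http server idle-timeout ") for ln in lines):
        findings.append("http: no idle timeout configured for ASDM sessions")

    # 5. TLS suites offered to ASDM/WebVPN clients (pre-9.3 'ssl encryption' syntax).
    for ln in lines:
        if ln.startswith("ssl encryption "):
            weak = sorted(WEAK_CIPHERS.intersection(ln.split()[2:]))
            if weak:
                findings.append("ssl: legacy ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against the output of `show running-config` saved to a file; the weak sample yields five findings (open source ranges for ssh and http, no `ssh version 2`, no ASDM idle timeout, RC4 and 3DES enabled) and the hardened sample yields none. The RSA modulus is not visible in the running-config; check it separately with `show crypto key mypubkey rsa`.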

