Cisco ASA Remote Management – SSH/ASDM

By default, SSH, Telnet and HTTPS management access are all disabled on the ASA.

Before enabling any of them, the management interface of the device must already be configured, with something similar to:

ASA-JMCristobal# sh run interface Management0/0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.1.1.10 255.255.255.0

Enable SSH

Step 1 – Configure the RSA keys

ASA-JMCristobal(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…

Step 2 – Set up at least one local user

ASA-JMCristobal(config)# username MyUser password MyPass privilege 15

Step 3 – Specify that SSH sessions authenticate against the local ASA user database.

ASA-JMCristobal(config)# aaa authentication ssh console LOCAL

Step 4 – Enable SSH and allow connections only to the management interface from any IP address:

ASA-JMCristobal(config)# ssh 0.0.0.0 0.0.0.0 management

You can restrict SSH access to particular network segments or hosts; each network segment or host must be defined on a separate line. In the line above, "management" refers to the interface name (the value given with nameif), not the interface type/number.

Enable configuration by ASDM

ASDM is the GUI manager for the ASA.

Step 1 – Validate that a version of ASDM exists on the ASA

ASA-JMCristobal(config)# dir
Directory of disk0:/
805673907  -rw-  33696476     16:31:35 Nov 17 2020  asdm.bin
1 file(s) total size: 33696476 bytes
21475885056 bytes total (21285044224 bytes free/99% free)

If the file does not exist, upload a version compatible with the device via FTP, SCP or another supported protocol.

Step 2 – Configure at least one local user.

ASA-JMCristobal(config)# username MyUser password MyPass privilege 15

Step 3 – Specify that HTTP (ASDM) sessions authenticate against the local ASA user database.

ASA-JMCristobal(config)# aaa authentication http console LOCAL

Step 4 – Enable the HTTP server

ASA-JMCristobal(config)# http server enable

Step 5 – Allow HTTP connections only on the management interface, from any IP address:

ASA-JMCristobal(config)# http 0.0.0.0 0.0.0.0 management

You can restrict ASDM access to particular network segments or hosts; each network segment or host must be defined on a separate line. In the line above, "management" refers to the interface name (the value given with nameif), not the interface type/number.

All that remains is to browse to the IP address of the ASA, download the ASDM launcher from there, install it, and finally connect through that application.
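The SSH and ASDM procedures above both end with an access line that opens management from any source (0.0.0.0 0.0.0.0) and both warn that the last argument must be the nameif, not the interface type/number. The following is an added example, not part of the original post or any Cisco tool, that audits text in the format of show running-config output for exactly those two points: access lines that permit any source, access lines that name an interface by type/number instead of nameif, and access lines bound to an interface that is not management-only. The configuration text, the interface names and the address ranges are constructed for the example; the post's own lines (10.1.1.10/24 on Management0/0, nameif management) are reused.

```python
"""Audit Cisco ASA `ssh` / `http` management access lines.

Added example (not from the original post). Parses a running-config in the
same format as `show running-config` and returns one finding per problem.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample config: the post's management interface plus an
# outside interface and a few deliberately questionable access lines.
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
ssh 0.0.0.0 0.0.0.0 management
ssh 10.1.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 Management0/0
http 0.0.0.0 0.0.0.0 outside
"""

# `ssh <addr> <mask> <nameif>` or `http <addr> <mask> <nameif>`
ACCESS_RE = re.compile(
    r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its interface block (type/number, management-only flag)."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"ifname": line.split(None, 1)[1],
                       "management_only": False, "nameif": None}
        elif current is not None and line.startswith(" "):
            stripped = line.strip()
            if stripped == "management-only":
                current["management_only"] = True
            elif stripped.startswith("nameif "):
                current["nameif"] = stripped.split(None, 1)[1]
                interfaces[current["nameif"]] = current
        else:
            current = None  # "!" or any top-level command ends the block
    return interfaces


def audit_access(config: str) -> List[str]:
    """Return findings for ssh/http access lines that are too broad or misnamed."""
    interfaces = parse_interfaces(config)
    by_ifname = {v["ifname"]: nameif for nameif, v in interfaces.items()}
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, addr, mask, target = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if target not in interfaces:
            hint = by_ifname.get(target)
            if hint:
                findings.append(f"{line}: '{target}' is an interface type/number; "
                                f"the ASA expects the nameif '{hint}'")
            else:
                findings.append(f"{line}: unknown interface name '{target}'")
            continue
        if net.prefixlen == 0:
            findings.append(f"{line}: {proto} allowed from any source on "
                            f"'{target}'; restrict to admin subnets or hosts")
        if not interfaces[target]["management_only"]:
            findings.append(f"{line}: '{target}' is not a management-only interface")
    return findings


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports four findings: the any-source SSH line on management, the http line that uses Management0/0 instead of the nameif, and two for the http line on outside (any source, and not a management-only interface). The narrower `ssh 10.1.1.0 255.255.255.0 management` line passes, which is the shape the post recommends when you restrict access to specific segments. Note also that the post generates a 1024-bit RSA key; current ASA releases accept `crypto key generate rsa modulus 2048` and larger, which is what you would want for a new deployment.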
