Cisco ASA – Allow Remote Management

KB ID 0000173 Dtd 14/06/12

Problem

Also See "Connecting to and Managing Cisco Firewalls"

And "Cisco ASA 5500 - Remote Management via VPN"

Quite a while ago I wrote the "Connecting to and managing Cisco firewalls" article, which is still pretty complete, but I've been asked on a few occasions, "How do I actually configure the firewall to allow remote administration via Telnet, SSH, or HTTPS/ASDM?

If you have no connection to the firewall, then you need to connect via console cable (CLICK HERE).

Solution

Cisco ASA Allow Telnet - Via Command Line

1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. Now you can either allow access for one machine, or a whole network, the syntax is "telnet {ip address} {subnet mask} {interface that its connected to}.

The following will just allow one host (192.168.1.10).

PetesASA(config)# PetesASA(config)#telnet 192.168.1.10 255.255.255.255 inside PetesASA(config)#

The following will just allow a whole network 192.168.1.1 to 254

PetesASA(config)# PetesASA(config)#telnet 192.168.1.0 255.255.255.0 inside PetesASA(config)#

3. To set the password you use the "passwd" command (yes that's spelled correctly).

PetesASA(config)#
PetesASA(config)# passwd PASSWORD123
PetesASA(config)#

4. By default the telnet session times out after 5 mins, I prefer to change this to 45 minutes.

PetesASA(config)#
PetesASA(config)# telnet timeout45
PetesASA(config)#

5. Lastly, save the changes with a "write mem" command.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

Allow Telnet - Via ASDM (version shown 6.4(7))

1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select Telnet > Supply the IP and subnet > OK. (Note you can set the timeout on this page also).

ASA Enable Telnet Access

Cisco ASA Allow SSH - Via Command Line

1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. Now you can either allow access for one machine, or a whole network, the syntax is "ssh {ip address} {subnet mask} {interface that its connected to}.

The following will just allow one external host (123.123.123.123).

PetesASA(config)# PetesASA(config)#ssh 192.168.1.10 255.255.255.255 outside PetesASA(config)#

The following will just allow a whole internal network 192.168.1.1 to 254

PetesASA(config)# PetesASA(config)#ssh 192.168.1.0 255.255.255.0 inside PetesASA(config)#

3. To set the password you use the "passwd" command (yes that's spelled correctly).

PetesASA(config)#
PetesASA(config)# passwd PASSWORD123
PetesASA(config)#

4. By default the SSH session times out after 5 mins, I prefer to change this to 45 minutes.

PetesASA(config)#
PetesASA(config)# ssh timeout45
PetesASA(config)#

5. To encrypt the SSH access you need to have a certificate on the firewall, (Note: this certificate is made from the firewall's host name and its domain, if you ever change either, the certificate will break, and SSH access will cease until the certificate is re-created). To create a key issue a "crypto key generate rsa" command.

PetesASA(config)# crypto key generate rsa mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
PetesASA(config)#

6. UPDATE Be aware, all ASA devices running an operating system of 8.4(2) or newer, you can NO LONGER LOG IN WITH A USERNAME OF PIX, and the telnet password, you HAVE TO define a username and password, then enable AAA Authentication for SSH.

PetesASA(config)# aaa authentication ssh console LOCAL
PetesASA(config)# username admin password Password123 privilege 15

7. Lastly, save the changes with a "write mem" command.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

Cisco ASA Allow SSH - Via ASDM (version shown 6.4(7))

1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select SSH > Supply the IP and subnet > OK. (Note you can set both the timeout, and the SSH versions you will accept, on this page also). Note you still need to generate the RSA Key (See step 5 above, good luck finding that in the ASDM - drop to command line and do it).

ASA Enable SSH Access

asdm configure telnet access

UPDATE Be aware, all ASA devices running an operating system of 8.4(2) or newer, you can NO LONGER LOG IN WITH A USERNAME OF PIX, and the telnet password, you HAVE TO define a username and password, then enable AAA Authentication for SSH.

Cisco ASA - Enable AAA for SSH (Local Database) ASDM version 6.4(7)

ASA 5500 Add user to local database

Cisco ASA - Add a User to the Local Database

ASA 5500 Add user to local database

Cisco ASA - Allow HTTPS/ASDM - Via Command Line

1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. Now you can either allow access for one machine or a whole network, the syntax is "http {ip address} {subnet mask} {interface that it's connected to}.

The following will just allow one host (192.168.1.10). 

 

PetesASA(config)#
PetesASA(config)#http 192.168.1.10 255.255.255.255 inside
PetesASA(config)#

The following will just allow a whole network 192.168.1.1 to 254

PetesASA(config)#
PetesASA(config)#http 192.168.1.0 255.255.255.0 inside
PetesASA(config)#

3. Unlike telnet and SSH, HTTPS/ADSM access is via the firewalls enable password (Unless you have enabled AAA logon). this password is set with the "enable password {password}" command. (Note: You will already have entered this password in step 1, only do this if you wish to change it).

PetesASA(config)#
PetesASA(config)# enable password PASSWORD123
PetesASA(config)#

4. You need to make sure that HTTPS access is enabled with a "http server enable" command.

PetesASA(config)#
PetesASA(config)# http server enable
PetesASA(config)#

Note: if your port forwarding https on your firewall you will NOT be able to get access externally unless you put it on a different port (i.e.1234).

PetesASA(config)#
PetesASA(config)# http server enable 1234
PetesASA(config)#

5. Lastly, save the changes with a "write mem" command.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

Cisco ASA - Allow HTTPS/ASDM - Via ASDM (version shown 6.4(7))

OK, the title of this might raise an eyebrow, but if you have access to the ASDM and you want to grant access to another IP/Network them you might want to do this. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select ASDM/HTTPS > Supply the IP and subnet > OK. (Note: You can also enable and disable the http Server here and change its port number).

ASA Enable SSH Access

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco ASA - Allow Remote Management over a VPN

Original Article Written 30/01/11

Author: Migrated

Share This Post On