The next part of the Linux Ubuntu series covers how to enable SSH from the box to the ASA, and only in this section will we set up the ASA before the Linux box. The reason is simple: we need SSH running on the ASA before we can SSH to the device from our Linux box. We use SSH rather than Telnet because Telnet transfers data in plain text, whereas SSH encrypts the session, making it much more secure. Telnet uses port 23; SSH uses port 22.
Cisco ASA SSH configuration
Step 1: Create username and password
ciscoasa(config)# username Ibraheem password routercoach privilege 15
Step 2: SSH key generation requires a domain name and a hostname
ciscoasa(config)# domain-name routercoach.com
ciscoasa(config)# hostname RC-ASA1
RC-ASA1(config)#
Step 3: Configure AAA so that SSH logins authenticate against the local user database
RC-ASA1(config)# aaa authentication ssh console LOCAL
Step 4: Generate SSH keys
RC-ASA1(config)# crypto key generate rsa modulus 1024
Step 5: Then we allow SSH on the MGMT interface (here from any source address, since 0.0.0.0 0.0.0.0 matches everything)
RC-ASA1(config)# ssh 0.0.0.0 0.0.0.0 MGMT
OK, these should be the only steps we need for the configuration on the ASA. Let's jump onto our Linux device. First, let's check that we have reachability to the ASA from our Linux box:
Cool – so we can ping the device. How about actually ssh’ing to the ASA:
Dayyum! But I think this is solvable. Basically, what's happening here is that the ASA offers the diffie-hellman-group1-sha1 key exchange, but the Linux box's SSH client doesn't have it enabled. Let's add diffie-hellman-group1-sha1 to our SSH client config file, which is found at /etc/ssh/ssh_config.
Other blogs might say you have to put this line in a specific part of the file – I just bang it in straight at the top.
Then save the file with Ctrl+X, press Y, and then Enter.
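As an added example (not code from the original post), here is a small Python audit that parses an ssh_config file and reports whether the legacy diffie-hellman-group1-sha1 key exchange is enabled for every host or only for the ASA; OpenSSH has disabled that 1024-bit group by default since 7.0, so a line at the top of the file re-enables it for every connection the box makes, while a Host block limits it to the ASA. It assumes the line added above is OpenSSH's KexAlgorithms directive, and the ASA name and address in the scoped sample are placeholders.

```python
import re

LEGACY_KEX = "diffie-hellman-group1-sha1"
GLOBAL = "*"  # directives before the first Host/Match line apply to every host
def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, [(keyword, value), ...]) sections;
    keywords are case-insensitive, 'Key value' or 'Key=value', '#' starts a comment."""
    sections = [((GLOBAL,), [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""]
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword in ("host", "match"):
            sections.append((tuple(value.split()), []))
        else:
            sections[-1][1].append((keyword, value))
    return sections

def legacy_kex_hosts(text, algo=LEGACY_KEX):
    """Return the Host patterns whose KexAlgorithms directive enables `algo`."""
    hosts = []
    for patterns, directives in parse_ssh_config(text):
        for keyword, value in directives:
            if keyword != "kexalgorithms" or value.startswith("-"):
                continue  # '-' removes algorithms; '+' appends, '^' prepends
            if algo in value.lstrip("+^").lower().split(","):
                hosts.extend(patterns)
    return hosts

def legacy_kex_is_global(text, algo=LEGACY_KEX):
    """True when `algo` is enabled for every host, not just the ASA."""
    return GLOBAL in legacy_kex_hosts(text, algo)

# Constructed sample: the post's approach, the line dropped at the top of the file
TOP_OF_FILE = """\
KexAlgorithms +diffie-hellman-group1-sha1   # added so we can reach the ASA
Host *
    SendEnv LANG LC_*
"""

# Constructed sample: same directive limited to the ASA (name and address are placeholders)
SCOPED = """\
Host *
    SendEnv LANG LC_*
Host rc-asa1 192.0.2.1
    KexAlgorithms +diffie-hellman-group1-sha1
"""
```

Run it against the real /etc/ssh/ssh_config (or ~/.ssh/config) with `legacy_kex_hosts(open(path).read())` to see which hosts the weak group is offered to.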
OK, let’s try the SSH thing again:
Looking great – but I forgot to set an enable password on the ASA. Let's do that now and try again.
And jump on the Linux device and try to SSH again:
So cool – we’ve managed to SSH to the ASA. Catch you in the next part.