Tuesday, July 20, 2010

PIX/ASA: SSH/Telnet Configuration Example


Network Diagram

This document uses this network setup:
[Network diagram: ssh-inside-out-pix7x-1.gif (one SSH host on the inside, one SSH host on the outside)]


SSH Access to the Security Appliance

Complete these steps in order to configure SSH access to the security appliance:

  1. SSH sessions always require a username and password for authentication. There are two ways to meet this requirement.
    Configure a username and password and use AAA:
    Syntax:

    pix(config)#username username password password
    pix(config)#aaa authentication {telnet | ssh | http | serial} console {LOCAL | server_group [LOCAL]}

    Note: If you use a TACACS+ or RADIUS server group for authentication, you can configure the security appliance to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name and then LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as on the AAA server, because the security appliance prompt gives no indication of which method is used.
    Example:

    pix(config)#aaa authentication ssh console TACACS+ LOCAL

    Note: You can alternatively use the local database as your main method of authentication with no fallback. In order to do this, enter LOCAL alone.
    Example:

    pix(config)#aaa authentication ssh console LOCAL

    OR
    Use the default username of pix and the default Telnet password of cisco. You can change the Telnet password with this command:

    pix(config)#passwd password

    Note: The password command can also be used in this situation. Both commands do the same thing.
  2. Generate an RSA key pair for the PIX Firewall, which is required for SSH:

    pix(config)#crypto key generate rsa modulus modulus_size

    Note: The modulus_size (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the RSA key pair. The value of 1024 is recommended.
    Note: The command used to generate an RSA key pair is different for PIX software versions earlier than 7.x. In earlier versions, a domain name must be set before you can create keys.
    Note: In multiple context mode, you must generate the RSA keys in every context. In addition, crypto commands are not supported in the system context.
  3. Specify the hosts allowed to connect to the security appliance.
    This command specifies the source address, netmask and interface of the host(s) allowed to connect with SSH. It can be entered multiple times for multiple hosts, networks, or interfaces. In this example, one host on the inside and one host on the outside are permitted.


    pix(config)#ssh 172.16.1.1 255.255.255.255 inside
    pix(config)#ssh 10.1.1.2 255.255.255.255 outside
  4. Optional: By default, the security appliance allows both SSH version 1 and version 2. Enter this command in order to restrict connections to a specific version:

    pix(config)#ssh version version_number

    Note: The version_number can be 1 or 2.
  5. Optional: By default, SSH sessions are closed after five minutes of inactivity. The timeout can be set to any value between 1 and 60 minutes:

    pix(config)#ssh timeout minutes
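As an added, defender-side example (not part of the original Cisco document), the Python script below reads a `show running-config` excerpt and checks it against steps 1, 3, 4 and 5 above: it extracts the AAA method list, the permitted SSH hosts, the SSH version and the idle timeout, and reports the weak spots this page describes (no AAA line, SSHv1 still accepted, an any-host `ssh 0.0.0.0 0.0.0.0` entry). The config text is constructed; the RSA key from step 2 does not appear in the running config and so is not checked.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
# The fourth ssh line deliberately allows any source host on the outside interface.
SAMPLE_CONFIG = """\
aaa authentication ssh console TACACS+ LOCAL
ssh 172.16.1.1 255.255.255.255 inside
ssh 10.1.1.2 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

# Matches the 'ssh <source> <netmask> <interface>' lines from step 3.
SSH_HOST_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def audit_ssh_config(config):
    """Extract the SSH settings from a config excerpt and list weak spots."""
    aaa = None          # step 1: AAA method list, None if the line is absent
    hosts = []          # step 3: (source, netmask, interface) tuples
    version = None      # step 4: None means the default, SSHv1 and SSHv2 both accepted
    timeout = 5         # step 5: default idle timeout in minutes
    for line in (l.strip() for l in config.splitlines()):
        m = SSH_HOST_RE.match(line)
        if m:
            hosts.append(m.groups())
        elif line.startswith("aaa authentication ssh console "):
            aaa = line.split()[4:]          # e.g. ['TACACS+', 'LOCAL'] or ['LOCAL']
        elif line.startswith("ssh version "):
            version = int(line.split()[2])
        elif line.startswith("ssh timeout "):
            timeout = int(line.split()[2])

    findings = []
    if aaa is None:
        findings.append("no 'aaa authentication ssh console' line: the default "
                        "username/password from step 1 applies")
    if version != 2:
        findings.append("ssh version not restricted to 2: SSHv1 is still accepted")
    if not hosts:
        findings.append("no 'ssh <host> <mask> <interface>' lines: no host may connect")
    for src, mask, iface in hosts:
        if mask == "0.0.0.0":
            findings.append(f"ssh {src} {mask} {iface}: any source host allowed on {iface}")
    return {"aaa": aaa, "hosts": hosts, "version": version,
            "timeout": timeout, "findings": findings}


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG)["findings"]:
        print("WARNING:", finding)
```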
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
