Cisco ASA Remote Management – SSH/ASDM


By default, SSH, Telnet and HTTPS management are disabled.

First of all we must have configured the management interface of the equipment, something similar to:

ASA-JMCristobal# sh run interface Management0/0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.1.1.10 255.255.255.0

Enable SSH

Step 1 – Configure the RSA keys

ASA-JMCristobal(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…

Step 2 – Set up at least one local user

ASA-JMCristobal(config)# username MyUser password MyPass privilege 15

Step 3 – Define that authentication for SSH sessions uses the local ASA user database.

ASA-JMCristobal(config)# aaa authentication ssh console LOCAL

Step 4 – Enable SSH and allow connections only on the management interface, from any source IP address:

ASA-JMCristobal(config)# ssh 0.0.0.0 0.0.0.0 management

You can restrict SSH access to particular network segments or hosts; each network segment or host must be defined on a separate line. In the line above, management refers to the interface name (nameif), not the interface type/number.

Enable configuration via ASDM

ASDM is the GUI manager for the ASA.

Step 1 – Validate that a version of ASDM exists on the ASA

ASA-JMCristobal(config)# dir
Directory of disk0:/
805673907  -rw-  33696476     16:31:35 Nov 17 2020  asdm.bin
1 file(s) total size: 33696476 bytes
21475885056 bytes total (21285044224 bytes free/99% free)

If the file does not exist, upload a version compatible with the equipment via FTP, SCP, or other protocol.

Step 2 – Configure at least one local user.

ASA-JMCristobal(config)# username MyUser password MyPass privilege 15

Step 3 – Define that HTTP authentication uses the local ASA user database.

ASA-JMCristobal(config)# aaa authentication http console LOCAL

Step 4 – Enable the HTTP server

ASA-JMCristobal(config)# http server enable

Step 5 – Allow HTTP connections only on the management interface, from any source IP address:

ASA-JMCristobal(config)# http 0.0.0.0 0.0.0.0 management

You can restrict ASDM access to particular network segments or hosts; each network segment or host must be defined on a separate line. In the line above, management refers to the interface name (nameif), not the interface type/number.

Now all that remains is to log in through a web browser to the IP address of the ASA, download ASDM, install it and finally connect through that application.
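Once SSH and ASDM are enabled, it is worth checking the resulting configuration for the two things a reviewer would question: access lines that permit any source (the 0.0.0.0 0.0.0.0 form used above) and management exposed on an interface that is not the management-only one. The script below is an added example, not part of the original post; it parses a constructed running-config fragment modelled on the commands above and reports those cases, plus SSH or HTTP enabled without a matching aaa authentication line.

```python
import re
from ipaddress import IPv4Network

# Constructed running-config fragment (not from a real device): the management
# interface and SSH line from the post, plus an over-permissive ASDM/HTTP line.
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
aaa authentication ssh console LOCAL
ssh 10.1.1.0 255.255.255.0 management
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

# <ssh|http|telnet> <source-ip> <mask> <nameif>: the access lines the post configures
ACCESS_LINE = re.compile(r"^(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def management_only_nameifs(config):
    """Return the nameif of every interface block that carries 'management-only'."""
    names = set()
    for block in re.split(r"^(?=interface |!)", config, flags=re.M):
        nameif = re.search(r"^\s+nameif (\S+)$", block, re.M)
        if nameif and re.search(r"^\s+management-only$", block, re.M):
            names.add(nameif.group(1))
    return names

def audit_remote_management(config):
    """One finding per remote-management setting a defender would question."""
    findings, mgmt_ifs = [], management_only_nameifs(config)
    lines = [l.strip() for l in config.splitlines()]
    for m in filter(None, map(ACCESS_LINE.match, lines)):
        line, (proto, ip, mask, ifname) = m.group(0), m.groups()
        if IPv4Network(f"{ip}/{mask}", strict=False).prefixlen == 0:  # 0.0.0.0 0.0.0.0 = any source
            findings.append(f"{line}: {proto.upper()} allowed from any source address")
        if ifname not in mgmt_ifs:
            findings.append(f"{line}: {proto.upper()} exposed on non-management interface '{ifname}'")
    for proto in ("ssh", "http"):
        has_access = any(ACCESS_LINE.match(l) and l.startswith(proto + " ") for l in lines)
        has_aaa = any(l.startswith(f"aaa authentication {proto} console") for l in lines)
        if has_access and not has_aaa:
            findings.append(f"{proto.upper()} enabled without 'aaa authentication {proto} console'; "
                            "logins are not tied to the configured user accounts")
    return findings
```

Feed it the output of `show running-config` from the device; the SSH line in the sample passes, while the HTTP line produces three findings.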
