
Enable Telnet and SSH access to Cisco ASA Firewall

In this article, we will discuss and configure Cisco ASA to accept Telnet and SSH requests. Cisco ASA Firewall can be managed by a Command Line Interface or Graphical User Interface. For GUI, you must install ASDM on your end device. First, we will configure the management interface and then enable SSH & Telnet. Let’s start!


Management Interface Configuration on Cisco ASA Firewall

I am assuming that you have a fresh Cisco ASA device. You can connect with the Console Cable to get into the command line of Cisco ASA for initial configuration.

First, we will configure the Management Interface, which is required to reach the device over SSH, Telnet, or ASDM. However, if your device is in production or you have already configured the Management Interface, skip this step.

ciscoasa# configure terminal
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# ip address 192.168.100.15 255.255.255.0
ciscoasa(config-if)# nameif mgmt
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

Enabling the SSH on the Cisco ASA Firewall

Since Telnet communication is in plain text, it is highly recommended to configure SSH. Once you access your device using SSH, all traffic from your management device to the Cisco ASA will be encrypted. However, I'll also configure Telnet for device management in the next section.

After the Management Interface configuration, you should define the Hostname and Domain name on the Cisco ASA Firewall.

ciscoasa(config)# hostname ASA-IPTrainer
ASA-IPTrainer(config)# domain-name iptrainer.net

Now, you will need to generate the RSA key pair, since SSH requires it. Depending on the key length, it will take some time to generate the RSA key pair. You can execute the command below to generate the RSA keys:

ASA-IPTrainer(config)# crypto key generate rsa modulus 2048
Keypair generation process begin. Please wait...

You should define the network or IP addresses that can access the Cisco ASA Firewall using SSH. You need to execute the following command:

ASA-IPTrainer(config)# ssh 192.168.100.0 255.255.255.0 mgmt

This command will allow SSH from any Host with an IP Address from the 192.168.100.0/24 subnet.

Finally, you will need to define the authentication method. If you are using an AAA server, you need to tell the firewall to use it.

However, in this example, I’m using Local Database credentials. First, I’ll create local credentials, and then, I’ll configure the firewall to use Local credentials during the SSH authentication.

ASA-IPTrainer(config)# username iptrainer password iptra!ner privilege 15

Notice that the next command has the word LOCAL in caps. It is case sensitive and must be in caps.

ASA-IPTrainer(config)# aaa authentication ssh console LOCAL

To save your configuration, you need to execute the below command:

ASA-IPTrainer# write memory

We have finished with the Cisco ASA Configuration. Now, you should open an SSH client like Putty to access the Cisco ASA SSH console.

Enabling the Telnet on the Cisco ASA Firewall

It is always recommended to enable SSH because it will encrypt the management traffic. On the other hand, the telnet traffic is in plain text, and anyone can read it.

To enable Telnet on Cisco ASA, you must first configure the management interface as we did in the earlier steps. Then set the enable password:

ASA-IPTrainer(config)# enable password IptraineR

You can restrict which hosts or networks are allowed Telnet access to the Cisco ASA.

Now, we will define the Local credentials that will be used during the login to Cisco ASA. You can execute the below command to define Cisco ASA Local Database users.

ASA-IPTrainer(config)# username iptrainer password iptra!ner privilege 15

Now, tell the firewall to use Local Credentials during the Telnet authentication.

ASA-IPTrainer(config)# aaa authentication telnet console LOCAL

Unlike SSH configuration, we don’t need to configure the Hostname and Domain name for Telnet access.

That's it. You can now access the ASA Firewall over Telnet using a Telnet client such as PuTTY or a Linux terminal.
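To review the result of the SSH and Telnet steps above, the following added example (not part of the original article) audits the management-access lines of a saved running configuration. It flags Telnet rules, overly wide source networks, and protocols with no matching `aaa authentication ... console` line. The sample configuration and the `min_prefix` policy threshold are constructed assumptions.

```python
import ipaddress
import re

# Matches access rules such as "ssh 192.168.100.0 255.255.255.0 mgmt"
RULE = re.compile(r"^(ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# Matches "aaa authentication ssh console LOCAL" (or an AAA server group name)
AAA = re.compile(r"^aaa authentication (ssh|telnet) console\s+(.+)$")


def audit_mgmt_access(config_text, min_prefix=24):
    """Return a list of findings for SSH/Telnet management access.

    min_prefix is an assumed local policy: the shortest acceptable
    prefix length for a management source network.
    """
    rules, aaa = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RULE.match(line)
        if m:
            proto, net, mask, iface = m.groups()
            rules.append((proto, ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
            continue
        m = AAA.match(line)
        if m:
            aaa.add(m.group(1))

    findings = []
    for proto, network, iface in rules:
        if proto == "telnet":
            findings.append(f"telnet allowed from {network} on {iface}: plain-text management")
        if network.prefixlen < min_prefix:
            findings.append(f"{proto} source {network} on {iface} is wider than /{min_prefix}")
    # Protocols that accept connections but have no console authentication line
    for proto in sorted({r[0] for r in rules} - aaa):
        findings.append(f"{proto} has access rules but no 'aaa authentication {proto} console' line")
    return findings


# Constructed sample, in the style of the article's configuration
SAMPLE = """\
hostname ASA-IPTrainer
ssh 192.168.100.0 255.255.255.0 mgmt
ssh 0.0.0.0 0.0.0.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt
aaa authentication ssh console LOCAL
"""

if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE):
        print(finding)
```

The SSH configuration from this article on its own (one /24 rule plus `aaa authentication ssh console LOCAL`) produces no findings.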


Summary

In this article, we have enabled SSH and Telnet access to the Cisco ASA Firewall. First, we configured the management interface of the Cisco ASA Firewall. SSH uses different cipher suites to encrypt the traffic, whereas Telnet communication is in plain text, so it is always better to configure SSH. We configured a local database for SSH and Telnet authentication. We can limit Telnet and SSH communication by configuring the allowed IPs or networks. Finally, we accessed the Cisco ASA device over SSH and Telnet, which requires a client application such as PuTTY.

I hope you like this article. If you like this article, please share it on social media platforms.

Also, if you have any issues while configuring Telnet and SSH, comment in the comment box, and I'll respond as soon as possible.


iptrainer.net is now firewallbuddy.com!