[Internet Back-End Technology -- Cisco Networking] Configuring SSH on an ASA Device

(2011-11-15 13:59:31)
Tags: cisco, asa, ssh, it

Category: Internet operations technology

The English text below is one excerpt from my reading notes on "Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance", which I wrote on the company intranet. It describes the basic configuration steps, and the points to watch, for enabling the SSH service on an ASA device. The original is pasted below.

About SSH on the ASA

SSH is the recommended way to connect to the security appliance for remote management because the data packets are encrypted by industry-standard algorithms such as 3DES and AES. The SSH implementation on the security appliance supports both version 1 and 2.

Before the SSH client and the Cisco ASA SSH server encrypt data, they go through an exchange of RSA security keys. These keys are used to ensure that an unauthorized user cannot look at the packet content. When a client tries to connect, the security appliance presents its public keys to the client. After receiving the keys, the client generates a random key and encrypts it, using the public key sent by the security appliance. These encrypted client keys are sent to the security appliance, which decodes them using its own private keys. This completes the key exchange phase, and the security appliance starts the user authentication phase.

To configure ssh on ASA follow these steps:

  • Step 1. Generate the RSA keys.

The SSH daemon on the security appliance uses the RSA keys to encrypt the sessions. You can use the crypto key generate rsa command from the CLI, as shown in the following output.

test(config)# crypto key generate rsa

INFO: The name for the keys will be: Keypair generation process begin. Please wait...

You can change the default modulus size, 1024 bits, to 512, 768, or 2048 bits. After the keys have been generated, you can view the public keys by using the show crypto key mypubkey rsa command:

test(config)# show crypto key mypubkey rsa
Key pair was generated at: 22:41:07 UTC Aug 21 2009
Key name: 
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b85a0c
7af04bc1 028c072e 4be49fad 29e7c8e2 9b1341cc e6ace229 2556b310 66a12627
05166501 30ca3360 e32307d7 31d2f839 7a36005e 0656cc36 4fa23aa5 7d9a3f09
fd5b35b2 cdf1b393 8e4ba10f 0752f2ec c29915cf f058945a 4ac11cd6 d46c72d7
a45766e1 851d1093 e1cd4a93 f222631f 6c51a55f e9ef229a 4481f719
55020301 0001

Editor's note: the key generated above is not visible in the configuration file.

  • Step 2. Enable SSH on an interface.

ASDM prompts you to select an interface name and specify the IP address/mask, similar to what was covered in the Telnet section. As shown in the following example, the security appliance is configured to accept SSH sessions from the mgmt network, 10.18.82.0/24:

test(config)# ssh 10.18.82.0 255.255.255.0 mgmt

Note: Unlike Telnet, Cisco ASA enables you to terminate SSH sessions on the outside interface. SSH sessions are already encrypted and do not require an IPSec tunnel.

After a client negotiates the security parameters, the security appliance prompts the user for authentication credentials. If the authentication is successful, the user is put into user access mode.

Note: If AAA settings or local user accounts are not used, the default username is pix and the password is cisco.

  • Step 3. Restrict the SSH version.

The security appliance can restrict a user to use either SSH version 1 (SSHv1) or SSH version 2 (SSHv2) when a connection is made. By default, the security appliance accepts both versions. SSHv2 is the recommended version because of its strong authentication and encryption capabilities. However, the security appliance does not provide support for the following SSHv2 features:

■ X11 forwarding
■ Port forwarding
■ Secure File Transfer Protocol (SFTP) support
■ Kerberos and AFS ticket passing
■ Data compression

In ASDM, select the SSH version from the Allowed SSH Version(s) dropdown menu, as shown in Figure 3-18. To set a specific SSH version via CLI, use the ssh version command, followed by the actual version of the shell.

Note: The security appliance must have the 3DES-AES feature set in the license to support SSHv2 sessions.

  • Step 4. Modify the idle timeout (optional).

Similar to the Telnet timeout, you can fine-tune the idle timeout value between 1 and 60 minutes. If the organizational security policy does not allow long idle connections, the idle timeout value can be changed to a lower value, such as 3 minutes, from its default value of 5 minutes.

  • Step 5. Monitor the SSH sessions.

As with Telnet sessions, you can monitor the SSH sessions by going to Monitoring > Properties > Device Access > ASDM/HTTPS/Telnet/SSH Sessions. This displays useful information such as the username, IP address of the client, encryption and hashing used, the current state of the connection, and the SSH version that is used. You can also use the show ssh sessions command from the CLI to get similar information.

If you would like to manually disconnect an active SSH session, click the Disconnect button. CLI admins can issue the ssh disconnect command followed by the session ID number.

  • Step 6. Enable secure copy (SCP).

You can use the SCP file transfer protocol to move files to the network device securely. It functions similarly to FTP but with the added advantage of data encryption. The security appliance can act as an SCP server to allow SSHv2 clients to copy files to Flash. Use the ssh scopy enable command as follows:

test(config)# ssh scopy enable

Note The SSH client must be SCP capable to be able to transfer files.
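As an added example (not from the book or from the original post), a short Python audit of the SSH lines in an ASA running-config fragment, checking the Step 2 source restrictions, the Step 3 version setting and the Step 4 idle timeout against the values given in the steps above. The config text and the policy threshold are constructed here for the example.

```python
"""Audit the SSH settings in a Cisco ASA running-config fragment.

Covers the knobs from the steps above: 'ssh <ip> <mask> <interface>'
source restrictions (Step 2), 'ssh version' (Step 3) and 'ssh timeout'
(Step 4). SAMPLE_CONFIG is constructed sample input, not a real device.
"""
import ipaddress

SAMPLE_CONFIG = """\
ssh 10.18.82.0 255.255.255.0 mgmt
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 3
ssh version 2
ssh scopy enable
"""

def parse_ssh_config(text):
    """Return the SSH settings, with the ASA defaults where a line is absent."""
    # version None = both SSHv1 and SSHv2 accepted; timeout default is 5 min
    cfg = {"sources": [], "timeout": 5, "version": None, "scopy": False}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "ssh":
            continue
        if parts[1] == "timeout" and len(parts) == 3:
            cfg["timeout"] = int(parts[2])
        elif parts[1] == "version" and len(parts) == 3:
            cfg["version"] = parts[2]
        elif parts[1] == "scopy":
            cfg["scopy"] = parts[2:3] == ["enable"]
        elif len(parts) == 4:  # ssh <ip> <netmask> <interface>
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            cfg["sources"].append((net, parts[3]))
    return cfg

def audit_ssh(text, max_idle_minutes=5):
    """Return a list of findings; an empty list means the fragment passes."""
    cfg = parse_ssh_config(text)
    findings = []
    if not cfg["sources"]:
        findings.append("no 'ssh <ip> <mask> <if>' line: SSH is not reachable")
    for net, iface in cfg["sources"]:
        if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 matches every source host
            findings.append(f"'ssh' on {iface} permits any source (0.0.0.0/0)")
    if cfg["version"] != "2":
        findings.append("'ssh version 2' not set: SSHv1 sessions still accepted")
    if not 1 <= cfg["timeout"] <= 60:
        findings.append(f"ssh timeout {cfg['timeout']} outside the 1-60 minute range")
    elif cfg["timeout"] > max_idle_minutes:
        findings.append(f"ssh timeout {cfg['timeout']} exceeds policy of {max_idle_minutes}")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```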
