Configure Management Remote Access
This section describes how to configure ASA access for ASDM, Telnet, or SSH, and other management parameters such as a login banner.
Configure ASA Access for HTTPS, Telnet, or SSH
This section describes how to configure ASA access for HTTPS, including ASDM and CSM, Telnet, or SSH. See the following guidelines:
- To access the ASA interface for management access, you do not also need an access rule allowing the host IP address. You only need to configure management access according to the sections in this chapter. If, however, you configure HTTP redirect to redirect HTTP connections to HTTPS automatically, you must enable an access rule to allow HTTP; otherwise, the interface cannot listen on the HTTP port.
- Management access to an interface other than the one from which you entered the ASA is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection. See Configure Management Access Over a VPN Tunnel.
- The ASA allows:
  - A maximum of 5 concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts.
  - A maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided among all contexts.
  - In single context mode, a maximum of 30 concurrent ASDM sessions. In multiple context mode, a maximum of 5 concurrent ASDM sessions per context, with a maximum of 32 ASDM instances among all contexts.
    ASDM sessions use two HTTPS connections: one for monitoring, which is always present, and one for making configuration changes, which is present only while you make changes. For example, the multiple-context mode system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.
  - A maximum of 6 concurrent non-ASDM HTTPS sessions in single context mode or per context, if available, with a maximum of 100 HTTPS sessions among all contexts.
Configure HTTPS Access for ASDM, Other Clients
This section describes how to configure ASA access for HTTPS, including ASDM and CSM.
Before you begin
- In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, in the Configuration > Device List pane, double-click the context name under the active device IP address.
Procedure
Step 1: Choose , and click Add. The Add Device Access Configuration dialog box appears.
Step 2: Choose ASDM/HTTPS.
Step 3: Choose the management interface and set the host IP addresses allowed, and click OK. Specify any named interface. For bridge groups, specify the bridge group member interface.
Step 4: To require certificate authentication, in the Specify the interface requires client certificate to access ASDM area, click Add to specify the interface and an optional certificate map that must be matched for successful authentication. See to create the certificate map. For more information, see Configure ASDM Certificate Authentication.
Step 5: Configure HTTP Settings.
Step 6: Click Apply.
Configure SSH Access
This section describes how to configure ASA access for SSH. See the following guidelines:
- (8.4 and later) The SSH default username is no longer supported. You can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication by choosing ; then define a local user by choosing . If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
Before you begin
In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, in the Configuration > Device List pane, double-click the context name under the active device IP address.
Procedure
Step 1: Choose , and click Add. The Add Device Access Configuration dialog box appears.
Step 2: Choose SSH.
Step 3: Choose the management interface and set the host IP addresses allowed, and click OK. Specify any named interface. For bridge groups, specify the bridge group member interface.
Step 4: (Optional) Configure SSH Settings.
Step 5: Click Apply.
Step 6: Configure SSH user authentication.
Step 7: Generate a key pair (for physical ASAs only). For the ASAv, the key pairs are automatically created after deployment. The ASAv only supports the RSA key.
Step 8: (Optional) Configure SSH cipher encryption and integrity algorithms:
Examples
The following example generates an SSH key pair on a Linux or Macintosh system and imports the public key to the ASA:
- Generate the RSA public and private keys for 4096 bits on your computer:
    jcrichton-mac:~ john$ ssh-keygen -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/Users/john/.ssh/id_rsa):
    /Users/john/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase): pa$$phrase
    Enter same passphrase again: pa$$phrase
    Your identification has been saved in /Users/john/.ssh/id_rsa.
    Your public key has been saved in /Users/john/.ssh/id_rsa.pub.
    The key fingerprint is:
    c0:0a:a2:3c:99:fc:00:62:f1:ee:fa:f8:ef:70:c1:f9 john@jcrichton-mac
    The key's randomart image is:
    +--[ RSA 4096]----+
    | . |
    | o . |
    |+... o |
    |B.+..... |
    |.B ..+ S |
    | = o |
    | + . E |
    | o o |
    | ooooo |
    +-----------------+
- Convert the key to PKF format:
    jcrichton-mac:~ john$ cd .ssh
    jcrichton-mac:.ssh john$ ssh-keygen -e -f id_rsa.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by john@jcrichton-mac from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDNUvkgza37lB/Q/fljpLAv1BbyAd5PJCJXh/U4LO
    hleR/qgIROjpnDaS7Az8/+sjHmq0qXC5TXkzWihvRZbhefyPhPHCi0hIt4oUF2ZbXESA/8
    jUT4ehXIUE7FrChffBBtbD4d9FkV8A2gwZCDJBxEM26ocbZCSTx9QC//wt6E/zRcdoqiJG
    p4ECEdDaM+56l+yf73NUigO7wYkqcrzjmI1rZRDLVcqtj8Q9qD3MqsV+PkJGSGiqZwnyIl
    QbfYxXHU9wLdWxhUbA/xOjJuZ15TQMa7KLs2u+RtrpQgeTGTffIh6O+xKh93gwTgzaZTK4
    CQ1kuMrRdNRzza0byLeYPtSlv6Lv6F6dGtwlqrX5a+w/tV/aw9WUg/rapekKloz3tsPTDe
    p866AFzU+Z7pVR1389iNuNJHQS7IUA2m0cciIuCM2we/tVqMPYJl+xgKAkuHDkBlMS4i8b
    Wzyd+4EUMDGGZVeO+corKTLWFO1wIUieRkrUaCzjComGYZdzrQT2mXBcSKQNWlSCBpCHsk
    /r5uTGnKpCNWfL7vd/sRCHyHKsxjsXR15C/5zgHmCTAaGOuIq0Rjo34+61+70PCtYXebxM
    Wwm19e3eH2PudZd+rj1dedfr2/IrislEBRJWGLoR/N+xsvwVVM1Qqw1uL4r99CbZF9NghY
    NRxCQOY/7K77IQ==
    ---- END SSH2 PUBLIC KEY ----
    jcrichton-mac:.ssh john$
- Copy the key to your clipboard.
- In ASDM, choose , select the username, and then click Edit. Click Public Key Using PKF and paste the key into the window:
- Verify that the user can SSH to the ASA. For the password, enter the passphrase you specified when you created the key pair.
    jcrichton-mac:.ssh john$ ssh test@10.86.118.5
    The authenticity of host '10.86.118.5 (10.86.118.5)' can't be established.
    RSA key fingerprint is 39:ca:ed:a8:75:5b:cc:8e:e2:1d:96:2b:93:b5:69:94.
    Are you sure you want to continue connecting (yes/no)? yes
The following dialog box appears for you to enter your passphrase:
Meanwhile, in the terminal session:
    Warning: Permanently added '10.86.118.5' (RSA) to the list of known hosts.
    Identity added: /Users/john/.ssh/id_rsa (/Users/john/.ssh/id_rsa)
    Type help or '?' for a list of available commands.
    asa>
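The PKF text that ssh-keygen -e produces above is RFC 4716: a base64 blob in SSH wire format (type string, then the mpints e and n). This added example, not part of the Cisco guide, builds and parses that format for a constructed RSA key, computes the colon-separated MD5 fingerprint that the ssh-keygen session prints (so the key pasted into ASDM can be compared with the one generated), and flags keys that are not RSA or are below a chosen modulus size; the helper names and the 4096-bit minimum are this example's own choices.

```python
# Added example (not Cisco code): RFC 4716 "PKF" public-key encode/parse.
import base64
import hashlib
import struct

def _mpint(value: int) -> bytes:
    """Encode an SSH mpint: big-endian, with a 0x00 pad byte if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def rsa_pkf(e: int, n: int, comment: str) -> str:
    """Render an RSA public key as RFC 4716 text, the format ASDM imports as PKF."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)  # type string, e, n
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]   # wrap like ssh-keygen does
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *lines, "---- END SSH2 PUBLIC KEY ----"]) + "\n"

def parse_pkf(text: str) -> dict:
    """Parse RFC 4716 text into key type, e, modulus size and the MD5 colon fingerprint."""
    body = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----") or ":" in line:  # boundary or header (e.g. Comment:)
            continue                                 # single-line headers only
        body.append(line)
    blob = base64.b64decode("".join(body))
    fields, pos = [], 0
    while pos < len(blob):                           # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    n = int.from_bytes(fields[2], "big")   # a leading pad byte does not change the value
    md5 = hashlib.md5(blob).hexdigest()    # fingerprint as printed by older ssh-keygen
    return {"type": fields[0].decode(), "e": int.from_bytes(fields[1], "big"),
            "bits": n.bit_length(),
            "fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def check_key(info: dict, min_bits: int = 4096) -> list:
    """Return the reasons a parsed key should not be imported (empty list = OK)."""
    problems = []
    if info["type"] != "ssh-rsa":
        problems.append("not an RSA key")   # the ASAv supports only RSA keys
    if info["bits"] < min_bits:
        problems.append(f"modulus is {info['bits']} bits, want >= {min_bits}")
    return problems
```

Feed the file written by ssh-keygen -e to parse_pkf and compare the fingerprint with the one shown at generation time before pasting the key into ASDM.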
Configure Telnet Access
This section describes how to configure ASA access for Telnet. You cannot use Telnet to the lowest security interface unless you use Telnet inside a VPN tunnel.
Before you begin
- In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, in the Configuration > Device List pane, double-click the context name under the active device IP address.
- To gain access to the ASA CLI using Telnet, enter the login password. You must manually set the password before using Telnet.
Procedure
Step 1: Choose , and click Add. The Add Device Access Configuration dialog box appears.
Step 2: Choose Telnet.
Step 3: Choose the management interface and set the host IP addresses allowed, and click OK. Specify any named interface. For bridge groups, specify the bridge group member interface.
Step 4: (Optional) Set the Telnet Timeout. The default timeout value is 5 minutes.
Step 5: Click Apply.
Step 6: Set a login password before you can connect with Telnet; there is no default password.
Configure HTTP Redirect for ASDM Access or Clientless SSL VPN
You must use HTTPS to connect to the ASA using ASDM or clientless SSL VPN. For your convenience, you can redirect HTTP management connections to HTTPS. For example, by redirecting HTTP, you can enter either http://10.1.8.4/admin/ or https://10.1.8.4/admin/ and still arrive at the ASDM launch page at the HTTPS address.
You can redirect both IPv4 and IPv6 traffic.
Before you begin
Normally, you do not need an access rule allowing the host IP address. However, for HTTP redirect, you must enable an access rule to allow HTTP; otherwise, the interface cannot listen on the HTTP port.
Procedure
Step 1: Choose . The table shows the currently configured interfaces and whether redirection is enabled on an interface.
Step 2: Select the interface that you use for ASDM, and click Edit.
Step 3: Configure the following options in the Edit HTTP/HTTPS Settings dialog box:
Step 4: Click OK.
Configure Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you must identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.
Note: For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.
VPN access to an interface other than the one from which you entered the ASA is not supported. For example, if your VPN access is located on the outside interface, you can only initiate a connection directly to the outside interface. You should enable VPN on the directly-accessible interface of the ASA and use name resolution so that you don’t have to remember multiple addresses.
Management access is available via the following VPN tunnel types: IPsec clients, IPsec Site-to-Site, Easy VPN, and the AnyConnect SSL VPN client.
Before you begin
Due to routing considerations with the separate management and data routing tables, the VPN termination interface and the management access interface need to be the same type: both need to be management-only interfaces or regular data interfaces.
Procedure
Step 1: Choose .
Step 2: Choose the interface with the highest security (the inside interface) from the Management Access Interface drop-down list. Bridge group interfaces are not supported.
Step 3: Click Apply. The management interface is assigned, and the change is saved to the running configuration.
Change the Console Timeout
The console timeout sets how long a connection can remain in privileged EXEC mode or configuration mode; when the timeout is reached, the session drops into user EXEC mode. By default, the session does not time out. This setting does not affect how long you can remain connected to the console port, which never times out.
Procedure
Step 1: Choose .
Step 2: Define a new timeout value in minutes. To specify an unlimited amount of time, enter 0. The default value is 0.
Step 3: Click Apply. The timeout value change is saved to the running configuration.
Customize a CLI Prompt
The ability to add information to the prompt lets you see at a glance which ASA you are logged into when you have multiple units. During a failover, this feature is useful when both ASAs have the same hostname.
In multiple context mode, you can view the extended prompt when you log in to the system execution space or the admin context. Within a non-admin context, you only see the default prompt, which is the hostname and the context name.
By default, the prompt shows the hostname of the ASA. In multiple context mode, the prompt also displays the context name. You can display the following items in the CLI prompt:
- cluster-unit: Displays the cluster unit name. Each unit in a cluster can have a unique name.
- context: (Multiple mode only) Displays the name of the current context.
- domain: Displays the domain name.
- hostname: Displays the hostname.
- priority: Displays the failover priority as pri (primary) or sec (secondary).
- state: Displays the traffic-passing state or role of the unit. For failover, the following values are displayed for the state keyword:
  For clustering, the values control and data are shown.
Procedure
Step 1: Choose .
Step 2: Do any of the following to customize the prompt:
  The prompt is changed and appears in the CLI Prompt Preview field.
Step 3: Click Apply. The new prompt is saved to the running configuration.
Configure a Login Banner
You can configure a message to display when a user connects to the ASA, before a user logs in, or before a user enters privileged EXEC mode.
Before you begin
- From a security perspective, it is important that your banner discourage unauthorized access. Do not use the words "welcome" or "please," as they appear to invite intruders in. The following banner sets the correct tone for unauthorized access:
    You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
- After a banner has been added, Telnet or SSH sessions to the ASA may close if:
  - There is not enough system memory available to process the banner message(s).
  - A TCP write error occurs when trying to display banner message(s).
- See RFC 2196 for guidelines about banner messages.
Procedure
Step 1: Choose .
Step 2: Add your banner text to the field for the type of banner that you are creating for the CLI:
Step 3: Click Apply. The new banner is saved to the running configuration.
Set a Management Session Quota
You can establish a maximum number of simultaneous ASDM, SSH, and Telnet sessions that are allowed on the ASA. If the maximum is reached, no additional sessions are allowed and a syslog message is generated. To prevent a system lockout, the management session quota mechanism cannot block a console session.
Before you begin
In multiple context mode, complete this procedure in the System execution space. To change from a context to the System configuration, in the Configuration > Device List pane, double-click System under the active device IP address.
Procedure
Step 1: Choose .
Step 2: Enter the maximum number of simultaneous ASDM, SSH, and Telnet sessions that are allowed on the ASA. Valid values range from 0 to 10000.
Step 3: Click Apply to save the configuration changes.