37-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter37 Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH
Examples
The following example shows how to generate RSA keys and let a host on the inside interface with an
address of 192.168.1.2 access the ASA:
hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write memory
hostname(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
hostname(config)# username exampleuser1 password examplepassword1
hostname(config)# ssh 192.168.1.2 255.255.255.255 inside
hostname(config)# ssh timeout 30
The following example shows how to allow all users on the 192.168.3.0 network to access the ASA on
the inside interface:
hostname(config)# ssh 192.168.3.0 255.255.255.0 inside
Using an SSH Client
In the SSH client on your management host, enter the username and password that you configured in the
“Configuring SSH Access” section on page 37-4. When starting an SSH session, a dot (.) is displayed on the
ASA console before the following SSH user authentication prompt appears:
hostname(config)# .
The display of the dot does not affect the functionality of SSH. The dot appears at the console when
generating a server key or decrypting a message using private keys during SSH key exchange before user
authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator
that verifies that the ASA is busy and has not hung.
Note If more than one SSH configuration session exists and the configuration operation is carried out through any
file operation (such as copy, tftp, config net, or a context mode config file), it is blocked with the response
"Command Ignored, configuration in progress...", even if it is a single CLI command. If the command is
entered directly at a command prompt, it is not blocked.
Command Purpose
Step 7 (Optional)
ssh version version_number
Example:
hostname(config)# ssh version 2
Limits access to SSH version 1 or 2. By default, SSH allows
both versions 1 and 2.
Step 8 ssh key-exchange {dh-group1 | dh-group14}
Example:
hostname(config)# ssh key-exchange dh-group14
Specifies whether Diffie-Hellman Group 1 or Diffie-Hellman
Group 14 is used for key exchange. Diffie-Hellman Group 1 is
the default if no value is specified.
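The SSH examples above and Steps 7 and 8 together describe the settings a reviewer would check on an ASA: an authentication source, the ssh host/mask/interface entries, the SSH version limit and the key-exchange group. The following added audit script (not from the guide or from Cisco) applies those checks to a constructed, hypothetical configuration excerpt written in the command forms shown on this page; the "asa-lab" hostname and the interface names are assumptions.

```python
"""Audit ASA SSH management-access settings against the defaults stated in the guide."""
import ipaddress
import re

# Constructed sample for illustration, not a real device configuration.
SAMPLE_CONFIG = """\
hostname asa-lab
aaa authentication ssh console LOCAL
ssh 192.168.1.2 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange dh-group1
"""

# Matches the 'ssh <ip> <mask> <interface>' form used in the examples above.
SSH_HOST_RE = re.compile(r"^ssh (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def audit_ssh_config(config: str) -> list[str]:
    """Return a list of findings for the SSH settings in an ASA configuration."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    if not any(line.startswith("aaa authentication ssh console") for line in lines):
        findings.append("no 'aaa authentication ssh console' line: SSH logins have no authentication source")

    # The guide states SSH accepts versions 1 and 2 unless 'ssh version 2' is configured.
    if "ssh version 2" not in lines:
        findings.append("SSH version not limited to 2 (default also accepts version 1)")

    # The guide states Diffie-Hellman Group 1 is the key-exchange default.
    if "ssh key-exchange dh-group14" not in lines:
        findings.append("key exchange uses dh-group1 (explicit or default); set 'ssh key-exchange dh-group14'")

    allowed = []
    for line in lines:
        match = SSH_HOST_RE.match(line)
        if not match:
            continue
        # Turn the dotted mask into a prefix so the size of the permitted range is visible.
        net = ipaddress.IPv4Network((match.group(1), match.group(2)), strict=False)
        allowed.append((net, match.group(3)))
        if net.prefixlen == 0:
            findings.append(f"ssh access from any host on interface {match.group(3)} ({net})")
        elif net.prefixlen < 24:
            findings.append(f"broad ssh access from {net} on interface {match.group(3)}")
    if not allowed:
        findings.append("no 'ssh <ip> <mask> <interface>' line: no host is permitted to connect")
    return findings
```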