Enable Telnet and SSH access to Cisco ASA Firewall

Posted by May 31, 2021 in Cisco

In this article, we will discuss and configure Cisco ASA to accept Telnet and SSH requests. Cisco ASA Firewall can be managed either by Command Line Interface or Graphical User Interface. For GUI, you must install ASDM on your end device. First, we will configure the management interface then we will enable SSH & Telnet. Let’s start!

configure-telnet-ssh-on-cisco-asa-firewall

Management Interface configuration on Cisco ASA Firewall

I am assuming that you are having a fresh Cisco ASA device. You just need to connect with the Console Cable to get into the Command-Line of Cisco ASA for initial Configuration.

First, we will set up the Management Interface. It is required to take the console using SSH, Telnet, or ASDM. However, in case your device is in production or you have already configured Management Interface can skip this step.

ciscoasa# configure terminal
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# ip add 192.168.100.15 255.255.255.0
ciscoasa(config-if)# nameif mgmt
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

Enabling the SSH on Cisco ASA Firewall

Since Telenet communication is in plain text, so it is highly recommended to configure SSH. Once you access your device using SSH, all traffic from your management device to Cisco ASA will be in encrypted form. However, I’ll also configure Telnet for Device Management in the next session.

After the Management Interface configuration, now you need to define the Hostname and Domain name on Cisco ASA Firewall.

ciscoasa(config)# hostname ASA-IPTrainer
ASA-IPTrainer(config)# domain-name iptrainer.net

Now, you will need to generate the RSA Key since it is required by SSH. You can execute the below command to generate the RSA Keys:

Depending on key length, it will take some time to generate RSA Key Pair.

ASA-IPTrainer(config)# crypto key generate rsa modulus 2048
Keypair generation process begin. Please wait…

You need to define the network or IP addresses that can access Cisco ASA Firewall using SSH. You just need to execute the following command:

ASA-IPTrainer(config)# ssh 192.168.100.0 255.255.255.0 mgmt

This command will allow the SSH from any Host with an IP Address from the 192.168.100.0/24 subnet.

Recommended:  How to configure Static Routes on Cisco ASA Firewall

Finally, you will need to define the authentication method. In case you are using any AAA server, you need to tell the firewall to use them.

However, in this example, I’m using Local Database credentials. So, First, I’ll create local credentials, then I’ll tell the firewall to use Local credentials during the SSH authentication.

ASA-IPTrainer(config)# username iptrainer password iptra!ner privilege 15

Notice the command have LOCAL word in caps. It is case sensitive and it must be in caps.

ASA-IPTrainer(config)# aaa authentication ssh console LOCAL

To save your changes you need to execute the below command:

ASA-IPTrainer# write memory

We have finished with Cisco ASA Configuration. Now, you just need to open an ssh client like putty to access the Cisco ASA SSH console.

Recommended:  Configure Cisco ASA Firewall for ASDM Access

Enabling the Telnet on Cisco ASA Firewall

It is always recommended to enable SSH because it will encrypt the management traffic. On the other hand, the telnet traffic is in plain text, anyone can read it.

To enable the Telnet on Cisco ASA you need to configure the management interface that we have done in the initial configuration.

ASA-IPTrainer(config)# enable password IptraineR

You can restrict the access of Cisco ASA

Now, we will define the Local credentials that will be used during the login to Cisco ASA. You can execute the below command to define users on Cisco ASA Local Database.

ASA-IPTrainer(config)# username iptrainer password iptra!ner privilege 15

Now, tell the firewall to use Local Credentials during the Telnet authentication.

ASA-IPTrainer(config)# aaa authentication telnet console LOCAL

Unlike SSH configuration, we don’t need to configure Hostname and Domain name for Telnet access.

That’s it. We have done the configuration on Cisco ASA Firewall. Now we will take the telnet access of ASA Firewall using Telnet client such as putty, Linux terminal, etc.

Related Articles

Reference

Summary

In this article, we have enabled SSH and Telnet access to Cisco ASA Firewall. First, we have configured the management interface of the Cisco ASA Firewall. SSH uses RSA keys to encrypt the traffic, however, telnet communication is in plain text. It is always better to configure SSH. We have configured a local database for SSH and Telnet authentication. We can limit the Telnet and SSH communication by configuring the allowed IPs or network. Finally, we were able to take the SSH and Telnet of the Cisco ASA device. Although, we required a client application such as putty for Telnet and SSH access.

Recommended:  Automated backup from Palo Alto Networks Firewall without Panorama

Hope you like this article. In case you like this article, please share it on social media platforms by clicking the below links.

Also, if you have any issues during configuring Telnet and SSH, just comment in the comment box, I’ll respond to you as soon as possible.

Support our work:

If you appreciate what we do and would like to contribute to our efforts, we kindly ask you to consider buying us a coffee. Your small donation can go a long way in helping us cover the costs of hosting, maintenance, and further development.

Please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are always thankful for your never-ending support.

Leave a Reply

Your email address will not be published. Required fields are marked *