TELNET and SSH on Adaptive Security Appliance (ASA)

Last Updated : 15 Mar, 2023
Prerequisite – Adaptive security appliance (ASA)
A user can take management access of a device through the console, or remotely by using Telnet or SSH. In the same way, the ASA (Adaptive Security Appliance) CLI can be accessed through the console or by using Telnet or SSH, and GUI access can be taken through ASDM (a tool).

1. Telnet on ASA:
Telnet is an application layer protocol that uses TCP port number 23. It is used to remotely access a device, but it is less used because it is less secure: the packets exchanged between the client and the server are in cleartext.
If we want to configure Telnet on ASA, 3 steps have to be followed.

  • Enable Telnet services –
    By default, a login password is configured on ASA as “cisco”. If we want to change it, use the command:
asa(config)#password GeeksforGeeks

Or the equivalent command:

asa(config)#passwd GeeksforGeeks

Where GeeksforGeeks is the password we have set.

  • Assign the IP addresses that can initiate a Telnet connection –
    On a router, if we have enabled telnet services and not applied any ACL, any IP address can make a telnet connection to the router. On ASA, however, we have to explicitly assign the IP addresses that may use the telnet service of the ASA.
    It can be done by the command:
asa(config)#telnet {source_IP_address} {subnet_mask} {source_interface}

Here, we first mention the {source_IP_address} from which the ASA will accept a telnet connection. It can be a single IP address or a whole network. Then comes the subnet mask of {source_IP_address}. Finally, we mention {source_interface}: the interface of the ASA on which the ASA will expect the telnet connection to arrive.

  • Set telnet timeout – 
    It is the time for which the telnet session can be idle before the ASA terminates the session. It can range from 1 to 2440 minutes. The default timeout is 5 minutes. 
    The command used for it is: 
asa(config)#telnet timeout {minutes} 

Limitations –
When the ASA has more than one interface configured, it does not allow telnet from the interface having the lowest security level.

Configuration example –

Here is a small topology in which three routers, namely Router1 (IP address 10.1.1.1/24), Router2 (IP address 10.1.2.1/24) and Router3 (IP address 10.1.3.1/24), are connected to the ASA (IP address 10.1.1.2/24 on the INSIDE interface with security level 100, IP address 10.1.2.2/24 on the OUTSIDE interface with security level 0, and 10.1.3.2/24 on the DMZ interface with security level 50).

In this task, we will allow telnet on all interfaces (INSIDE, OUTSIDE, DMZ) from Router1 (10.1.1.1/24), Router2 (10.1.2.1/24) and Router3 (10.1.3.1/24) respectively.
Assuming that the IP addressing has already been done on all routers and the ASA, we now enable telnet for all the routers’ IP addresses on the ASA and set the password to GeeksforGeeks.

asa(config)#password GeeksforGeeks
asa(config)#telnet 10.1.1.1 255.255.255.255 INSIDE
asa(config)#telnet timeout 10
asa(config)#telnet 10.1.2.1 255.255.255.255 OUTSIDE
asa(config)#telnet timeout 10
asa(config)#telnet 10.1.3.1 255.255.255.255 DMZ
asa(config)#telnet timeout 10

Then telnet to the ASA from a router by using the command:

Router#telnet {ASA_interface_IP_address}

Example –  

Router1#telnet 10.1.1.2

Similarly on Router2 and Router3.
In this scenario, Router1 and Router3 will be able to telnet to the ASA, but Router2 will not, because the ASA interface it reaches (OUTSIDE) has the lowest security level.

Note –
If we want to use the local database of the ASA for telnet login, we first have to create a local user with the command:

asa(config)#username Cisco password GeeksforGeeks

And then force the ASA to use the local database for login with the command:

asa(config)#aaa authentication telnet console LOCAL

Note that LOCAL is case-sensitive.

2. SSH on ASA:
SSH is an application layer protocol used to take remote access to a device. It uses TCP port number 22 and is more secure than Telnet because its packets are encrypted.
SSH is configured in much the same way as telnet, but the commands are different.

To enable SSH on ASA, follow these steps:

  • Enable SSH services –
    To enable SSH on ASA, first generate the crypto key with the command:
asa(config)#crypto key generate rsa modulus {modulus_value}

After generating the crypto key, create a local user on the ASA with the command:

asa(config)#username cisco password GeeksforGeeks

Where cisco is the username and GeeksforGeeks is the password.

  • Specify the IP addresses of the devices that can access the ASA over ssh –
    Just like with Telnet, we have to allow the IP addresses that may access the ASA through ssh. It can be done by the command:
asa(config)#ssh {source_IP_address} {subnet_mask} {source_interface}

Here, we first mention the {source_IP_address} from which the ASA will accept an ssh connection. Then comes the subnet mask of {source_IP_address}. Finally, we mention {source_interface}: the interface of the ASA on which the ASA will expect the ssh traffic to arrive.

  • Set SSH timeout – 
    It is the time for which the ssh session can be idle before the ASA terminates the session. It can range from 1 to 2440 minutes. The default timeout is 5 minutes. 
    The command used for it is: 
asa(config)#ssh timeout {minutes} 

If we want to use the local database for ssh login, use the command:

asa(config)#aaa authentication ssh console LOCAL

Configuration example –  

Using the same topology, three routers, namely Router1 (IP address 10.1.1.1/24), Router2 (IP address 10.1.2.1/24) and Router3 (IP address 10.1.3.1/24), are connected to the ASA (IP address 10.1.1.2/24 on the INSIDE interface with security level 100, IP address 10.1.2.2/24 on the OUTSIDE interface with security level 0, and 10.1.3.2/24 on the DMZ interface with security level 50).

In this task, we will allow ssh on the INSIDE and DMZ interfaces from Router1 (10.1.1.1/24) and Router3 (10.1.3.1/24) respectively.
Assuming that the IP addressing has already been done on all routers and the ASA, we now enable ssh for these routers’ IP addresses on the ASA, with the username saurabh and the password GeeksforGeeks.

asa(config)#crypto key generate rsa modulus 1024
asa(config)#username saurabh password GeeksforGeeks
asa(config)#aaa authentication ssh console LOCAL
asa(config)#ssh 10.1.1.1 255.255.255.255 INSIDE
asa(config)#ssh 10.1.3.1 255.255.255.255 DMZ
asa(config)#ssh timeout 10

Then SSH to the ASA from Router1 by using the command:

Router1#ssh -l saurabh 10.1.1.2

And SSH to the ASA from Router3 by using the command:

Router3#ssh -l saurabh 10.1.3.2

Both will be able to ssh to the ASA: SSH has no security-level restriction like the one that applies to telnet.

TELNET and SSH are both network protocols used to establish a remote connection to a device such as the Adaptive Security Appliance (ASA).

TELNET is an older protocol that allows for unsecured remote access to a device’s command line interface (CLI). It sends data in plain text format, which makes it susceptible to interception and snooping by unauthorized individuals. For this reason, it is recommended to use SSH instead of TELNET whenever possible.

SSH, on the other hand, is a more secure protocol that provides encrypted remote access to a device’s CLI. It uses cryptographic techniques to protect the data exchanged between the client and the server, making it less vulnerable to interception and unauthorized access. By default, the ASA uses SSH version 2 for encrypted remote access.

To configure TELNET or SSH access on the ASA, you need to first configure the relevant access control lists (ACLs) to allow traffic to and from the desired hosts. Next, you need to enable TELNET or SSH on the ASA and configure the relevant parameters, such as the port number and authentication method.

Here are the basic steps to enable TELNET or SSH access on the ASA:

  • Configure an ACL to permit TELNET or SSH traffic to the ASA. For example:

access-list outside_access_in permit tcp any host <ASA IP address> eq telnet
access-list outside_access_in permit tcp any host <ASA IP address> eq ssh

  • Enable TELNET or SSH on the ASA, naming the permitted source, its mask and the interface it arrives on. For TELNET:

telnet {source_IP_address} {subnet_mask} {source_interface}

For SSH:

ssh {source_IP_address} {subnet_mask} {source_interface}

  • Configure the TELNET or SSH parameters. For example, to set the SSH port to 2222:

ssh version 2
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group14-sha1
ssh authentication-retries 3
ssh port 2222

  • Configure authentication for TELNET or SSH. You can use local usernames and passwords, or integrate with an external authentication server such as RADIUS or TACACS+.

  • It is generally recommended to use SSH instead of TELNET for remote access to the ASA, as SSH provides better security and encryption.

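As an added example (not from the article and not Cisco's own tooling), here is a small Python audit that applies the rules described in both the Telnet and SSH sections above and in the summary: it parses the `nameif`/`security-level`, `telnet`, `ssh`, `telnet timeout`/`ssh timeout` and `aaa authentication ... console LOCAL` lines of a saved ASA configuration, decides whether a given source address arriving on a given interface would be accepted (including the rule that telnet is refused on the interface with the lowest security level), and flags weak settings such as the summary's `ssh 0.0.0.0 0.0.0.0 outside`. The sample configuration, the physical interface names (GigabitEthernet0/x) and the 10-minute idle limit are constructed assumptions, not taken from a real device.

```python
"""Audit ASA management-access (telnet/ssh) lines. Added example, not from the
article or Cisco. Assumes a plain-text ASA config in the article's syntax."""
import ipaddress
import re
from dataclasses import dataclass, field

MAX_IDLE_MINUTES = 10  # assumed local policy; the article's examples use 10

RULE_RE = re.compile(r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")
AAA_RE = re.compile(r"^aaa\s+authentication\s+(telnet|ssh)\s+console\s+LOCAL$")
PROMPT_RE = re.compile(r"^\S*\(config\)#\s*")  # strips a pasted "asa(config)#"


@dataclass
class AccessRule:
    proto: str                      # "telnet" or "ssh"
    network: ipaddress.IPv4Network  # permitted source host or network
    interface: str                  # nameif the session must arrive on


@dataclass
class MgmtConfig:
    security_levels: dict = field(default_factory=dict)  # nameif -> level
    rules: list = field(default_factory=list)            # AccessRule entries
    timeouts: dict = field(default_factory=dict)         # proto -> idle minutes
    local_auth: set = field(default_factory=set)         # protos using LOCAL db


def parse_config(text: str) -> MgmtConfig:
    """Collect interface security levels and telnet/ssh access settings."""
    cfg = MgmtConfig()
    nameif = None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            cfg.security_levels[nameif] = int(line.split()[1])
        elif (m := TIMEOUT_RE.match(line)):
            cfg.timeouts[m.group(1)] = int(m.group(2))
        elif (m := RULE_RE.match(line)):
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg.rules.append(AccessRule(m.group(1), net, m.group(4)))
        elif (m := AAA_RE.match(line)):
            cfg.local_auth.add(m.group(1))
    return cfg


def access_allowed(cfg: MgmtConfig, proto: str, src_ip: str, interface: str) -> bool:
    """True if a `proto` session from src_ip arriving on `interface` is accepted."""
    src = ipaddress.IPv4Address(src_ip)
    if not any(r.proto == proto and r.interface == interface and src in r.network
               for r in cfg.rules):
        return False
    # Article's limitation: with several interfaces configured, telnet is refused
    # on the one with the lowest security level even if a telnet line names it.
    if proto == "telnet" and len(cfg.security_levels) > 1:
        if cfg.security_levels.get(interface) == min(cfg.security_levels.values()):
            return False
    return True


def audit(cfg: MgmtConfig) -> list:
    """Return human-readable findings about weak management-access settings."""
    findings = []
    for r in cfg.rules:
        if r.proto == "telnet":
            findings.append(f"telnet from {r.network} on {r.interface}: cleartext management, prefer ssh")
        if r.network.prefixlen == 0:
            findings.append(f"{r.proto} from any source on {r.interface}: restrict to management hosts")
    for proto in sorted({r.proto for r in cfg.rules}):
        if proto not in cfg.local_auth:
            findings.append(f"{proto}: no 'aaa authentication {proto} console LOCAL', no per-user login")
    for proto, minutes in sorted(cfg.timeouts.items()):
        if minutes > MAX_IDLE_MINUTES:
            findings.append(f"{proto} timeout {minutes} min exceeds the assumed limit of {MAX_IDLE_MINUTES} min")
    return findings


# Constructed sample following the article's topology; GigabitEthernet names are
# assumed, and the OUTSIDE ssh line is the summary's "ssh 0.0.0.0 0.0.0.0 outside".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
password GeeksforGeeks
telnet 10.1.1.1 255.255.255.255 INSIDE
telnet 10.1.2.1 255.255.255.255 OUTSIDE
telnet 10.1.3.1 255.255.255.255 DMZ
telnet timeout 10
username saurabh password GeeksforGeeks
aaa authentication ssh console LOCAL
ssh 10.1.1.1 255.255.255.255 INSIDE
ssh 10.1.3.1 255.255.255.255 DMZ
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for proto, ip, ifc in [("telnet", "10.1.1.1", "INSIDE"), ("telnet", "10.1.2.1", "OUTSIDE"),
                           ("telnet", "10.1.3.1", "DMZ"), ("ssh", "10.1.2.1", "OUTSIDE")]:
        print(f"{proto:6} {ip:10} via {ifc:8} ->", "allowed" if access_allowed(cfg, proto, ip, ifc) else "refused")
    for finding in audit(cfg):
        print("finding:", finding)
```

Running it reproduces the article's scenario (Router2's telnet via OUTSIDE is refused although a `telnet` line names that interface, while ssh carries no such restriction) and lists the telnet lines, the any-source ssh line, the missing `aaa authentication telnet console LOCAL` and the 60-minute ssh timeout as findings. The same functions can be pointed at a `show running-config` capture, with or without the `asa(config)#` prompts, to check a real device against the same rules.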