TELNET and SSH on Adaptive Security Appliance (ASA)

Prerequisite – Adaptive security appliance (ASA)
A user can manage a device through the console or remotely over Telnet or SSH. The same holds for the ASA (Adaptive Security Appliance): CLI access is available through the console or over Telnet or SSH, and GUI access is available through ASDM (Adaptive Security Device Manager).

1. Telnet on ASA:
Telnet is an application layer protocol that uses TCP port 23. It provides remote access to a device, but it is rarely appropriate today because everything exchanged between client and server, including the login password, travels in clear text; anyone on the path can read or replay the session.
Configuring Telnet on the ASA takes three steps.

  1. Enable Telnet services –
    On older ASA software a login password of "cisco" is configured by default, and it should always be changed. The login password is set with the command:



    asa(config)#password GeeksforGeeks 

    or, equivalently:

    asa(config)#passwd GeeksforGeeks 

    Where GeeksforGeeks is the password we have set.

  2. Assign the IP addresses that may initiate a Telnet connection –
    On a router, once Telnet is enabled and no ACL is applied, any IP address can open a Telnet session. The ASA is stricter: no host can use Telnet until its source address (or network) has been explicitly allowed on a specific interface.
    It can be done by the command:

    asa(config)#telnet {source_IP_address} {subnet_mask} {source_interface}

    {source_IP_address} is the host or network from which the ASA accepts Telnet connections, {subnet_mask} is its mask (255.255.255.255 for a single host), and {source_interface} is the nameif of the ASA interface on which the connection arrives. Keep this list as narrow as possible; a 0.0.0.0 0.0.0.0 entry exposes the management plane to every host reachable through that interface.

  3. Set the Telnet timeout –
    This is how long a Telnet session may sit idle before the ASA closes it. The range is 1 to 1440 minutes and the default is 5 minutes; keep it short so an unattended session is not left open.
    The command used for it is:

    asa(config)#telnet timeout {minutes} 

    Limitations –
    When the ASA has more than one interface configured, it refuses Telnet connections arriving on the interface with the lowest security level (normally OUTSIDE), unless that traffic is protected inside an IPsec tunnel.

Configuration example –

Here is a small topology in which three routers, Router1 (10.1.1.1/24), Router2 (10.1.2.1/24) and Router3 (10.1.3.1/24), are connected to an ASA. The ASA has 10.1.1.2/24 on its INSIDE interface (security level 100), 10.1.2.2/24 on its OUTSIDE interface (security level 0) and 10.1.3.2/24 on its DMZ interface (security level 50).

In this task we allow Telnet on all three interfaces (INSIDE, OUTSIDE, DMZ) from Router1 (10.1.1.1), Router2 (10.1.2.1) and Router3 (10.1.3.1) respectively.
Assuming IP addressing is already done on all routers and the ASA, we enable Telnet for each router's address on the ASA and set the login password to GeeksforGeeks. The timeout is a single global setting, so it only needs to be entered once.

asa(config)#password GeeksforGeeks
asa(config)#telnet 10.1.1.1 255.255.255.255 INSIDE
asa(config)#telnet 10.1.2.1 255.255.255.255 OUTSIDE
asa(config)#telnet 10.1.3.1 255.255.255.255 DMZ
asa(config)#telnet timeout 10

Then open a Telnet session to the ASA from a router:


Router#telnet {ASA_interface_IP_address} 

Example –

Router1#telnet 10.1.1.2

Do the same from Router2 and Router3.
In this scenario Router1 and Router3 will be able to Telnet to the ASA, but Router2 will not, because the ASA interface it reaches (OUTSIDE) has the lowest security level.

Note –
To authenticate Telnet users against the ASA's local user database instead of the shared login password, first create a local user:

asa(config)#username Cisco password GeeksforGeeks 

then tell the ASA to use the local database for Telnet logins:

asa(config)#aaa authentication telnet console LOCAL

Note that LOCAL is case sensitive. Per-user accounts are preferable to the shared login password because logins can then be attributed to a person and revoked individually.

2. SSH on ASA:
SSH is an application layer protocol used for remote access to a device. It uses TCP port 22 and is far more secure than Telnet because the whole session, credentials included, is encrypted and the server is authenticated by its host key.
SSH is configured much like Telnet, but the commands differ.
Enabling SSH on the ASA takes three steps:

  1. Enable SSH services –
    It is good practice to set the hostname and domain name first (hostname and domain-name commands). Then generate the RSA key pair, using a modulus of at least 2048 bits:

    asa(config)#crypto key generate rsa modulus {modulus_value} 

    After generating the key, create the local user database on the ASA:

    asa(config)#username cisco password GeeksforGeeks 

    Where cisco is username and password is GeeksforGeeks.

  2. Allow the IP addresses that may open SSH sessions to the ASA –
    Just as with Telnet, only explicitly allowed source addresses can reach the ASA over SSH. The command is:


    asa(config)#ssh {source_IP_address} {subnet_mask} {source_interface}

    {source_IP_address} is the host or network from which the ASA accepts SSH connections, {subnet_mask} is its mask, and {source_interface} is the nameif of the ASA interface on which the SSH traffic arrives. The same rule applies as for Telnet: allow only the management hosts that actually need access.

  3. Set the SSH timeout –
    This is how long an SSH session may sit idle before the ASA closes it. The range is 1 to 60 minutes and the default is 5 minutes.
    The command used for it is:

    asa(config)#ssh timeout {minutes} 

    To authenticate SSH logins against the local database, use the command below. On current ASA software this is required, since the older default account that used the login password is no longer accepted for SSH. Where the software still accepts SSH version 1, also pin the ASA to version 2 with ssh version 2.

    asa(config)#aaa authentication ssh console LOCAL

Configuration example –

Using the same topology: three routers, Router1 (10.1.1.1/24), Router2 (10.1.2.1/24) and Router3 (10.1.3.1/24), are connected to an ASA with 10.1.1.2/24 on its INSIDE interface (security level 100), 10.1.2.2/24 on its OUTSIDE interface (security level 0) and 10.1.3.2/24 on its DMZ interface (security level 50).

In this task we allow SSH on the INSIDE and DMZ interfaces from Router1 (10.1.1.1) and Router3 (10.1.3.1) respectively.
Assuming IP addressing is already done on all routers and the ASA, we enable SSH for those router addresses on the ASA, with username saurabh and password GeeksforGeeks. A 2048-bit modulus is used; the 1024-bit keys shown in older examples are too weak for current use.

asa(config)#crypto key generate rsa modulus 2048
asa(config)#username saurabh password GeeksforGeeks
asa(config)#aaa authentication ssh console LOCAL
asa(config)#ssh 10.1.1.1 255.255.255.255 INSIDE
asa(config)#ssh 10.1.3.1 255.255.255.255 DMZ
asa(config)#ssh timeout 10

Then open an SSH session to the ASA from Router1:

Router1#ssh -l saurabh 10.1.1.2 

and from Router3:

Router3#ssh -l saurabh 10.1.3.2 

Both routers will be able to SSH to the ASA. Unlike Telnet, SSH is accepted on any interface, including the one with the lowest security level, so an entry for Router2 on OUTSIDE would also work. In practice, management access from the outside should still be limited to a few trusted addresses or carried inside a VPN.
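The Telnet and SSH sections above state a handful of rules (Telnet is clear text, the ASA refuses Telnet on its lowest security-level interface, every source must be allowed per interface, SSH logins should be backed by AAA). The following added example, which is not part of the original article and not Cisco code, turns those rules into a small audit of an ASA running-config. The config excerpt is constructed to mirror the article's INSIDE/OUTSIDE/DMZ topology, with one deliberately weak line (SSH from any host on the DMZ) so that the check has something to flag. Finding codes such as TELNET_LOWEST_SECURITY are names chosen here, not ASA terminology.

```python
"""Audit the remote-management lines of a Cisco ASA running-config excerpt."""
import re

# Constructed sample running-config (not captured from a real device).
# It reproduces the article's three-interface topology and adds a weak
# "ssh 0.0.0.0 0.0.0.0 DMZ" line on purpose.
SAMPLE_CONFIG = """\
hostname asa
domain-name example.test
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.1.2.2 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.3.2 255.255.255.0
username saurabh password GeeksforGeeks
aaa authentication ssh console LOCAL
telnet 10.1.1.1 255.255.255.255 INSIDE
telnet 10.1.2.1 255.255.255.255 OUTSIDE
telnet 10.1.3.1 255.255.255.255 DMZ
telnet timeout 10
ssh 10.1.1.1 255.255.255.255 INSIDE
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
"""

# Matches "<proto> <host> <mask> <nameif>"; "telnet timeout N" does not match.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACCESS_RE = re.compile(rf"^(telnet|ssh)\s+({IPV4})\s+({IPV4})\s+(\S+)$")


def parse_security_levels(config):
    """Map each nameif to its security-level by walking the interface blocks."""
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # new block, nameif not seen yet
        elif line.startswith("nameif "):
            current = line.split(None, 1)[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def parse_access_lines(config):
    """Return (proto, host, mask, nameif) tuples for telnet/ssh access lines."""
    entries = []
    for raw in config.splitlines():
        match = ACCESS_RE.match(raw.strip())
        if match:
            entries.append(match.groups())
    return entries


def lowest_security_interfaces(levels):
    """Interfaces at the lowest security-level; the ASA refuses Telnet there."""
    if not levels:
        return set()
    low = min(levels.values())
    return {name for name, lvl in levels.items() if lvl == low}


def audit(config):
    """Return (code, detail) findings; an empty list means nothing to flag."""
    findings = []
    levels = parse_security_levels(config)
    lowest = lowest_security_interfaces(levels)
    entries = parse_access_lines(config)
    for proto, host, mask, iface in entries:
        where = f"{proto} {host} {mask} {iface}"
        if proto == "telnet":
            findings.append(("TELNET_CLEARTEXT", f"{where}: credentials cross the wire unencrypted"))
            if iface in lowest:
                findings.append(("TELNET_LOWEST_SECURITY",
                                 f"{where}: {iface} has the lowest security-level; ASA rejects Telnet here"))
        if mask == "0.0.0.0":
            findings.append(("ANY_HOST", f"{where}: management reachable from any source on {iface}"))
        if iface not in levels:
            findings.append(("UNKNOWN_INTERFACE", f"{where}: no interface with nameif {iface}"))
    # Each protocol in use should have its logins tied to AAA (e.g. LOCAL).
    for proto in sorted({entry[0] for entry in entries}):
        if not re.search(rf"^aaa authentication {proto} console \S+", config, re.M):
            findings.append((f"{proto.upper()}_NO_AAA",
                             f"{proto} allowed but no 'aaa authentication {proto} console'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```

Run against the sample, the audit reports the three Telnet lines as clear text, marks the OUTSIDE entry as one the ASA will reject, flags the any-host SSH entry on the DMZ, and notes that Telnet logins still rely on the shared login password. Feed it the output of show running-config from a lab device to check a real box; lines it does not recognise are simply ignored.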


