Cisco Asa Crypto Key Generate Rsa Command

Sep 12, 2019. Symptom: after applying the command crypto key generate rsa modulus 4096 on an ASA in a failover pair, the ASA will not generate the 4096-bit key. Conditions: a restrictive (non-default) failover polltime is configured, for example failover polltime unit msec 200 holdtime msec 800 and failover polltime interface msec 750 holdtime 5, and the ASA runs software 9.4 or 9.5.

Run show crypto key mypubkey rsa to see if you do, in fact, have a key fully generated and registered under a non-default name. If there is, then you can tell the SSH process to use this key with ip ssh rsa keypair-name xxx. If the first command doesn't show anything useful, then I'd say you can go ahead and generate a new key.

To encrypt the SSH access you need to have an RSA keypair on the firewall. (Note: this is generated from the firewall's host name and its domain name; if you ever change either, the keypair will break, and SSH access will cease until the keypair is re-created.) Now at the command line you can fix this with a 'crypto key generate rsa modulus 2048' command, but you can't get to the command line, only ASDM. On older versions of the ASDM you could generate the keypair in the Identification Certificates section (well, you still can, but only if you are also generating a certificate request file).

Cisco ASA 9.8 CLI Commands. This article covers the most important Cisco ASA commands of ASA version 9.8. It may help network and security engineers who deal with day-to-day troubleshooting calls, and also help with implementing a new Cisco ASA firewall setup in the network.

This chapter covers the following topics:

  • Device access using the CLI
  • Basic ASA configuration
  • Basic FWSM configuration
  • Remote management access to ASA and FWSM
  • IOS Baseline configuration
  • Remote management access to IOS devices
  • Clock synchronization using NTP
  • Obtaining an IP address through the PPPoE client
  • DHCP services
'All rising to great places is by a winding stair.'
—Francis Bacon

After the introductory lessons of the first two chapters, it is time to begin the practical work with the Cisco Classic Network Firewalls. This chapter focuses on topics such as IP address assignment, Command Line Interface (CLI) usage and how to prepare the devices to be remotely managed using protocols such as Telnet, Secure Shell (SSH) and HTTPS.

The contents presented are simple, so if you are already familiar with Cisco Classic Firewalls, you can skip this chapter altogether. If you are just beginning, this chapter's topics are relevant and helpful.

Device Access Using the CLI

Even when planning to manage a Cisco Firewall using a Graphical User Interface (GUI), you probably need to take some initial configuration steps via the CLI. The good news, in this case, is that intelligible and intuitive CLIs have always been a recognized asset of Cisco devices. The CLI is typically accessible through a serial console port or by means of terminal access protocols such as Telnet and SSH. In either situation, a terminal emulation program such as TeraTerm, PuTTY, or HyperTerminal is necessary.

Throughout the book, unless otherwise stated, CLI access is always assumed.

Last year, I wrote a post about securing the Cisco IOS SSH server. It also makes sense to create one for Cisco ASA especially when my old post about enabling SSH on Cisco ASA was back in 2012. That blog post didn’t include the advanced configurations that will improve the security of the Cisco ASA SSH server. With this post, I’d like to share the minimum advanced SSH configurations that network engineers should consider adding to their ASA template.

Enabling Cisco ASA SSH server

Before we can connect to our Cisco ASA via SSH, we need to have a checklist of things we need to configure.

  1. While it's a good idea to have an enable password configured, it is optional for SSH.
  2. You must have at least one local user account.
  3. Configure the ASA's authentication method. The authentication method can be local, RADIUS, or TACACS+.
  4. Generate an RSA key pair.
  5. Configure an ACL to allow a specific IP address or range(s).

Setting enable password

My old post covered how to set the enable password. The command is the same, but newer ASA software uses PBKDF2 to hash the password, compared to the MD5-based hash in older ASA software.

Generating RSA keys

As covered in my old post, to enable SSH on the ASA, we’ll need to generate RSA key pair first. Current NIST recommendation is to use 2048-bit or above. In this post, I am going to use 4096-bit key pair.

SSH Version

Configuring the Cisco ASA SSH server to accept only version 2 is best practice, because SSHv1 has known vulnerabilities. That said, make sure to add this to your ASA template.

SSH Encryption Algorithms

By default, it seems that the ASA’s encryption algorithm is configured to use the medium settings. Unfortunately, I cannot seem to verify it using the show run all command. However, the combination of show ssh and show ssh ciphers does the trick.

The client and server negotiate the encryption algorithm, so it is possible that the client would pick a weaker cipher. To avoid that, we're going to specify a safer cipher. According to this thread, the use of EAX or GCM is preferable when available; if not, use CTR over CBC mode. By specifying the encryption algorithm, we're telling the ASA to only offer AES-256-CTR to any client that tries to connect to it.

Here’s the verbose output of my SSH to a Cisco ASA using the default SSH cipher encryption.

Let’s configure the ASA to only use AES256 CTR mode.

Here’s the verbose output of my SSH connection to a Cisco ASA device using the SSH cipher encryption configuration mentioned above.

SSH Integrity Algorithm

By default, the ASA's integrity algorithm is set to medium. As with the ciphers, I cannot verify it with the show run all command, but the combination of show ssh and show ssh ciphers does the trick. Medium means the ASA will accept both HMAC-SHA1 and HMAC-SHA1-96. The difference between the two is the digest length: HMAC-SHA1-96 is a truncated message digest. From my limited understanding, HMAC-SHA1-96 is the weakened version of HMAC-SHA1 due to the shortened message digest.

Here’s the verbose output of my SSH to a Cisco ASA using the default SSH integrity algorithm.

Let’s configure the ASA to only use HMAC-SHA1.

Here’s the verbose output of my SSH connection to a Cisco ASA device using the SSH integrity algorithm configuration mentioned above.

SSH Key Exchange

The ASA supports two Diffie-Hellman key exchange methods: DH Group 1 (768-bit) and DH Group 14 (2048-bit). By default, the ASA uses Diffie-Hellman Group 1. Unfortunately, this is below what NIST recommends today.

Here's a Cisco ASA with the default SSH key exchange configuration. I issued no ssh key-exchange to be sure.

Here’s the verbose output of my SSH connection to a Cisco ASA using the default SSH key exchange.

Let’s configure the ASA to use DH Group 14.

Here’s the verbose output of my SSH connection to the Cisco ASA after changing the key exchange method.

SSH ACL

Restricting remote management to a certain IP address is a best practice. It is also required to add the ACL, or we won’t be able to access the Cisco ASA via SSH. That said, I included the command here.
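As an added example (my own code, not from this post or from Cisco), a small Python audit of the SSH-related lines of an ASA running-config against the checklist above: local user, AAA for SSH, SSHv2 only, CTR-only ciphers, no HMAC-SHA1-96, DH group 14, and a restricted ssh ACL. The two sample configs are constructed, and the "medium" default cipher and integrity lists assumed for a box without a custom list are my assumption, not a verified per-release default.

```python
import re
# Constructed sample (not from a real device): SSH-relevant lines of a hardened ASA running-config.
HARDENED_CFG = """\
username admin password ***** privilege 15
aaa authentication ssh console LOCAL
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh cipher encryption custom aes256-ctr
ssh cipher integrity custom hmac-sha1
ssh key-exchange group dh-group14-sha1
"""
# Constructed sample: SSHv2 on, but ciphers, MAC and key exchange left at defaults and ACL open to any.
DEFAULT_CFG = """\
username admin password ***** privilege 15
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""

def _custom_list(lines, kind):
    """Colon-separated list after 'ssh cipher <kind> custom', or None if the line is absent."""
    for line in lines:
        m = re.fullmatch(rf"ssh cipher {kind} custom (\S+)", line)
        if m:
            return m.group(1).split(":")
    return None

def audit_ssh_config(cfg):
    """Map each hardening step from the post to True (satisfied) or False (missing or weak)."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    # Assumed 'medium' defaults when no custom list is set (CBC+CTR ciphers, HMAC-SHA1 and the
    # truncated HMAC-SHA1-96); the exact default list varies by ASA release.
    enc = _custom_list(lines, "encryption") or ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
    mac = _custom_list(lines, "integrity") or ["hmac-sha1", "hmac-sha1-96"]
    # 'ssh <ip> <mask> <iface>' lines are the management ACL; 0.0.0.0 0.0.0.0 means any source.
    acl = [l.split()[1:3] for l in lines if re.fullmatch(r"ssh \d+(\.\d+){3} \d+(\.\d+){3} \S+", l)]
    return {
        "local_user": has(r"username \S+ password .*"),
        "aaa_ssh": has(r"aaa authentication ssh console \S+"),
        "version_2_only": has(r"ssh version 2"),
        "ctr_only_cipher": all(c.endswith("-ctr") for c in enc),
        "no_truncated_hmac": "hmac-sha1-96" not in mac,
        "dh_group14": has(r"ssh key-exchange group dh-group14-sha1"),
        "ssh_acl_restricted": bool(acl) and all(ip != "0.0.0.0" for ip, _ in acl),
    }

def failed_checks(cfg):
    """Names of the checks that fail, in report order."""
    return [name for name, ok in audit_ssh_config(cfg).items() if not ok]
```

Feed it the output of show running-config from a real ASA to see which of the post's steps are still missing; the RSA key itself does not appear in the running-config and is checked separately with show crypto key mypubkey rsa.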

Final Words

All of the configurations covered here are what I'd call the minimum security standard for all Cisco ASA devices. It is, after all, a network security device, so it is a must to secure it properly. This post covers only a small part of protecting the management plane, and network engineers must incorporate other security configurations.

Are you ready to improve your network security?

Let us answer more questions by contacting us. We're here to listen and provide solutions that are right for you.

NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.

Want to learn more about ASA?

Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)
Cisco ASA for Accidental Administrators: An Illustrated Step-by-Step ASA Learning and Configuration Guide

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.