Crypto Key Generate Rsa Asdm
I have access to a couple of ASA firewalls with only ASDM access to all of them. I have tried to SSH to them but am unable to do so despite having the correct configuration. None of the firewalls currently have a crypto key generated (I used 'show crypto key generate rsa mypubkey' via the CLI option in ASDM).

How about Cisco ASA? Today I had to learn how to do it using the CLI and not ASDM, since I couldn't find the equivalent of aaa authentication ssh console LOCAL and crypto key gen rsa mod 4096 in the ASDM. Since I am really new to Cisco ASA, I am not well-versed in issuing commands under the CLI.

Because SSH uses RSA public keys to encrypt the sessions, you need to have consistent timing information. Example 3-16 shows not only how to manually adjust and verify timing information, but also how to create a domain name and generate RSA keys. Example 3-17 shows how to visualize SSH-related information in the running-config.
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (username/password and certificate).
ASA Configuration
Create a Crypto Keypair
Create a CA Trustpoint
Authenticate the Trustpoint
In this example the ASA will enrol with a Windows Certificate Authority.
- Open the CA's Trusted Root certificate in Notepad
- Copy the contents of the certificate
- On the ASA run the command crypto ca authenticate LAB_PKI
- When prompted paste the contents of the CA Trusted Root certificate
- Type quit at the end
- Enter yes to import the certificate
Enrol the ASA for an Identity Certificate
The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.
- On the ASA run the command crypto ca enroll LAB_PKI
- When prompted, copy the contents of the CSR
- Complete the Certificate Signing Request
- On the Windows CA, open the web page to sign certificates and click Request a certificate
- Click advanced certificate request
- Paste the CSR generated on the ASA in the previous step
- Select the Certificate Template Web Server
- Click Submit
- Select Base 64 encoded
- Click Download certificate and save the certificate to a file for use in the next step
- On the ASA, run the command crypto ca import LAB_PKI certificate (LAB_PKI is the name of the trustpoint previously defined)
- When prompted, paste the contents of the saved file (generated in the previous step)
- Type quit at the end
- Verify that the Identity and Trusted Root certificates imported successfully by running the command show crypto ca certificates
- In the screenshot below, the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).
Enable the Certificate Trustpoint on the OUTSIDE interface
Enable the Certificate Trustpoint for Remote Access
Define IKEv2 Policy
Define IPSec Transform Sets
Define Crypto Map
Reference the previously created IPSec Transform Sets.
Enable Crypto Map on OUTSIDE interface
Modify Group Policy to enable IKEv2
Enable AAA and Certificate authentication
For additional security, double authentication will be configured to require a certificate and a username/password. The certificate will be authenticated by the ASA; the username/password will be authenticated against the RADIUS server (defined in the previous post).
Enable AAA accounting (if not already enabled)
AAA accounting should be enabled to keep track of the connections.
ISE Configuration
The ISE Authorization Policy defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using the Client-Type attribute in the condition is optional, but it can be used to distinguish between different connection types if required.
- Create a new Authorization rule called AnyConnect IPSec VPN
- Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
- Permissions: VPN_Permit_DACL
Testing & Verification
You will need to create an AnyConnect Profile; download the AnyConnect Profile Editor.
- Open the VPN Profile Editor
- Navigate to the Server List and click Add
- Define a display name for the connection, e.g. ASA IKEv2/IPSec VPN
- Define the FQDN
- Define the User Group; this represents the Tunnel-Group on the ASA, in this instance named TG-1 (as defined in the previous post)
- Set the Primary Protocol to IPSec
- Click Save and ensure the file is saved to the folder location C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Restart the Cisco AnyConnect services or reboot
- Open the Cisco AnyConnect Secure Mobility Client; this should display the new connection
The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.
- On the ASA run the command debug aaa authentication
- On the PC, connect to the VPN and enter the username/password when prompted. Certificate authentication, if successful, should be transparent
From the ASA debugs you can see that the certificate authentication was successful.
Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.
- On the ASA run the command show vpn-sessiondb detail anyconnect
You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.
Did you type the 'http server enable' command and then tell it from the 10.10.50.X network?
Also, SSH requires a crypto key to be generated before it works, and it also needs to be 'allowed'; see the example below.
** Access Lists will not be needed to access it.
Step 1 To identify the IP addresses from which the ASA accepts HTTPS connections, enter the following command for each address or subnet:
hostname(config)# http source_IP_address mask source_interface
Step 2 To enable the HTTPS server, enter the following command:
hostname(config)# http server enable [port]
By default, the port is 443. If you change the port number, be sure to include the new port in the ASDM access URL. For example, if you change it to port 444, enter:
Step 3 To specify the location of the ASDM image, enter the following command:
hostname(config)# asdm image disk0:/asdmfile
For example, to enable the HTTPS server and let a host on the inside interface with an address of 192.168.1.2 access ASDM, enter the following commands:
hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside
To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the following command:
hostname(config)# http 192.168.3.0 255.255.255.0 inside
Configuring SSH Access
To configure SSH access to the ASA, follow these steps:
Step 1 To generate an RSA key pair, which is required for SSH, enter the following command:
hostname(config)# crypto key generate rsa modulus modulus_size
The modulus (in bits) is 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the RSA key pair. We recommend a value of 1024.
Step 2 To save the RSA keys to persistent Flash memory, enter the following command:
hostname(config)# write mem
Step 3 To identify the IP addresses from which the ASA accepts connections, enter the following command for each address or subnet:
hostname(config)# ssh source_IP_address mask source_interface
The ASA accepts SSH connections from all interfaces, including the one with the lowest security level.
Step 4 (Optional) To set how long an SSH session can be idle before the ASA disconnects it, enter the following command:
hostname(config)# ssh timeout minutes
Set the timeout from 1 to 60 minutes. The default is 5 minutes. The default duration is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed.
For example, to generate RSA keys and let a host on the inside interface with an address of 192.168.1.2 access the ASA, enter the following commands:
hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write mem
hostname(config)# ssh 192.168.1.2 255.255.255.255 inside
hostname(config)# ssh timeout 30
To allow all users on the 192.168.3.0 network to access the ASA on the inside interface, enter the following command:
hostname(config)# ssh 192.168.3.0 255.255.255.0 inside
By default SSH allows both version one and version two. To specify the version number, enter the following command:
hostname(config)# ssh version version_number
John Nikolatos
NIKTEK LLC
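As an added example (not from the page, the forum poster or Cisco), a small Python audit over management-access commands like those in the excerpt above. It flags the exposures the excerpt itself describes (SSH accepted on the lowest-security interface, any-source access, SSHv1 still accepted when no version is pinned) and additionally treats an RSA modulus below 2048 bits as weak by current standards; the interface name "outside", the 2048-bit floor and the sample configuration are assumptions constructed here.

```python
import ipaddress
import re
from typing import List

# Constructed sample: the management-access commands from the excerpt above,
# with the "hostname(config)# " prompt stripped, plus one over-permissive
# ssh line added here for illustration.
SAMPLE_CONFIG = """
crypto key generate rsa modulus 1024
write mem
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
ssh 192.168.1.2 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

MIN_RSA_BITS = 2048                 # assumed hardening floor (the excerpt recommends 1024)
LOW_SECURITY_IFACES = {"outside"}   # assumed name of the lowest-security interface

def audit_management_access(config: str) -> List[str]:
    """Return findings for the ssh/http access and RSA key lines in `config`."""
    findings: List[str] = []
    ssh_version_pinned = False
    for raw in config.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())  # tolerate pasted prompts
        if not line:
            continue
        parts = line.split()
        if parts[:4] == ["crypto", "key", "generate", "rsa"] and "modulus" in parts:
            bits = int(parts[parts.index("modulus") + 1])
            if bits < MIN_RSA_BITS:
                findings.append(f"weak RSA modulus {bits} (< {MIN_RSA_BITS})")
        elif parts[:2] == ["ssh", "version"]:
            ssh_version_pinned = parts[2] == "2"
        elif parts[0] in ("ssh", "http") and len(parts) == 4 and parts[1][0].isdigit():
            svc, host, mask, iface = parts           # "<svc> <ip> <mask> <interface>"
            net = ipaddress.IPv4Network((host, mask), strict=False)
            if net.prefixlen == 0:
                findings.append(f"{svc}: any-source access on {iface}")
            if iface in LOW_SECURITY_IFACES:
                findings.append(f"{svc}: management access exposed on {iface}")
    if not ssh_version_pinned:
        findings.append("ssh: version not pinned to 2 (SSHv1 still accepted by default)")
    return findings

if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```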