[c-nsp] Cisco ASA Management

Victor Cappuccio vcappucc at cisco.com
Mon Sep 14 08:10:25 EDT 2009


Hello Almog,

There are probably 1000 ways to access a PIX from the outside; one of
those ways is to use SSH.

pixfirewall# conf ter
pixfirewall(config)# int e0
pixfirewall(config-if)# ip add 192.168.1.1 255.255.255.0
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# no sh
pixfirewall(config-if)# exit
pixfirewall(config)# hostname PIX
PIX(config)# domain-name onmynet.com
PIX(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
PIX(config)# ssh 0.0.0.0 0.0.0.0 outside
PIX(config)# show int ip brief
Interface                  IP-Address      OK? Method Status                 Protocol
Ethernet0                  192.168.1.1     YES CONFIG up                     up
Ethernet1                  unassigned      YES unset  administratively down  up
Ethernet2                  unassigned      YES unset  administratively down  up
Ethernet3                  unassigned      YES unset  administratively down  up
Ethernet4                  unassigned      YES unset  administratively down  up
PIX(config)# username cisco pass cisco
PIX(config)# %PIX-5-111008: User 'enable_15' executed the 'username cisco password *' command.
PIX(config)# aaa authentication ssh console LOCAL
PIX(config)# %PIX-5-111008: User 'enable_15' executed the 'aaa authentication ssh console LOCAL' command.

Now if we try to connect via the outside interface

PIX(config)# %PIX-7-710005: UDP request discarded from 192.168.1.2/138 to
outside:192.168.1.255/138
%PIX-6-302013: Built inbound TCP connection 10 for outside:192.168.1.2/4148
(192.168.1.2/4148) to NP Identity Ifc:192.168.1.1/22 (192.168.1.1/22)
Device ssh opened successfully.
SSH1: SSH client: IP = '192.168.1.2'  interface # = 1
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

%PIX-6-315011: SSH session from 192.168.1.2 on interface outside for user
"ciscopix" disconnected by SSH server, reason: "Time-out activated" (0x3c)
%PIX-7-710005: TCP request discarded from 192.168.1.2/4148 to
outside:192.168.1.1/22
SSH1: send SSH message: outdata is NULL
%PIX-6-302014: Teardown TCP connection 9 for outside:192.168.1.2/4088 to NP
Identity Ifc:192.168.1.1/22 duration 0:01:20 bytes 919 TCP FINs

server version string:SSH-2.0-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-PuTTY_Release_0.60

client version string:SSH-2.0-PuTTY_Release_0.60SSH1: begin server key
generation
SSH0: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH1: complete server key generation, elapsed time = 2970 ms
SSH0: receive SSH message: [no message ID: variable *data is NULL]

SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 143
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYS
SSH2 1: newkeys: mode 0
SSH2 1: SSH2_MSG_NEWKEYS receivedSSH(cisco): user authen method is 'use
AAA', aaa server group ID = 1
SSH(cisco): user authen method is 'use AAA', aaa server group ID = 1
%PIX-6-113012: AAA user authentication Successful : local database : user =
cisco
%PIX-6-113008: AAA transaction status ACCEPT : user = cisco
%PIX-6-611101: User authentication succeeded: Uname: cisco
%PIX-6-611101: User authentication succeeded: Uname: cisco
%PIX-6-605005: Login permitted from 192.168.1.2/4148 to
outside:192.168.1.1/ssh for user "cisco"

SSH2 1: authentication successful for cisco
SSH2 1: channel open request
SSH2 1: pty-req request
SSH2 1: requested tty: xterm, height 19, width 91

SSH2 1: shell request
SSH2 1: shell message received
PIX(config)#

This is on my PuTTY client:
login as: cisco
cisco at 192.168.1.1's password:
Type help or '?' for a list of available commands.
PIX>
PIX>

Some good links

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e71.shtml
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm
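The walkthrough above permits SSH on the outside interface from any source (`ssh 0.0.0.0 0.0.0.0 outside`) and then shows the syslog messages the PIX emits when a management login arrives. The Python below is an added example, not Victor's code or a Cisco tool: it audits a `show running-config` fragment for the things a reviewer would flag before exposing management on an untrusted interface (an overly broad `ssh` source, no pinned `ssh version 2`, no explicit `ssh timeout`, no `aaa authentication ssh console`), and it picks out `%PIX-6-605005` "Login permitted" events on the outside interface from a syslog feed. Both config fragments and all log lines are constructed test input that reuses the commands and message IDs shown in the reply; the regexes assume the one-command-per-line layout of the running config, and 203.0.113.10 is a documentation address standing in for an admin jump host.

```python
import ipaddress
import re

# Constructed running-config fragment mirroring the commands typed in the reply;
# a test input, not a config taken from the page.
WEAK_CONFIG = """\
hostname PIX
domain-name onmynet.com
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
username cisco password cisco
"""

# Same fragment with management access narrowed to one admin host (constructed;
# 203.0.113.10 is a documentation address, not a real jump host).
HARDENED_CONFIG = """\
hostname PIX
domain-name onmynet.com
ssh 203.0.113.10 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
aaa authentication ssh console LOCAL
username cisco password cisco
"""

# 'ssh <source-ip> <mask> <interface>' as it appears in a PIX/ASA running config.
SSH_PERMIT_RE = re.compile(
    r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)


def parse_ssh_permits(config):
    """Return [(network, interface)] for every 'ssh <ip> <mask> <if>' line."""
    permits = []
    for line in config.splitlines():
        m = SSH_PERMIT_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted-quad mask; 0.0.0.0 is treated as /0
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.append((net, m.group(3)))
    return permits


def audit_ssh_management(config, outside_if="outside", min_prefixlen=24):
    """Findings a reviewer would raise before allowing SSH on an untrusted interface."""
    findings = []
    for net, ifname in parse_ssh_permits(config):
        if ifname == outside_if and net.prefixlen < min_prefixlen:
            findings.append(
                f"ssh permitted on {ifname} from {net}, broader than /{min_prefixlen}"
            )
    if not re.search(r"^ssh version 2\s*$", config, re.M):
        findings.append("ssh version 2 not pinned")
    if not re.search(r"^ssh timeout\s+\d+", config, re.M):
        findings.append("ssh timeout not set explicitly")
    if not re.search(r"^aaa authentication ssh console\s+\S+", config, re.M):
        findings.append("no aaa authentication for ssh console")
    return findings


# Constructed syslog lines; message IDs and layout follow those shown in the reply.
SAMPLE_SYSLOG = [
    '%PIX-6-113012: AAA user authentication Successful : local database : user = cisco',
    '%PIX-6-605005: Login permitted from 192.168.1.2/4148 to outside:192.168.1.1/ssh for user "cisco"',
    '%PIX-6-605005: Login permitted from 10.0.0.7/51022 to inside:10.0.0.1/ssh for user "cisco"',
    '%PIX-6-315011: SSH session from 192.168.1.2 on interface outside for user "ciscopix" '
    'disconnected by SSH server, reason: "Time-out activated" (0x3c)',
]

# 605005: Login permitted from <src>/<port> to <if>:<dst>/<service> for user "<name>"
LOGIN_PERMITTED_RE = re.compile(
    r'%(?:PIX|ASA)-6-605005: Login permitted from ([^/\s]+)/(\d+) to (\S+?):(\S+?)/(\S+) '
    r'for user "([^"]+)"'
)


def management_logins(lines, watch_if="outside"):
    """Return (src_ip, user, service) for 605005 logins that arrived on watch_if."""
    hits = []
    for line in lines:
        m = LOGIN_PERMITTED_RE.search(line)
        if m and m.group(3) == watch_if:
            hits.append((m.group(1), m.group(6), m.group(5)))
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh_management(cfg) or "no findings")
    print("outside management logins:", management_logins(SAMPLE_SYSLOG))
```

Running it reports three findings for the config as typed in the reply and none for the narrowed version, and lists the one login that came in over the outside interface; feeding the same function a real `show running-config` dump or a syslog export from the firewall works the same way.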


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of almog ohayon
Sent: Monday, 14 September 2009 14:02
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA Management

Hello Everyone,
I want to know if there is a way to get access to the internal
Cisco ASA interface from the "Outside world".
I want to achieve something similar to Loopback interface on Cisco routers.

Thanks,
--
Almog.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
