Enabling SSH login on a Cisco firewall
Device details are at the end of the post.
Enable AAA authentication: from certain versions onward, local authentication must be configured before password login over SSH works.
aaa authentication ssh console LOCAL
username admin password <encrypted-password> privilege 15
Authorize SSH access: explicitly specify which source range may come in through which interface.
ssh 172.20.13.0 255.255.255.0 management
The 172.20.13.0/24 range is allowed in through the management interface. Here "management" is the nameif of the interface shown in the output below; the name is not case-sensitive.
interface Management0/0
nameif Management
security-level 100
ip address 172.20.13.30 255.255.255.0
management-only
!
If SSH login still fails, one likely cause is that no RSA key pair has been generated.
Verify the key used by the SSH service:
show crypto key mypubkey rsa
Confirm that a key named <Default-RSA-Key> exists.
Generate the key pair: this is a mandatory step on a physical ASA.
crypto key generate rsa modulus 2048
If a key has never been generated before, this command must be run; if one already exists, the ASA prompts whether to overwrite it.
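As an added example (not part of the original post), a small Python checker that audits an ASA running-config plus the output of show crypto key mypubkey rsa for the prerequisites above: local AAA, a privilege-15 user, an ssh rule whose nameif actually exists, a restricted source range, and the default RSA key. The sample config, the sample key listing and the function names are constructed for this example; the ssh-rule parser handles IPv4 rules only.

```python
import re

# Constructed sample running-config fragment (not the post's device).
SAMPLE_CONFIG = """\
interface Management0/0
 nameif Management
 security-level 100
 ip address 172.20.13.30 255.255.255.0
 management-only
!
username admin password <placeholder-hash> encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 172.20.13.0 255.255.255.0 management
"""

# Constructed sample 'show crypto key mypubkey rsa' output, key data omitted.
SAMPLE_KEY_OUTPUT = """\
Key name: <Default-RSA-Key>
 Modulus Size (bits): 2048
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def nameifs(config):
    """nameif values, lower-cased: ASA interface names are case-insensitive."""
    return {m.group(1).lower() for m in re.finditer(r"^\s*nameif\s+(\S+)", config, re.M)}

def audit_ssh(config, key_output):
    """Map each SSH-login prerequisite to True (present) or False (missing)."""
    ifaces = nameifs(config)
    # IPv4 'ssh <net> <mask> <nameif>' lines; other 'ssh ...' settings are ignored
    rules = re.findall(rf"^ssh\s+({IPV4})\s+({IPV4})\s+(\S+)\s*$", config, re.M)
    return {
        # local AAA is what lets a password login succeed
        "aaa_local": bool(re.search(r"^aaa authentication ssh console LOCAL\s*$", config, re.M)),
        # a local account with privilege 15 must exist
        "priv15_user": bool(re.search(r"^username \S+ password \S+ (?:encrypted )?privilege 15\s*$", config, re.M)),
        # at least one source range is allowed in, and via a nameif that really exists
        "ssh_rule_present": bool(rules),
        "ssh_iface_valid": bool(rules) and all(r[2].lower() in ifaces for r in rules),
        # a 0.0.0.0 0.0.0.0 source means management is reachable from anywhere
        "ssh_scope_restricted": bool(rules) and not any(r[0] == "0.0.0.0" for r in rules),
        # the SSH server needs the default RSA key pair
        "rsa_key_present": bool(re.search(r"^Key name:\s*<Default-RSA-Key>", key_output, re.M)),
    }

def missing(config, key_output):
    """Prerequisites that fail, in check order."""
    return [name for name, ok in audit_ssh(config, key_output).items() if not ok]
```

Feed it the text of show running-config and show crypto key mypubkey rsa; an empty list from missing() means every prerequisite on this page is in place.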
Device details
# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.4(9)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "disk0:/newconfig"
FW-CISCO-TEST up 119 days 23 hours
failover cluster up 119 days 23 hours
Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0027.0d38.00b6, irq 9