Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Management Access


Table Of Contents

Configuring Management Access

Configuring ASA 1000V Access for ASDM, Telnet, or SSH   

Guidelines and Limitations

Configuring Management Access

Using a Telnet Client

Using an SSH Client

Configuring CLI Parameters

Configuring a Login Banner

Customizing a CLI Prompt

Changing the Console Timeout

Configuring File Access

Configuring the FTP Client Mode

Configuring the ASA 1000V as a Secure Copy Server   

Configuring the ASA 1000V as a TFTP Client

Adding Mount Points   

Adding a CIFS Mount Point

Adding an FTP Mount Point

Configuring ICMP Access

Information About ICMP Access

Guidelines and Limitations

Default Settings

Configuring ICMP Access

Configuring Management Access Over an IPsec Site-to-Site Tunnel

Guidelines and Limitations

Configuring the Management Interface

Monitoring Device Access

Feature History for Management Access


Configuring Management Access


This chapter describes how to access the ASA 1000V for system management through Telnet, SSH, and HTTPS (using ASDM) and how to create login banners.

This chapter includes the following sections:

Configuring ASA 1000V Access for ASDM, Telnet, or SSH

Configuring CLI Parameters

Configuring File Access

Configuring ICMP Access

Configuring Management Access Over an IPsec Site-to-Site Tunnel

Monitoring Device Access

Feature History for Management Access


Note To access the ASA 1000V interface for management access, you do not also need an access rule allowing the host IP address. You only need to configure management access according to the sections in this chapter.


Configuring ASA 1000V Access for ASDM, Telnet, or SSH   

This section describes how to allow clients to access the ASA 1000V using ASDM, Telnet, or SSH and includes the following topics:

Guidelines and Limitations

Configuring Management Access

Using a Telnet Client

Using an SSH Client

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPsec site-to-site tunnel.

Management access to an interface other than the one from which you entered the ASA 1000V is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through an IPsec site-to-site connection. See the "Configuring Management Access Over an IPsec Site-to-Site Tunnel" section.

The ASA 1000V allows:

A maximum of 5 concurrent Telnet connections.

A maximum of 5 concurrent SSH connections.

A maximum of 5 concurrent ASDM instances.

The ASA 1000V supports the SSH remote shell functionality provided in SSH Versions 1 and 2 and supports DES and 3DES ciphers.

XML management over SSL and SSH is not supported.

The SSH default username is no longer supported. You can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using Configuration > Device Management > Users/AAA > AAA Access > Authentication; then define a local user by choosing Configuration > Device Management > Users/AAA > User Accounts. If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.

Configuring Management Access

To identify the client IP addresses allowed to connect to the ASA 1000V using Telnet, SSH, or ASDM, perform the following steps:

Detailed Steps


Step 1 Choose Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH, and click Add.

The Add Device Access Configuration dialog box appears.

Step 2 Choose the type of session from the three options listed: ASDM/HTTPS, Telnet, or SSH.

Step 3 From the Interface Name drop-down list, choose the Ethernet interface to use for administrative access.

Step 4 In the IP Address field, enter the IP address of the network or host that is allowed access.

Step 5 From the Mask drop-down list, choose the mask associated with the network or host that is allowed access.

Step 6 Click OK.

Step 7 Configure HTTP Settings.

a. Enable HTTP Server—Enable the HTTP server for ASDM access. This is enabled by default.

b. (Optional) Port Number—The default port is 443.

c. (Optional) Idle Timeout—The default idle timeout is 20 minutes.

d. (Optional) Session Timeout—By default, the session timeout is disabled. ASDM connections have no session time limit.

Step 8 (Optional) Configure Telnet Settings.

a. Telnet Timeout—The default timeout value is 5 minutes.

Step 9 (Optional) Configure SSH Settings.

a. Allowed SSH Version(s)—The default value is 1 & 2.

b. SSH Timeout—The default timeout value is 5 minutes.

c. Diffie-Hellman—The default is Diffie-Hellman Key Exchange Group 1. The Diffie-Hellman Key Exchange Group 14 is also supported.

Step 10 Click Apply.

The changes are saved to the running configuration.

Step 11 (Required for SSH) You must also configure SSH authentication.

a. Choose Configuration > Device Management > Users/AAA > AAA Access > Authentication.

b. Check the SSH check box.

c. From the Server Group drop-down list, choose an already configured AAA server group name or the LOCAL database. To add AAA server groups, see the "Configuring AAA Server Groups" section.

d. (Optional) If you chose a AAA server group, you can configure the ASA 1000V to use the local database as a fallback method if the AAA server is unavailable. Check the Use LOCAL when server group fails check box. We recommend that you use the same username and password in the local database as the AAA server because the ASA 1000V prompt does not give any indication of which method is being used.

e. Click Apply.

f. If you chose the LOCAL database, add a local user. Choose Configuration > Device Management > Users/AAA > User Accounts, and then click Add.

The Add User Account-Identity dialog box appears.

g. In the Username field, enter a username from 4 to 64 characters long.

h. In the Password field, enter a password between 3 and 32 characters. Passwords are case-sensitive.

i. In the Confirm Password field, reenter the password.

For information about other fields, see the "Adding a User Account to the Local Database" section.

j. Click OK and then Apply.
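The admission rules in the Guidelines and Limitations and the allowed-host entries built in the steps above, as an added model (not Cisco code). It assumes interfaces are known by name with a security level, that an incoming connection is flagged when it arrives inside an IPsec site-to-site tunnel, and that the single management-access interface from later in this chapter is an optional interface name.

```python
"""
Model of management-session admission for ASDM/HTTPS, Telnet and SSH on the
ASA 1000V, as described in this chapter: client must match an allowed entry
for the interface it connected to, far-interface management only over IPsec
via the management-access interface, no Telnet to the lowest security
interface outside a tunnel, at most 5 concurrent sessions per type.
Constructed example; the Device/AccessEntry names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SESSIONS = {"ASDM/HTTPS": 5, "Telnet": 5, "SSH": 5}   # limits from the guidelines


@dataclass(frozen=True)
class AccessEntry:
    """One row added in the Add Device Access Configuration dialog."""
    session_type: str    # "ASDM/HTTPS", "Telnet" or "SSH"
    interface: str       # Interface Name field
    ip_address: str      # IP Address field
    mask: str            # Mask field, dotted form

    def allows(self, session_type: str, interface: str, client_ip: str) -> bool:
        # ipaddress accepts "address/dotted-mask", matching the two dialog fields
        net = ipaddress.ip_network(f"{self.ip_address}/{self.mask}", strict=False)
        return (self.session_type == session_type and self.interface == interface
                and ipaddress.ip_address(client_ip) in net)


@dataclass
class Device:
    security_levels: Dict[str, int]                 # interface name -> security level
    entries: List[AccessEntry]
    management_access_interface: Optional[str] = None
    active_sessions: Dict[str, int] = field(default_factory=dict)

    def admit(self, session_type: str, ingress_interface: str, target_interface: str,
              client_ip: str, via_ipsec: bool = False) -> str:
        """Return "accept" or a "reject: ..." reason for a new management connection."""
        if session_type not in MAX_SESSIONS:
            return "reject: unknown session type"
        # Managing an interface other than the one you entered needs the IPsec exception.
        if target_interface != ingress_interface:
            if not (via_ipsec and self.management_access_interface == target_interface):
                return "reject: management to a far interface is only supported over an IPsec site-to-site tunnel"
        lowest = min(self.security_levels, key=self.security_levels.get)
        if session_type == "Telnet" and target_interface == lowest and not via_ipsec:
            return "reject: Telnet to the lowest security interface is only allowed inside an IPsec tunnel"
        if not any(e.allows(session_type, target_interface, client_ip) for e in self.entries):
            return "reject: client address not in the allowed list for this interface"
        if self.active_sessions.get(session_type, 0) >= MAX_SESSIONS[session_type]:
            return "reject: concurrent session limit reached"
        self.active_sessions[session_type] = self.active_sessions.get(session_type, 0) + 1
        return "accept"


def build_sample_device() -> Device:
    """Constructed two-interface device with SSH/Telnet allowed from a LAN subnet and one outside host."""
    return Device(
        security_levels={"inside": 100, "outside": 0},
        entries=[
            AccessEntry("SSH", "inside", "10.1.1.0", "255.255.255.0"),
            AccessEntry("Telnet", "inside", "10.1.1.0", "255.255.255.0"),
            AccessEntry("SSH", "outside", "203.0.113.10", "255.255.255.255"),
            AccessEntry("Telnet", "outside", "203.0.113.10", "255.255.255.255"),
        ],
        management_access_interface="inside",
    )


def session_limit_demo() -> List[str]:
    """Open six SSH sessions from an allowed host; the sixth must be rejected."""
    dev = build_sample_device()
    return [dev.admit("SSH", "inside", "inside", "10.1.1.5") for _ in range(6)]
```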


Using a Telnet Client

To gain access to the ASA 1000V CLI using Telnet, enter the login password. If you configure Telnet authentication (see the "Configuring Authentication for CLI, ASDM, and enable command Access" section), then enter the username and password defined by the AAA server or local database.

Using an SSH Client

In the SSH client on your management host, enter the username and password. When an SSH session starts, a dot (.) appears on the ASA 1000V console before the SSH user authentication prompt:

hostname(config)#.

The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the ASA 1000V is busy and has not hung.

Configuring CLI Parameters

This section includes the following topics:

Configuring a Login Banner

Customizing a CLI Prompt

Changing the Console Timeout

Configuring a Login Banner

You can configure a message to display when a user connects to the ASA 1000V, before a user logs in, or before a user enters privileged EXEC mode.

Restrictions

After a banner is added, Telnet or SSH sessions to ASA 1000V may close if:

There is not enough system memory available to process the banner message(s).

A TCP write error occurs when trying to display banner message(s).

Guidelines

From a security perspective, it is important that your banner discourage unauthorized access. Do not use the words "welcome" or "please," as they appear to invite intruders in. The following banner sets the correct tone for unauthorized access:

You have logged in to a secure device. If you are not authorized to access this
device, log out immediately or risk possible criminal consequences.

See RFC 2196 for guidelines about banner messages.

To configure a login banner, perform the following steps:

Detailed Steps


Step 1 Choose Configuration > Device Management > Management Access > Command Line (CLI) > Banner, then add your banner text to the field for the type of banner that you are creating for the CLI:

The session (exec) banner appears when a user accesses privileged EXEC mode at the CLI.

The login banner appears when a user logs in to the CLI.

The message-of-the-day (motd) banner appears when a user first connects to the CLI.

The ASDM banner appears when a user connects to ASDM, after user authentication. The user is given two options for dismissing the banner:

Continue—Dismiss the banner and complete login.

Disconnect—Dismiss the banner and terminate the connection.

Only ASCII characters are allowed, including a new line (Enter), which counts as two characters.

Do not use tabs in the banner, because they are not preserved in the CLI version.

There is no length limit for banners other than those for RAM and flash memory.

You can dynamically add the hostname or domain name of the ASA 1000V by including the strings $(hostname) and $(domain).

Step 2 Click Apply.

The new banner is saved to the running configuration.


Customizing a CLI Prompt

The CLI Prompt pane lets you customize the prompt used during CLI sessions. By default, the prompt shows the hostname of the ASA 1000V. You can display the following items in the CLI prompt:

domain

Displays the domain name.

hostname

Displays the hostname.

priority

Displays the failover priority as pri (primary) or sec (secondary).

state

Displays the traffic-passing state of the ASA 1000V. The following values appear for the state:

act—Failover is enabled, and the ASA 1000V is actively passing traffic.

stby—Failover is enabled, and the ASA 1000V is not passing traffic and is in a standby, failed, or another inactive state.

actNoFailover—Failover is not enabled, and the ASA 1000V is actively passing traffic.

stbyNoFailover—Failover is not enabled, and the ASA 1000V is not passing traffic. This condition might occur when there is an interface failure above the threshold on the standby ASA 1000V.


Detailed Steps

To customize the CLI prompt, perform the following steps:


Step 1 Choose Configuration > Device Management > Management Access > CLI Prompt, then do any of the following to customize the prompt:

To add an attribute to the prompt, click the attribute in the Available Prompts list and then click Add. You can add multiple attributes to the prompt. The attribute is moved from the Available Prompts list to the Selected Prompts list.

To remove an attribute from the prompt, click the attribute in the Selected Prompts list and then click Delete. The attribute is moved from the Selected Prompts list to the Available Prompts list.

To change the order in which the attributes appear in the command prompt, click the attribute in the Selected Prompts list and click Move Up or Move Down to change the order.

The prompt is changed and displays in the CLI Prompt Preview field.

Step 2 Click Apply.

The new prompt is saved to the running configuration.


Changing the Console Timeout

The console timeout sets how long a connection can remain in privileged EXEC mode or configuration mode; when the timeout is reached, the session drops into user EXEC mode. By default, the session does not time out. This setting does not affect how long you can remain connected to the console port, which never times out.

To change the console timeout, perform the following steps:

Detailed Steps


Step 1 To define a new timeout value in minutes, choose Configuration > Device Management > Management Access > Command Line (CLI) > Console Timeout.

Step 2 To specify an unlimited amount of time, enter 0. The default value is 0.

Step 3 Click Apply.

The timeout value is changed and the change is saved to the running configuration.


Configuring File Access

This section includes the following topics:

Configuring the FTP Client Mode

Configuring the ASA 1000V as a Secure Copy Server

Configuring the ASA 1000V as a TFTP Client

Adding Mount Points

Configuring the FTP Client Mode

The ASA 1000V can use FTP to upload or download image files or configuration files to or from an FTP server. In passive FTP, the client initiates both the control connection and the data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.

To configure the FTP client to be in passive mode, perform the following steps:


Step 1 From the Configuration > Device Management > Management Access > File Access > FTP Client pane, check the Specify FTP mode as passive check box.

Step 2 Click Apply.

The FTP client configuration is changed and the change is saved to the running configuration.


Configuring the ASA 1000V as a Secure Copy Server   

You can enable the secure copy server on the ASA 1000V. Only clients that are allowed to access the ASA 1000V using SSH can establish a secure copy connection.

Restrictions

This implementation of the secure copy server has the following limitations:

The server can accept and terminate connections for secure copy, but cannot initiate them.

The server does not have directory support. The lack of directory support limits remote client access to the ASA 1000V internal files.

The server does not support banners.

The server does not support wildcards.

To configure the ASA 1000V as a secure copy server, perform the following steps:

Detailed Steps


Step 1 From the Configuration > Device Management > Management Access > File Access > Secure Copy (SCP) Server pane, check the Enable secure copy server check box.

Step 2 Click Apply.

The changes are saved to the running configuration. The ASA 1000V can function as an SCP server for transferring files to and from the device.


Configuring the ASA 1000V as a TFTP Client

TFTP is a simple client/server file transfer protocol, which is described in RFC 783 and RFC 1350 Rev. 2. You can configure the ASA 1000V as a TFTP client so that it can transfer a copy of its running configuration file to a TFTP server by choosing either File > Save Running Configuration to TFTP Client or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple ASA 1000Vs.

The ASA 1000V supports only one TFTP client. The full path to the TFTP client is specified in Configuration > Device Management > Management Access > File Access > TFTP Client. After the TFTP client has been configured in this pane, you can use a colon (:) to specify the IP address in the CLI configure net and copy commands. However, any other authentication or configuration of intermediate devices necessary for communication from the ASA 1000V to the TFTP client is done apart from this function.

To configure the ASA 1000V as a TFTP client for saving configuration files to a TFTP server, perform the following steps:


Step 1 From the Configuration > Device Management > Management Access > File Access > TFTP Client pane, check the Enable check box.

Step 2 From the Interface Name drop-down list, choose the Ethernet interface to use as a TFTP client.

Step 3 In the IP Address field, enter the IP address of the TFTP server on which configuration files will be saved.

Step 4 In the Path field, enter the path to the TFTP server on which configuration files will be saved.

For example: /tftpboot/asa/config3

Step 5 Click Apply.

The changes are saved to the running configuration. This TFTP server will be used to save the ASA 1000V configuration files. For more information, see the "Saving the Running Configuration to a TFTP Server" section.


Adding Mount Points   

This section includes the following topics:

Adding a CIFS Mount Point

Adding an FTP Mount Point

Adding a CIFS Mount Point

To define a Common Internet File System (CIFS) mount point, perform the following steps:


Step 1 From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > CIFS Mount Point.

The Add CIFS Mount Point dialog box appears.

Step 2 Check the Enable mount point check box.

This option attaches the CIFS file system on the ASA 1000V to the UNIX file tree.

Step 3 In the Mount Point Name field, enter the name of an existing CIFS location.

Step 4 In the Server Name or IP Address field, enter the name or IP address of the server in which the mount point is located.

Step 5 In the Share Name field, enter the name of the folder on the CIFS server.

Step 6 In the NT Domain Name field, enter the name of the NT Domain in which the server resides.

Step 7 In the User Name field, enter the name of the user authorized for file system mounting on the server.

Step 8 In the Password field, enter the password for the user authorized for file system mounting on the server.

Step 9 In the Confirm Password field, reenter the password.

Step 10 Click OK.

The Add CIFS Mount Point dialog box closes.

Step 11 Click Apply.

The mount point is added to the ASA 1000V, and the change is saved to the running configuration.


Adding an FTP Mount Point


Note For an FTP mount point, the FTP server must have a UNIX directory listing style. Microsoft FTP servers have a default of the MS-DOS directory listing style.


To define an FTP mount point, perform the following steps:


Step 1 From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > FTP Mount Point.

The Add FTP Mount Point dialog box appears.

Step 2 Check the Enable check box.

This option attaches the FTP file system on the ASA 1000V to the UNIX file tree.

Step 3 In the Mount Point Name field, enter the name of an existing FTP location.

Step 4 In the Server Name or IP Address field, enter the name or IP address of the server where the mount point is located.

Step 5 In the Mode field, click the radio button for the FTP mode (Active or Passive). When you choose Passive mode, the client initiates both the FTP control connection and the data connection. The server responds with the number of its listening port for this connection.

Step 6 In the Path to Mount field, enter the directory path name to the FTP file server.

Step 7 In the User Name field, enter the name of the user authorized for file system mounting on the server.

Step 8 In the Password field, enter the password for the user authorized for file system mounting on the server.

Step 9 In the Confirm Password field, reenter the password.

Step 10 Click OK.

The Add FTP Mount Point dialog box closes.

Step 11 Click Apply.

The mount point is added to the ASA 1000V, and the change is saved to the running configuration.


Configuring ICMP Access

By default, you can send ICMP packets to any ASA 1000V interface. This section tells how to limit ICMP management access to the ASA 1000V. You can protect the ASA 1000V from attacks by limiting the addresses of hosts and networks that are allowed to have ICMP access to the ASA 1000V.


Note For allowing ICMP traffic through the ASA 1000V, see Chapter 18 "Configuring Access Rules."


This section includes the following topics:

Information About ICMP Access

Guidelines and Limitations

Default Settings

Configuring ICMP Access

Information About ICMP Access

We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC 1435 for details about path MTU discovery.

If you configure ICMP rules, then the ASA 1000V uses a first match to the ICMP traffic followed by an implicit deny all entry. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the ASA 1000V discards the ICMP packet and generates a syslog message. An exception is when an ICMP rule is not configured; in that case, a permit statement is assumed.

Guidelines and Limitations

The ASA 1000V does not respond to ICMP echo requests directed to a broadcast address.

The ASA 1000V only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

Default Settings

By default, you can send ICMP packets to any ASA 1000V interface.

Configuring ICMP Access

To configure ICMP access rules, perform the following steps:

Detailed Steps


Step 1 Choose Configuration > Device Management > Management Access > ICMP, and click Add.

Step 2 If you want to insert a rule into the ICMP table, select the rule that the new rule will precede, and click Insert.

The Create ICMP Rule dialog box appears in the right-hand pane.

Step 3 From the ICMP Type drop-down list, choose the type of ICMP message for this rule.

Step 4 From the Interface list, choose the destination ASA 1000V Ethernet interface to which the rule is to be applied.

Step 5 In the IP Address field, do one of the following:

Add a specific IP address for the host or network.

Click Any Address, then go to Step 8.

Step 6 From the Mask drop-down list, choose the network mask.

Step 7 Click OK.

The Create ICMP Rule dialog box closes.

Step 8 (Optional) To set ICMP unreachable message limits, set the following options. Increasing the rate limit, along with enabling the Decrement time to live for a connection option on the Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings dialog box, is required to allow a traceroute through the ASA 1000V that shows the ASA 1000V as one of the hops.

Rate Limit—Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second.

Burst Size—Sets the burst rate, between 1 and 10. This keyword is not currently used by the system, so you can choose any value.

Step 9 Click Apply.

The ICMP rule is added to the ASA 1000V, and the change is saved to the running configuration.
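The rule evaluation described in "Information About ICMP Access" (first match, implicit deny once any rule exists, permit-all when no rule is configured), with rule fields taken from the Create ICMP Rule dialog above, as an added model that is not Cisco code. The syslog text is a constructed placeholder, not a real ASA message ID, and the ANY_TYPE wildcard is an assumption.

```python
"""
Model of ICMP-to-the-box rule evaluation on the ASA 1000V as described in
this chapter. Rule fields mirror the Create ICMP Rule dialog: action,
ICMP Type, Interface, IP Address, Mask. Constructed example, not Cisco code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_TYPE = "any"                       # assumption: wildcard value for the ICMP Type field
ANY_ADDRESS = ("0.0.0.0", "0.0.0.0")   # equivalent of clicking "Any Address"
ICMP_UNREACHABLE = 3                   # always worth permitting: path MTU discovery depends on it


@dataclass(frozen=True)
class IcmpRule:
    action: str            # "permit" or "deny"
    icmp_type: object      # ICMP type number, or ANY_TYPE
    interface: str         # destination ASA interface (Interface list)
    ip_address: str        # IP Address field
    mask: str              # Mask field, dotted form

    def matches(self, icmp_type: int, interface: str, src_ip: str) -> bool:
        # ipaddress accepts "address/dotted-mask", which is exactly what the two fields give
        net = ipaddress.ip_network(f"{self.ip_address}/{self.mask}", strict=False)
        return (self.interface == interface
                and self.icmp_type in (ANY_TYPE, icmp_type)
                and ipaddress.ip_address(src_ip) in net)


def evaluate_icmp(rules: List[IcmpRule], icmp_type: int, interface: str,
                  src_ip: str) -> Tuple[str, Optional[str]]:
    """Return ("permit", None) or ("deny", syslog_text) for an ICMP packet sent to an ASA interface."""
    if not rules:
        return "permit", None            # no ICMP rule configured: a permit is assumed
    for rule in rules:                   # rules are ordered; the first match decides
        if rule.matches(icmp_type, interface, src_ip):
            if rule.action == "permit":
                return "permit", None
            return "deny", f"[constructed] icmp type {icmp_type} from {src_ip} to {interface} denied by rule"
    # Any configured rule set ends with an implicit deny-all entry.
    return "deny", f"[constructed] icmp type {icmp_type} from {src_ip} to {interface} denied by implicit deny"


def build_sample_rules() -> List[IcmpRule]:
    """Constructed rule set: a host deny placed ahead of a subnet permit shows first-match ordering."""
    return [
        IcmpRule("permit", ICMP_UNREACHABLE, "outside", *ANY_ADDRESS),
        IcmpRule("deny", ANY_TYPE, "inside", "10.1.1.7", "255.255.255.255"),
        IcmpRule("permit", ANY_TYPE, "inside", "10.1.1.0", "255.255.255.0"),
    ]
```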


Configuring Management Access Over an IPsec Site-to-Site Tunnel

If your IPsec site-to-site tunnel terminates on one interface, but you want to manage the ASA 1000V by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA 1000V from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.

This section includes the following topics:

Guidelines and Limitations

Configuring the Management Interface

Guidelines and Limitations

You can define only one management access interface.

Configuring the Management Interface

To configure the management interface, perform the following steps.

Detailed Steps


Step 1 From the Configuration > Device Management > Management Access > Management Interface pane, choose the interface with the highest security (the inside interface) from the Management Access Interface drop-down list.

Step 2 Click Apply.

The management interface is assigned, and the change is saved to the running configuration.


Monitoring Device Access

To monitor device access, see the following panes:

Path: Monitoring > Properties > Device Access > ASDM/HTTPS/Telnet/SSH Sessions

Purpose: The top pane lists the connection types, session IDs, and IP addresses for users connected through ASDM, HTTPS, and Telnet sessions. To disconnect a specific session, click Disconnect.

The bottom pane lists the clients, usernames, connection states, software versions, incoming encryption types, outgoing encryption types, incoming HMACs, and outgoing HMACs for users connected through SSH sessions. To disconnect a specific session, click Disconnect.

Path: Monitoring > Properties > Device Access > Authenticated Users

Purpose: Lists the usernames, IP addresses, dynamic ACLs, inactivity timeouts (if any), and absolute timeouts for users who were authenticated by AAA servers.

Path: Monitoring > Properties > Device Access > AAA Local Locked Out Users

Purpose: Lists the usernames of locked-out AAA local users, the number of failed attempts to authenticate, and the times that users were locked out. To clear a specific user who has been locked out, click Clear Selected Lockout. To clear all users who have been locked out, click Clear All Lockouts.


Feature History for Management Access

Table 19-1 lists the feature history.

Table 19-1 Feature History for Management Access

Feature Name: Management access

Platform Releases: 8.7(1)

Feature Information: For management access through VPN, only IPsec site-to-site tunnels are supported.