Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Accessing Cisco ASA using SSH

So, I purchased a Cisco ASA 5505 to build a VPN tunnel from a remote office to my main office. Really simple to do when you are using Easy VPN. Anyway, I wanted to turn on SSH. So, I enabled SSH on the ASA, and tried to access it:


[apaxson@netutil ~]$ ssh -l username
ssh_exchange_identification: Connection closed by remote host

Hmmmm….. let’s do a debug, and see what happens:


asa# debug ssh
Device ssh opened successfully.
SSH0: SSH client: IP = '' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Ahhhh….. we have to create a default RSA key pair. Let’s do that.


asa(config)# ca generate rsa key 1024
WARNING: the 'ca' command syntax has been deprecated
Please use the 'crypto key generate' command.

Okaaaay…… looks like we have to change our ways again.


asa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Okay, so far so good. Let’s try to connect again:


[apaxson@netutil ~]$ ssh -l username
RSA key fingerprint is 9b:99:12:45:6f:7a:bb:37:f4:25:19:1d:d9:0d:62:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
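
The session above ends with the client's fingerprint prompt answered "yes". As an added example (not from the original post), this Python code recomputes that colon-separated MD5 fingerprint from an `ssh-keyscan`-style line so it can be compared with a value recorded over a trusted channel, and flags RSA moduli under 2048 bits. It assumes an SSH protocol 2 `ssh-rsa` key; the host `192.0.2.10`, the key material and the `MIN_RSA_BITS` floor are constructed for illustration.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed policy floor; the post's 1024-bit key falls below it


def _ssh_string(data):
    """Encode bytes as an SSH length-prefixed string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one length-prefixed string; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[offset + 4:end], end


def inspect_host_key(line):
    """Parse '<host> ssh-rsa <base64>' as printed by ssh-keyscan or known_hosts."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa host key")
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    md5 = hashlib.md5(blob).hexdigest()
    bits = int.from_bytes(modulus, "big").bit_length()
    return {
        "host": host,
        "bits": bits,
        "weak": bits < MIN_RSA_BITS,
        # Same colon-separated MD5 form the ssh client printed in the post.
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def fingerprint_matches(info, expected):
    """Compare against a fingerprint recorded over a trusted channel."""
    return info["md5"] == expected.strip().lower()


def make_sample_line(bits=1024):
    """Constructed test input: a syntactically valid blob, not a real key."""
    n = (1 << (bits - 1)) | 1
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # mpint needs a leading zero
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return "192.0.2.10 ssh-rsa " + base64.b64encode(blob).decode()
```

Accept the key in the client only when `fingerprint_matches` returns true for the expected value.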



13 responses to “Accessing Cisco ASA using SSH”

  1. hot carl March 4, 2008 at 4:01 pm


    i haven’t run into this just yet, since i’m about to order a pair of asa 5505’s so i’m sure i would have in the next week or two.

    how do you like the asa 5505? i’m getting two — one to “aggregate” a few pix 501’s and the other to deploy at a new location for a vpn link back to here.

  2. jk March 4, 2008 at 7:43 pm

    Suggestion – having trouble with ssh?

    Try ssh -v from your *nix cli. Great for finding out which side is at fault.

  3. Aaron Paxson March 4, 2008 at 9:38 pm

    Hot Carl,

    The ASA’s are incredibly awesome! They are basically a PIX on steroids. I knew the PIX’s would eventually be phased out.

    I currently have 1 ASA5520 at my home office with the CSC module, but plan on buying two more (one as a failover, and one as an isolated VPN box).

    The ASA5505 is perfect for a small office. I also like the two built-in PoE interfaces. It took some getting used to though.

    You no longer have an interface dedicated to “inside” or “outside”. Instead, it’s an 8-port switch that you assign the “inside” vlan.

    I’ve also just used the Easy VPN methodology with the ASA5505. 5 lines of config to build the site-to-site tunnel. Everything else is downloaded from the “vpn server”. Of course, that’s not just limited to the ASA’s.

    The ASA’s rock. But I haven’t used the AIP module.

    Nice site, by the way.


  4. hot carl March 8, 2008 at 1:49 pm

    thanks, aaron.

    the asa’s have a *lot* of functionality i don’t need (and won’t use), but the throughput they can handle is much, much higher than what a 501 can. i’m up to three 501’s now (at our main site) and we’re about to add another — a 501 wouldn’t be up to the job (higher bandwidth requirements).

    the 5505 seemed a good choice to “aggregate” these vpn’s on (ipsec is really all i need). with security plus it looks like i’ll have room for some growth as well. i don’t anticipate adding more sites in the future, but then again two years ago i didn’t imagine we’d have three more today.

    again, thanks for the original tip and if you run into any more please do post ’em!

  5. Neville Chilton April 22, 2009 at 7:37 am

    Just installed CSA, MARS and two asa 5505’s and 1 5510. I used this report to allow MARS to ssh onto the box. great fix thanks

  6. Vitaly August 18, 2009 at 6:51 am

    Thank you for the interesting article!

    BTW, is it possible to add a user public key to the ASA for passwordless ssh authentication?

    • Aaron Paxson August 18, 2009 at 7:38 am

      Hi Vitaly!

      I’m not sure. I’ve not heard of using a cert in place of password authentication. You *could* use certs as SSL on webvpn, but you would still have to authenticate using username/password.

      The certificate only protects the data, but does not prove the identity of the user. That is still done by username/password pairs.

  7. Forrest October 17, 2009 at 6:04 pm

    Aaron, just a note to say “thanks” — I Googled for this error message with ASA’s and voilà, found my answer at your page. 🙂

    • Forrest October 20, 2009 at 4:39 pm

      On newer versions of the ASA, the above command syntax will not work. The new syntax is:

      crypto key generate rsa modulus 1024

  8. Gaston December 3, 2009 at 3:56 am

    Great info, shows up first with a google search.
    It saved me some minutes.
    Thank you!

  9. Saba March 31, 2011 at 3:45 am

    Great, very helpful, thanks for sharing
