How to disable AES CBC encryption on ASA 5545

dheeraj_singh
Level 1

Hi,

In our environment we have an ASA 5545 (IOS Ver 9.1) firewall, and AES 256 CBC cipher encryption is enabled on it for SSH user access.

We need to disable CBC cipher encryption and enable CTR cipher encryption for SSH users.

Kindly help me with the same.

Thanks,

Dheeraj

1 Reply

Marvin Rhoads
Hall of Fame

AES256-ctr was just added in ASA software version 9.1(2). I don't believe the ssh encryption type is configurable in the ASA ssh server. You need to specify it in the client - I did verify it will connect when you do that (see output below).

SSL encryption ciphers can be specified to exclude the weak ciphersuites.

# sh ssh session det

SSH Session ID          : 1
 Client IP              : <deleted>
 Username               : <deleted>
 SSH Version            : 2.0
 State                  : SessionStarted
 Inbound Statistics
  Encryption            : aes256-ctr
  HMAC                  : sha1
  Bytes Received        : 1824
 Outbound Statistics
  Encryption            : aes256-ctr
  HMAC                  : sha1
  Bytes Transmitted     : 5632
 Rekey Information
  Time Remaining (sec)  : 3277
  Data Remaining (bytes): 996142580
  Last Rekey            : 07:12:38.807 UTC Tue May 20 2014
  Data-Based Rekeys     : 0
  Time-Based Rekeys     : 0
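
An added example, not part of the original thread or any Cisco tooling: because the reply leaves the cipher choice to the client, this Python sketch parses session output in the layout shown above and lists sessions that negotiated anything other than a CTR cipher. The second session, the addresses and the usernames in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the session output above. Session 2,
# the addresses and the usernames are invented for illustration.
SAMPLE = """\
SSH Session ID          : 1
 Client IP              : 192.0.2.10
 Username               : admin1
 State                  : SessionStarted
 Inbound Statistics
  Encryption            : aes256-ctr
 Outbound Statistics
  Encryption            : aes256-ctr
 Rekey Information
  Last Rekey            : 07:12:38.807 UTC Tue May 20 2014
SSH Session ID          : 2
 Client IP              : 192.0.2.11
 Username               : admin2
 State                  : SessionStarted
 Inbound Statistics
  Encryption            : aes256-cbc
 Outbound Statistics
  Encryption            : aes256-cbc
"""

def parse_sessions(text):
    """Return one dict per session with its inbound/outbound cipher."""
    sessions, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Inbound Statistics", "Outbound Statistics"):
            direction = line.split()[0].lower()
            continue
        m = re.match(r"(.+?)\s*:\s*(.*)$", line)  # split on the first colon only
        if not m:
            continue
        key, val = m.groups()
        if key == "SSH Session ID":
            cur, direction = {"id": val, "ciphers": {}}, None
            sessions.append(cur)
        elif cur is not None and key in ("Client IP", "Username"):
            cur[key] = val
        elif cur is not None and key == "Encryption" and direction:
            cur["ciphers"][direction] = val
    return sessions

def non_ctr_sessions(text):
    """Sessions where either direction negotiated a non-CTR cipher."""
    return [s for s in parse_sessions(text)
            if any(not c.endswith("-ctr") for c in s["ciphers"].values())]
```

Run against saved session output, the result identifies which users' SSH clients still need their cipher preference changed.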
