I won't be able to answer your question, and I don't think you will find a doc.
I think the reason is that it is not a matter of best practices, it is a matter of necessity. I don't think there is anyone that wants to be able to manage his ASA remotely otherwise, unless he can vpn into it to manage.
The ASA will not allow telnet on the outside lowest security interface anyway, so if you want to manage it you either will use ssh or some kind of vpn. If you don't need to manage it remotely, then best practice is to lock it and disable ssh. In other words I think it is a matter of necessity and not best practice.
Now, to make it more secure the best practice is to allow ssh only for specific management ip addresses that will be used to manage it and also use strong credentials to avoid a password guess attack.
I would be interested if someone has a best practice doc that addresses it.
I know it can be done on my ASA5510 - that's not my problem - I just need to justify the risks.
I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow ssh access from the internet to the outside interface?
Has anyone come across any?
Have to agree with Panos on this one. I would certainly not be comfortable with allowing any IP address to try and use ssh access to the outside interface. As Panos says you should definitely try and lock it down to specific IPs and have an acl on your border router, if you manage it, that only allows ssh from these specific addresses.
Otherwise you can VPN to the ASA or a more likely scenario you can VPN into a device within your internal network and then manage the ASA from either the inside or management interface. I personally prefer that approach because you are not allowing any external management access direct to your firewall whether it be via ssh or vpn.
I would only use ssh if I could
a) tie it down to specific IPs and preferably
b) have a filter list on an upstream router that only allowed those IPs
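Putting the advice in this thread into configuration, as an added example that is not taken from any post above or from a Cisco document: the open setting beside a restricted one on the ASA, and the matching filter on an upstream IOS router. All addresses, hostnames and account names are placeholders from documentation ranges, and the syntax is ASA 8.x / IOS style; adapt to your platform version.

```text
! --- Weak: the ASA accepts SSH from any source on the outside interface ---
ssh 0.0.0.0 0.0.0.0 outside

! --- Restricted ASA configuration (placeholder names and addresses) ---
hostname ASA5510
domain-name example.com
! RSA host key required for SSH; regenerate if the existing key is weak
crypto key generate rsa modulus 2048
ssh version 2
ssh timeout 5
! only the two management hosts may reach SSH on outside
ssh 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.11 255.255.255.255 outside
! management network on the inside (used when managing over VPN instead)
ssh 10.0.0.0 255.255.255.0 inside
! authenticate SSH against a local account with a strong passphrase (or an AAA server)
aaa authentication ssh console LOCAL
username netadmin password <strong-passphrase> privilege 15
! remove every telnet permit line; telnet is never allowed on outside anyway
clear configure telnet

! --- Upstream IOS border router: second filter in front of the ASA outside IP ---
! 198.51.100.2 is the placeholder for the ASA outside address
ip access-list extended FILTER-ASA-MGMT
 remark allow SSH to the ASA outside address only from the management hosts
 permit tcp host 203.0.113.10 host 198.51.100.2 eq 22
 permit tcp host 203.0.113.11 host 198.51.100.2 eq 22
 deny   tcp any host 198.51.100.2 eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group FILTER-ASA-MGMT in
```

The `log` keyword on the router deny entry records rejected SSH attempts against the firewall, which gives you the evidence for the risk justification asked about above.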