Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ssh on outside interface

i know it can be done on my ASA5510 - that's not my porblem - I just need to justify the risks.

I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow ssh access from the internet to the outside interface?

Has anyone come across any?

Thx.

Rob

2 REPLIES
Cisco Employee

Re: ssh on outside interface

Hi  Rob,

I won't be able to answer your question, and I don't think you will find a doc.

I think the reason is that it is not a matter of best practices, it is a matter of necessity. I don't think there is anyone that wants to be able to manage his ASA remotely otherwise, unless he can vpn into it to manage.

The ASA will not allow telnet on the outside lowest security interface anyway, so if you want to manage it you either will use ssh or some kind of vpn. If you don't need to manage it remotely, then best practice is to lock it and disable ssh. In other words I think it is a matter of necessity and not best practice.

Now, to make it more secure the best practise is to allow ssh only for specific management ip addresses that will be used to manage it and also use strong credentials to avoid a password guess attack.

I would be interested if someone has a best practice doc that addresses it.

I hope it helps a little.

Panos

Hall of Fame Super Blue

Re: ssh on outside interface

rbrunne wrote:

i know it can be done on my ASA5510 - that's not my porblem - I just need to justify the risks.

I've been trying to hunt down any supporting "Best Practice" documents that state whether it's advisable to allow ssh access from the internet to the outside interface?

Has anyone come across any?

Thx.

Rob

Rob

Have to agree with Panos on this one. I would certainly not be comfortable with allowing any IP address to try and use ssh access to the outside interface. As Panos says you should definitely try and lock it down to specific IPs and have an acl on your border router, if you manage it, that only allows ssh from these specific addresses.

Otherwise you can VPN to the ASA or a more likely scenario you can VPN into a device within your internal network and then manage the ASA from either the inside or management interface. I personally prefer that approach because you are not allowing any external management access direct to your firewall whether it be via ssh or vpn.

I would only use ssh if i could

a) tie it down to specific IPs and preferably

b) have a filter list on an upstream router that only allowed those IPs

Jon

575
Views
0
Helpful
2
Replies