How to resolve ssh issue on Cisco ASA

Tested in version 9.6(1)

~# ssh admin@x.x.x.x
Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

First method:

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@x.x.x.x
admin@x.x.x.x's password:
Type help or '?' for a list of available commands.
ASA1/act/pri>

Second method:

ASA1/act/pri(config)# ssh key-exchange group ?

configure mode commands/options:
 dh-group1-sha1 Diffie-Hellman group 2
 dh-group14-sha1 Diffie-Hellman group 14

ASA1/act/pri(config)# ssh key-exchange group dh-group14

ASA1/act/pri(config)# wr

Disconnect and reconnect:

# ssh admin@x.x.x.x
admin@x.x.x.x's password:
Type help or '?' for a list of available commands.
ASA1/act/pri> en

 

 

 

Cisco N7K view ACL log

This example shows how to view the logs of the mgmt0-access ACL:

# sh ip access-lists
IP access list mgmt0-access
 statistics per-entry
 10 permit tcp addrgroup NOC addrgroup RouterBlock eq 22 [match=2611]
 20 permit udp addrgroup NOC addrgroup RouterBlock eq snmp [match=0]
 40 permit udp addrgroup NOC eq ntp addrgroup RouterBlock [match=0]
 50 permit tcp addrgroup NOC eq tacacs addrgroup RouterBlock [match=2055]
 60 permit tcp addrgroup NOC addrgroup RouterBlock eq www [match=0]
 500 permit ip addrgroup NOC addrgroup RouterBlock log [match=818]

To view the log, use the following command:

# sh log ip access-list cache
Src IP          Dst IP          S-Port  D-Port  Src Intf  Protocol  Hits
--------------------------------------------------------------------------------
10.200.0.20     10.200.0.11     40196   161     mgmt0     (6)TCP    65
10.200.0.20     10.200.0.11     56267   80      mgmt0     (6)TCP    0
Number of cache entries: 2
--------------------------------------------------------------------------------

 

N7K – Configure Tacacs server

Example configuration for an N7K with redundant TACACS+ servers:

tacacs+ distribute
tacacs-server key 7 "xxxxxxxx"
ip tacacs source-interface mgmt0
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs+ commit
aaa group server tacacs+ TACACS+Server
 server x.x.x.x
 server y.y.y.y
aaa authentication login default group TACACS+Server
aaa authorization commands default group TACACS+Server local
aaa accounting default group TACACS+Server

SNMP security

By default, an ILMI community is enabled on routers. It is unprotected and therefore allows a minimum of information about the type of device to be retrieved.

Likewise, when you enable a v2 community, a v1 community is enabled as well. To check this, use the following command:

R1#sh snmp group
groupname: ILMI security model:v1
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: public security model:v1
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
groupname: public security model:v2c
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

Here is the running configuration:

R1#sh run | i snmp
snmp-server community public RO
snmp-server enable traps tty

To remove what we do not need:

R1(config)#no snmp-server group ILMI v1
R1(config)#no snmp-server group ILMI v2c
R1(config)#no snmp-server group public v1
R1(config)#do sh snmp-server
R1#sh snmp group
*Mar 1 00:04:32.203: %SYS-5-CONFIG_I: Configured from console by console
R1#sh snmp group
groupname: public security model:v2c
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

It is also advisable to filter with an ACL.
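
An added example, not part of the original post: a small Python audit that parses "sh snmp group" output in the layout shown above, flags the ILMI groups and any v1 group, and builds the matching "no snmp-server group" lines. The function names and the embedded sample are constructed for illustration.

```python
import re
# Constructed sample: "sh snmp group" output in the layout shown above.
SAMPLE = """\
groupname: ILMI security model:v1
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: ILMI security model:v2c
readview : *ilmi writeview: *ilmi
notifyview: <no notifyview specified>
row status: active
groupname: public security model:v1
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
groupname: public security model:v2c
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""

GROUP_RE = re.compile(r"^\s*groupname:\s*(\S+)\s+security model:\s*(\S+)", re.I)
WRITE_RE = re.compile(r"writeview:\s*(.+?)\s*$", re.I)

def parse_groups(text):
    """Return one dict per group: name, security model, write view (or None)."""
    groups = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.append({"name": m.group(1), "model": m.group(2).lower(), "writeview": None})
        elif groups and (w := WRITE_RE.search(line)):
            view = w.group(1)
            groups[-1]["writeview"] = None if view.startswith("<no ") else view
    return groups

def audit(text):
    """Flag what the page removes: every ILMI group and every SNMPv1 group."""
    flagged = []
    for g in parse_groups(text):
        if g["name"].upper() == "ILMI":
            flagged.append((g["name"], g["model"], "default ILMI group"))
        elif g["model"] == "v1":
            flagged.append((g["name"], g["model"], "SNMPv1 left enabled"))
    return flagged

def remediation(text):
    """Build the matching 'no snmp-server group' lines for review before use."""
    return [f"no snmp-server group {name} {model}" for name, model, _ in audit(text)]
```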

 

Enforcing minimum password length for switches and routers

To enforce a minimum number of characters for user passwords, you can use the following command:

Router(config)#security passwords min-length ?
 <0-16> Minimum length of all user/enable passwords
Router(config)#security passwords min-length 8

Test

Router(config)#username test password toto
% Invalid Password length - must contain 8 to 25 characters. Password configuration failed