There are several changes when an ASA is upgraded from 8.2 to 8.4(2). The most notable of these are the ones dealing with the syntax of the NAT configuration. However, there is another gotcha that you might not be expecting. SSH will no longer work with the default username of “pix” like it did prior to the upgrade. This article addresses the simple configuration task of rectifying this issue. Ideally, these tasks would be performed prior to an upgrade to avoid the loss of remote connectivity.
In versions prior to 8.4, the ASA was configured for SSH with the following commands.
ciscoasa(config)# crypto key generate rsa
ciscoasa(config)# passwd <some password>
ciscoasa(config)# ssh x.x.x.x y.y.y.y <interface>
The above configuration does the following:
- Generates a key pair
- Sets a password
- Specifies the interface and SSH Client Source addresses that are acceptable
What is left out of the above is the username. SSH requires a username, unless the user is authenticating themselves using an RSA public key. In the configuration above, the default username of “pix” can be sent to the ASA from the SSH client. Version 8.4(2) no longer allows the default username.
To resolve this issue, another authentication method must be configured. To emulate the pre-8.4 behavior, the following can be configured.
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# username pix password <some password>
If this happens to be a fresh 8.4(2) configuration, as opposed to a migrated configuration, the key pair still needs to be generated and SSH permitted on the interface.
ciscoasa(config)# crypto key generate rsa
ciscoasa(config)# ssh x.x.x.x y.y.y.y <interface>
If this is an 8.4(2) or greater implementation that is an upgrade of an ASA that already accepts SSH, there is no need for the above two commands. There would only be a need to enter the username and LOCAL aaa authentication method. Ideally, this would be done prior to an upgrade to avoid any issues with accessing the device remotely.
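As an added example (not part of the original post, and not a Cisco tool), the following Python script performs the pre-upgrade check this article recommends: it scans a saved copy of “show running-config” and reports whether SSH access will keep working once 8.4(2) rejects the default username. It flags a device that permits SSH but has no “aaa authentication ssh console” line, and a device that uses LOCAL authentication without any “username” entry; a device that authenticates against an external server group (the TACACS+ scenario raised in the comments) passes. The three configuration excerpts, the server-group name MY_TACACS and the function names are constructed for this example, and only IPv4 “ssh <address> <mask> <interface>” lines are recognised.

```python
import re

# Constructed sample configs (not taken from the original post). They mimic the
# output of "show running-config" on an ASA, trimmed to the lines that matter.
PRE_84_CONFIG = """\
hostname ciscoasa
passwd 2KFQnbNIdI.2KYOU encrypted
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.0.2.10 255.255.255.255 outside
ssh timeout 5
"""

LOCAL_AUTH_CONFIG = """\
hostname ciscoasa
username pix password 2KFQnbNIdI.2KYOU encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
"""

# Hypothetical external server group name, as in the TACACS+ question in the comments.
TACACS_AUTH_CONFIG = """\
hostname ciscoasa
aaa-server MY_TACACS protocol tacacs+
aaa authentication ssh console MY_TACACS LOCAL
ssh 10.1.1.0 255.255.255.0 inside
"""

DEFAULT_USERNAME = "pix"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "ssh <address> <mask> <interface>" only (IPv4); "ssh timeout 5" etc. do not match.
SSH_ACCESS_RE = re.compile(rf"^ssh\s+({IPV4})\s+({IPV4})\s+(\S+)$")
# First token after "aaa authentication ssh console" is the primary method/server group.
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)")
USERNAME_RE = re.compile(r"^username\s+(\S+)\s")


def audit_ssh_config(config: str) -> dict:
    """Parse a running-config and decide whether SSH logins survive an 8.4(2) upgrade."""
    ssh_access = []      # (address, mask, interface) tuples that permit SSH
    aaa_method = None    # primary method for "aaa authentication ssh console", if any
    usernames = set()    # accounts in the LOCAL user database
    for raw in config.splitlines():
        line = raw.strip()
        m = SSH_ACCESS_RE.match(line)
        if m:
            ssh_access.append(m.groups())
            continue
        m = AAA_SSH_RE.match(line)
        if m:
            aaa_method = m.group(1)
            continue
        m = USERNAME_RE.match(line)
        if m:
            usernames.add(m.group(1))

    findings = []
    if not ssh_access:
        findings.append("no 'ssh <address> <mask> <interface>' line: SSH is not permitted anywhere")
    elif aaa_method is None:
        findings.append(
            f"SSH permitted without 'aaa authentication ssh console': logins rely on the "
            f"default username '{DEFAULT_USERNAME}', which 8.4(2) rejects"
        )
    if aaa_method == "LOCAL" and not usernames:
        findings.append("'aaa authentication ssh console LOCAL' with no 'username' entry: nobody can log in")

    survives = bool(ssh_access) and aaa_method is not None and (aaa_method != "LOCAL" or bool(usernames))
    return {
        "ssh_access": ssh_access,
        "aaa_method": aaa_method,
        "usernames": sorted(usernames),
        "findings": findings,
        "ssh_survives_upgrade": survives,
    }


def remediation(result: dict) -> list:
    """Commands from the article that are still missing for this device (placeholders in <>)."""
    cmds = []
    if result["aaa_method"] is None:
        cmds.append("aaa authentication ssh console LOCAL")
    if result["aaa_method"] in (None, "LOCAL") and not result["usernames"]:
        cmds.append("username <name> password <some password>")
    return cmds


if __name__ == "__main__":
    for label, cfg in [("pre-8.4 style", PRE_84_CONFIG),
                       ("LOCAL auth", LOCAL_AUTH_CONFIG),
                       ("TACACS+ auth", TACACS_AUTH_CONFIG)]:
        res = audit_ssh_config(cfg)
        print(f"[{label}] SSH survives upgrade: {res['ssh_survives_upgrade']}")
        for f in res["findings"]:
            print("  finding:", f)
        for c in remediation(res):
            print("  add:", c)
```

In practice the config text would come from a file captured over the existing SSH session (or from a configuration archive) before the upgrade is scheduled; running the check over every device in a batch, as the commenter with 100-plus ASAs would want, turns the “at least one of them” surprise into a list of devices that need the two commands beforehand.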

But that’s the case only when we’re using the default username of ‘pix’, right? In our organization we are using TACACS credentials to SSH into CPE devices from a jump host. So after migrating from 8.2 to 8.4(2) there won’t be any issues in this scenario. Am I correct in understanding this?
There’s a project coming up for migrating more than 100 ASAs from 8.2 to 8.4(2). And now I’m so sure that there’s going to be at least one of them with this SSH issue.
You are correct. It is an issue only if you are using default usernames in your pre-upgrade environment. I was a bit surprised by this gotcha though. Luckily, I found it prior to doing a remote upgrade.
Pingback: Internets of Interest for 25th January 2012 — My EtherealMind