SSH Access
If you enabled management center access on a data interface, such as outside, you should enable SSH on that interface using this procedure. This section describes how to enable SSH connections to one or more data interfaces on the threat defense.
The threat defense uses the CiscoSSH stack, which is based on OpenSSH. CiscoSSH supports FIPS compliance and regular updates, including updates from Cisco and the open source community.
Note | SSH is enabled by default on the Management interface; however, this screen does not affect Management SSH access. |
The Management interface is separate from the other interfaces on the device. It is used to set up and register the device to the management center. SSH for data interfaces shares the internal and external user list with SSH for the Management interface. Other settings are configured separately: for data interfaces, enable SSH and access lists using this screen; SSH traffic for data interfaces uses the regular routing configuration, and not any static routes configured at setup or at the CLI.
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.
To use SSH, you do not also need an access rule allowing the host IP address. You only need to configure SSH access according to this section.
You can SSH only to a reachable interface (including an interface in a user-defined virtual router); if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface. When you enable SSH in a user-defined virtual router, and you want VPN users to access SSH, be sure to terminate the VPN on the same virtual router. If the VPN is terminated on another virtual router, then you must configure route leaks between the virtual routers.
SSH supports the following ciphers and key exchange:
- Encryption—aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr
- Integrity—hmac-sha2-256
- Key exchange—dh-group14-sha256
Note | After you make three consecutive failed attempts to log into the CLI using SSH, the device terminates the SSH connection. |
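Because the device only negotiates the algorithms listed above, a connection that fails before the login prompt is often an algorithm mismatch rather than an access-list problem. The following script is an added example, not part of the Cisco documentation: it compares the device's advertised sets with the effective proposal of the local OpenSSH client (read from `ssh -G`) and reports, per category, whether at least one algorithm is shared. The `main` entry point and the placeholder host name passed to `ssh -G` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): check whether the local
# OpenSSH client can negotiate with the threat defense data-interface SSH
# server, using the algorithm sets the documentation lists.

# Algorithm sets taken from the documentation, one space-separated string each.
DEVICE_CIPHERS="aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr"
DEVICE_MACS="hmac-sha2-256"
DEVICE_KEX="dh-group14-sha256"

# common_algs DEVICE_LIST CLIENT_LIST
# Prints the algorithms of DEVICE_LIST that also appear in CLIENT_LIST, in device order.
common_algs() {
    device="$1"; client="$2"; out=""
    for alg in $device; do
        for calg in $client; do
            [ "$alg" = "$calg" ] && out="${out}${out:+ }$alg"
        done
    done
    printf '%s\n' "$out"
}

# client_algs KEYWORD   (ciphers | macs | kexalgorithms)
# Reads the client's effective proposal from 'ssh -G'; prints nothing if ssh is absent.
# The host name is a placeholder: -G only evaluates configuration, it does not connect.
client_algs() {
    command -v ssh >/dev/null 2>&1 || return 0
    ssh -G ftd-placeholder.example 2>/dev/null \
        | awk -v k="$1" '$1 == k { print $2 }' | tr ',' ' '
}

# check_category LABEL DEVICE_LIST CLIENT_LIST
# Returns 0 when the two sides share at least one algorithm, 1 otherwise.
check_category() {
    shared=$(common_algs "$2" "$3")
    if [ -n "$shared" ]; then
        printf '%s: OK (%s)\n' "$1" "$shared"
        return 0
    fi
    printf '%s: NO MATCH, negotiation with the device will fail\n' "$1"
    return 1
}

main() {
    check_category "Encryption"   "$DEVICE_CIPHERS" "$(client_algs ciphers)"
    check_category "Integrity"    "$DEVICE_MACS"    "$(client_algs macs)"
    check_category "Key exchange" "$DEVICE_KEX"     "$(client_algs kexalgorithms)"
}

case "${1:-}" in --run) main ;; esac
```

Run it with `sh check_ssh_algs.sh --run` on the SSH client host; a `NO MATCH` line identifies the category that has to be adjusted in the client's ssh_config (for example via `Ciphers`, `MACs` or `KexAlgorithms`) before the access list is worth investigating.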
Before you begin
- You can configure SSH internal users at the CLI using the configure user add command; see Add an Internal User at the CLI. By default, there is an admin user for which you configured the password during initial setup. You can also configure external users on LDAP or RADIUS by configuring External Authentication in platform settings. See External Authentication.
- You need network objects that define the hosts or networks you will allow to make SSH connections to the device. You can add objects as part of the procedure, but if you want to use object groups to identify a group of IP addresses, ensure that the groups needed in the rules already exist. Select to configure objects.
Note | You cannot use the system-provided any network object. Instead, use any-ipv4 or any-ipv6. |
Procedure
Step 1 | Choose the threat defense policy, and create or edit it. |
Step 2 | Select SSH Access. |
Step 3 | Identify the interfaces and IP addresses that allow SSH connections. Use this table to limit which interfaces will accept SSH connections, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses. |
Step 4 | Click Save. You can now go to and deploy the policy to assigned devices. The changes are not active until you deploy them. |