How to enable AES-CTR encryption for ASA 5520

tusharp81
Level 1

Dear Team,

When we run show ssh sessions on our ASA, it shows the following output:

K-ASA# show ssh sessions
SID Client IP       Version Mode Encryption    Hmac     State            Username
0   x.x.x.x               2.0     IN      aes256-cbc      sha1     SessionStarted   *******
                                     OUT   aes256-cbc       sha1     SessionStarted   *******

We can observe that for encryption it is using aes256-cbc. Now we want to disable the CBC encryption and enable the CTR encryption for SSH.

For the same, we have upgraded the ASA OS to 9.1.2. Kindly confirm how we can enable the same.

Rgds,

Tushar

3 Replies

Marcin Latosiewicz
Cisco Employee

Tushar,

It's enabled on the server.

Mind that you need the client to want to use it :-)

From Linux I tested this:

ssh -c aes128-ctr bsns-asa5585-60-2 -l cisco

which resulted in

BSNS-ASA5585-60-2# show ssh sessions detail
SSH Session ID          : 1
Client IP              : 10.48.93.4
Username               : cisco
SSH Version            : 2.0
State                  : KeysExchanged
Inbound Statistics
  Encryption            : aes128-ctr
  HMAC                  : md5
  Bytes Received        : 272
Outbound Statistics
  Encryption            : aes128-ctr
  HMAC                  : md5
  Bytes Transmitted     : 176
Rekey Information
  Time Remaining (sec)  : 3284
  Data Remaining (bytes): 996147024
  Last Rekey            : 09:00:43.255 UTC Tue Jan 21 2014
  Data-Based Rekeys     : 0
  Time-Based Rekeys     : 0
BSNS-ASA5585-60-2#

No special settings on ASA.

M.

Thanks a lot. Can you please confirm how we can test the same through PuTTY? Or is there any other client through which we can test this (from a Windows machine)?

How can we test this (from which machine have you tested)? Also, is there any way by which we can disable CBC encryption on the ASA 5520?

Awaiting your reverts.

Rgds,

Tushar

I just want to know if we can disable CBC on the ASA. I have got an SSH client which supports AES-CTR encryption.

We have one other ASA observation after the VA test, i.e. SSH Weak MAC Algorithms Enabled.

Could you please help me in getting this closed?

Rgds,

Tushar
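An added example, not part of any post in this thread: a small Python audit of captured "show ssh sessions detail" output that reports, per session and direction, any CBC cipher or weak MAC actually negotiated. The sample text is constructed in the layout shown above, and the set of MACs treated as weak (MD5 and 96-bit truncated variants) is an assumption about what the VA finding covers.

```python
import re

# Constructed sample, laid out like the "show ssh sessions detail" output above.
SAMPLE = """\
SSH Session ID          : 1
Client IP              : 10.48.93.4
Inbound Statistics
  Encryption            : aes128-ctr
  HMAC                  : md5
Outbound Statistics
  Encryption            : aes128-ctr
  HMAC                  : md5
SSH Session ID          : 2
Client IP              : 192.0.2.10
Inbound Statistics
  Encryption            : aes256-cbc
  HMAC                  : sha1
Outbound Statistics
  Encryption            : aes256-cbc
  HMAC                  : sha1
"""

# Assumption: MACs treated as weak here are MD5 and 96-bit truncated variants.
WEAK_MACS = {"md5", "md5-96", "sha1-96"}

def audit_sessions(text):
    """Return a list of (session_id, client_ip, direction, issue) tuples."""
    findings, sid, ip, direction = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"([^:]+?)\s*:\s*(.+)$", line)
        if not m:
            # Section header or CLI prompt: track Inbound/Outbound, else reset.
            word = line.split(" ")[0].lower()
            direction = word if word in ("inbound", "outbound") else None
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SSH Session ID":
            sid, ip, direction = value, None, None
        elif key == "Client IP":
            ip = value
        elif key == "Encryption" and direction and value.lower().endswith("-cbc"):
            findings.append((sid, ip, direction, "CBC cipher " + value))
        elif key == "HMAC" and direction and value.lower() in WEAK_MACS:
            findings.append((sid, ip, direction, "weak MAC " + value))
    return findings
```

Running it over output collected after a client-side change shows whether sessions still negotiate CBC or a flagged MAC, since the negotiated algorithms depend on what each client offers.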
