05-05-2018 01:08 AM - edited 02-21-2020 07:42 AM
Would anyone be able to advise on how to enforce SSH v2 for connections passing through an ASA firewall? I'm aware of the 'ssh version 2' command, however my understanding is that this relates only to SSH connections to the ASA for management.
I've created a service object 'ssh_version_2' however I've looked at applying this to a policy map but can't see any option to restrict the SSH version.
For info, I'm running 9.8 s/w on new ASA5525 and ASA5545 appliances.
05-05-2018 01:11 AM
I believe this is what you are after:
https://supportforums.cisco.com/t5/firewalling/how-to-enable-ssh-on-asa-5525/td-p/2009812
05-05-2018 05:29 AM
Hi Dennis,
Thanks for your response, however that link appears to relate to restricting SSH version 'to' the ASA, whereas my requirement is to restrict SSH to version 2 for any connections 'through' the ASA.
For example -
Client PC--------ASA-------Server
I want to setup the ASA to permit the Client PC to SSH to the Server using SSHv2 only. Any connections which negotiate SSHv1 should be dropped.
Due to Security policy in our environment we only permit SSHv2 on our network.
Thanks
05-06-2018 04:23 AM
Did you add the ssh version 2 command? Because that would restrict it to v2 only.
05-06-2018 04:42 AM
To the best of my knowledge what you are trying to do is not possible. You can match on the port tcp/22 but not on the SSH version. I have also checked if this is possible on Firepower, and it doesn't look to be possible there either.
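The answer above notes that the ASA can match tcp/22 but not the SSH version. The version actually negotiated is only visible in the identification strings both sides exchange after the TCP handshake (RFC 4253 sections 4.2 and 5.1), so it has to be inspected at that layer rather than by a port match. The following is an added example, not code from this thread or from Cisco, that parses such banners and flags flows that would settle on protocol 1; the sample banners and flow labels are constructed assumptions.

```python
import re

# Identification string format from RFC 4253 section 4.2:
#   "SSH-protoversion-softwareversion SP comments CR LF"
# A peer announcing protoversion "1.99" supports both protocol 1 and 2
# (RFC 4253 section 5.1); "2.0" means protocol 2 only, "1.x" protocol 1 only.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)


def parse_banner(line):
    """Return (protoversion, softwareversion) or None if line is not an SSH ID."""
    m = BANNER_RE.match(line)
    if m is None:
        return None
    return m.group("proto"), m.group("software")


def supports(proto):
    """Map a protoversion string to the set of major protocols it offers."""
    if proto == "1.99":
        return {1, 2}
    if proto.startswith("2."):
        return {2}
    if proto.startswith("1."):
        return {1}
    return set()


def negotiated_version(client_line, server_line):
    """Return 2, 1, or None (incompatible or not SSH) following RFC 4253 5.1."""
    c, s = parse_banner(client_line), parse_banner(server_line)
    if c is None or s is None:
        return None
    common = supports(c[0]) & supports(s[0])
    if 2 in common:
        return 2
    return 1 if 1 in common else None


def policy_violations(exchanges):
    """Given (flow, client_banner, server_banner) tuples, return the flows
    that do not end up on protocol 2, i.e. violate an SSHv2-only policy."""
    return [flow for flow, c, s in exchanges if negotiated_version(c, s) != 2]


# Constructed sample banners (assumed, not captured from a real network):
SAMPLE = [
    ("10.0.0.5->10.0.1.10:22", "SSH-2.0-OpenSSH_7.4\r\n", "SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.0.6->10.0.1.11:22", "SSH-1.5-legacy_client\r\n", "SSH-1.99-Cisco-1.25\r\n"),
    ("10.0.0.7->10.0.1.12:22", "SSH-2.0-PuTTY_Release_0.70\r\n", "SSH-1.99-Cisco-1.25\r\n"),
]

if __name__ == "__main__":
    for flow in policy_violations(SAMPLE):
        print("SSHv2-only policy violated:", flow)
```

Only the second sample flow is flagged: a protocol-1-only client talking to a 1.99 server falls back to protocol 1, while a 2.0 client against the same server negotiates protocol 2.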