Posted  by 

Asa 5505 Attempt To Generate Rsa Keys Failed

Asa 5505 Attempt To Generate Rsa Keys Failed 4,7/5 4557 reviews

Welcome back to this series where we cover CCNA Security topics using Cisco Packet Tracer in our labs. In the previous lab, we started looking at the Cisco ASA and we will continue looking at this Cisco appliance in this lab.

  1. How To Generate Rsa Keys
  2. Asa 5505 Attempt To Generate Rsa Keys Failed Update
  3. Asa 5505 Attempt To Generate Rsa Keys Failed Windows 10
  4. Asa 5505 Attempt To Generate Rsa Keys Failed To Start

The lab setup from the last article is as shown below:

Fail to establish SSH session because RSA host key retrieval failed. Now you need to configure the authentication piece of remote access for the connection. On the left side select Users/AAA - AAA Access. Under the Authentication Tab, Check SSH and select Server Group: LOCAL.

In this lab, we will configure routing on the Cisco ASA, look at the Cisco Modular Policy Framework (MPF) and also configure SSH for management access to the Cisco ASA.

Two files are attached to this article:

How to create self-signed certificates An article by Fabio Semperboni Tutorial A digital certificate or identity certificate is an electronic document which uses a digital signature to bind a public key with an identity, information such as the name of a person. To generate a Certificate Signing Request (CSR) for Cisco ASA 5510, a key pair must be created for the server. These two items are a public key and a private key pair and cannot be separated. Like all key pairs the private key once created will remain on the system where the CSR is made. Mar 04, 2008  So, I purchased a Cisco ASA 5505 to build a VPN Tunnel from a remote office to my main office. Really simple to do, when you are using Easy VPN. Anyway, I wanted to turn on SSH. So, I enabled SSH on the ASA, and tried to access it: apaxson@netutil $ ssh -l username. Cisco ASA SSH, Don’t Forget To Generate A Key. It looks like you need to generate an RSA key for SSH: 1. Filed under Cisco, Cisco ASA, Networking, Security.

  • cisco_asa_routing_mpf_mgt_init.pkt: This Packet Tracer file is actually the “final” PKT file from the previous lab.
  • cisco_asa_routing_mpf_mgt_final.pkt: This Packet Tracer file contains the lab setup with the ASA fully configured to meet the lab requirements.

The tasks for this lab are as follows:

  • Configure a loopback interface on the Outside_RTR with an IP address of 8.8.8.8/32.
  • Configure a default route on the ASA pointing to the Outside_RTR. Ensure that you can ping the newly configured loopback on the Outside_RTR from the Cisco ASA.
  • The ‘Inside User’ should be able to initiate connections to the ‘Web Server’ and get a response. You should also ensure that ping from the ‘Inside User’ to the ‘Web Server’ is successful. Do not use an access list to accomplish this.
  • Enable SSH access to the ASA from any IP address on both the inside and outside interfaces. Create a local user on the ASA to be used for authentication with the following credentials: Username – “insideuser” and Password – “userpwd”.

Lab Solutions

Task 1: Loopback Interface Settings

The goal of this task is just to simulate an external host, e.g. a device on the Internet.

Task 2: Default Routing

As I said in the last article, many commands that have “ip” in the Cisco IOS do not have “ip” in the Cisco ASA. The route command, used to configure static/default routes on the Cisco ASA, is an example of this.

Another thing to keep in mind with the Cisco ASA is that you must specify an interface name (e.g. inside, outside) for any route statement. This interface name specifies the interface through which the next hop IP address is reachable.

Finally, instead of specifying “0.0.0.0 0.0.0.0” like we do on the Cisco IOS, we can shorten it to “0 0” on the Cisco ASA. However, this short form is not (yet) implemented in Packet Tracer so we must specify it in its full form.

To test this configuration, we will ping the 8.8.8.8 IP address from the Cisco ASA:

Task 3: Inside to DMZ Communication

In the last lab, we said that due to the license that comes with the Cisco ASA in Packet Tracer (Base License), the 3rd VLAN we created (dmz) will be a restricted VLAN, i.e. it will only be able to initiate a connection to only one other VLAN. In that lab, we restricted the dmz VLAN from initiating a connection to the inside VLAN. Notice the word “initiate” in that sentence? It means that even though the dmz VLAN cannot initiate traffic to the inside, the inside VLAN can actually initiate traffic to the dmz and the dmz will respond.

Since the inside interface is on a higher security interface than the dmz, traffic from the inside to the dmz will be allowed by default. We can confirm this by opening an HTTPS connection from the ‘Inside User’ to the ‘Web Server’:

Note: Even though HTTP is also enabled on the Web Server, http://172.16.10.100 doesn’t work for some reason. I assume it’s some limitation with Packet Tracer. Two services I found to work are HTTPS and SMTP.

However, the task also requires that ping traffic from the ‘Inside User’ to the ‘Web Server’ is successful, so let’s test that:

As you can see, the ping failed. The problem is that, by default, ICMP inspection is not enabled on the Cisco ASA so even though the ping from the inside is getting to the dmz, the return traffic is not permitted. There are two ways around this issue:

  1. Use the Cisco Modular Policy Framework (MPF).

The task specifically said not to use an ACL so we are left with the second option. Although you can configure an ICMP policy on the ASA, an easier option is to copy the default MPF configuration from the Cisco site and edit it to include ICMP inspection. Due to the limitations of Packet Tracer, some of the commands included in the default MPF configuration are not supported so you will end up with a configuration similar to the following:

As you can see, I have enabled ICMP inspection (inspect icmp) under the “global_policy” policy map. Let’s test again:

How To Generate Rsa Keys

Task 4: SSH Access

To enable SSH on the Cisco ASA, there are a couple of things we need to do:

  • Generate an RSA Key Pair. There is a default RSA Key pair on the Cisco ASA called “Default-RSA-Key”.
  • If you will be using local authentication, create username/password combinations.
  • Configure the ASA to use local authentication for SSH connections.
  • Specify what IP addresses can manage the ASA using SSH and through what interface.

We can view the default RSA key pair using the show crypto key mypubkey rsa command:

The other necessary configuration is as follows:

Let’s first test this configuration from the ‘Inside User’ by opening command prompt and typing “ssh –l insideuser 10.0.0.1”:

The SSH connection was successful. Let’s now test from the Outside_RTR:

Great! We have now successfully completed the tasks in this lab.

Asa 5505 Attempt To Generate Rsa Keys Failed Update

Summary

Asa 5505 Attempt To Generate Rsa Keys Failed Windows 10

This brings us to the end of this Packet Tracer lab where we have configured routing, Cisco MPF and also enabled SSH on the Cisco ASA 5505.

In the next article, we will continue with another lab on the Cisco ASA. I hope you have found this lab insightful.

References and Further Reading

Asa 5505 Attempt To Generate Rsa Keys Failed To Start

  • CCNA Security Certification Series- #3 Cisco Firewall Technologies- cont’d: http://resources.intenseschool.com/ccna-security-certification-series-3-cisco-firewall-technologies-contd/
  • CCNA Security Certification Series – #4 Cisco Firewall Technologies – cont’d: http://resources.intenseschool.com/ccna-security-certification-series-4-cisco-firewall-technologies-contd/