
With this method, your SSH port is always closed until someone successfully requests a one-time passcode from the WiKID server, similar to port-knocking, but more secure.

This document was contributed by a WiKID user. This configuration file opens a port for SSH once the user has logged into an HTTPS front end. While this example uses TACACS+, it should also work with RADIUS.

 

 ! Step 1: configure wikid
! Step 1a: configure tacacs+ on wikid server

! Step 2: configure Cisco FWSM to use the tacacs+ service provided by wikid
! see also
! http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fwaaa_f.html
!
! Template config for using WiKID two-factor auth to allow ssh access
! This only covers wikid and ssh, not any other FW configs
! 'outside' is the outside FW interface, and 'dmz' is the protected interface
! I used 'names' for readability
! I use RFC1918 addresses in this example, but assume no NAT
!
! I have this running in production on two FWSMs with a more complicated config
! I have not tested the exact config below. If you see any errors, please let me know
!

names
! the wikid server
name 192.168.1.10 wikid-server
! the ssh server
name 192.168.1.11 shell-server
!
! define service ports and servers
object-group service ssh tcp
 description ssh
 port-object eq ssh
object-group network ssh-servers
 description ssh servers
 network-object host shell-server

object-group service http-only tcp
 description http
 port-object eq www
object-group service https-only tcp
 description https
 port-object eq https

object-group network wikid-servers
 description wikid servers
 network-object host wikid-server

! allow wikid clients to access the wikid server
access-list outside-acl extended permit tcp any object-group wikid-servers object-group http-only 
! allow access to https for auth
access-list outside-acl extended permit tcp any object-group ssh-servers   object-group https-only 
! allow ssh, but also needs AAA below
access-list outside-acl extended permit tcp any object-group ssh-servers   object-group ssh
access-group outside-acl in interface outside

! 5 minute timeout to cache wikid response
! once you auth via https://shell-server you have 5 minutes to log into the ssh server
! after that you need a new token
timeout uauth 0:05:00 absolute

! 
aaa-server 2factor protocol tacacs+
aaa-server 2factor (dmz) host wikid-server
! key must match wikid server key
 key SuperSecret

! allow ssh only after auth with https://shell-server
aaa authentication include ssh   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor 

! you should NOT be running a webserver with ssl support on the shell-server
! the FWSM generates an SSL cert for its part in the auth process that
! will conflict with the one on the shell server
aaa authentication include https outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor 

! optional as it allows the wikid token to pass in cleartext
! also needs a matching acl above (left as an exercise to the reader)
! aaa authentication include ftp   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! aaa authentication include http  outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor


! as an example of how to allow some hosts to bypass the token auth
! aaa authentication exclude ssh outside shell-server 255.255.255.255 my.home.ip 255.255.255.255 2factor
! 

! For the Cisco ASA I think you will need this also
! aaa authentication listener http outside port 1080 redirect
! aaa authentication listener https outside port 1443 redirect
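
An added example, not part of the contributed config or of any WiKID or Cisco tooling: a small Python audit over the AAA lines of a config like the one above. It flags passcode prompts on the cleartext services the config warns about, hosts excluded from token auth, an ssh rule with no https prompt, and a uauth cache longer than the template's 5 minutes; the 300-second limit, the finding labels and the sample lines are assumptions constructed for the example.

```python
import re

# Constructed sample: the AAA lines from the template above, with the optional
# cleartext http rule and the bypass rule switched on to show the findings.
SAMPLE = """\
timeout uauth 0:05:00 absolute
aaa authentication include ssh   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
aaa authentication include https outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! aaa authentication include ftp   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
aaa authentication include http  outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
aaa authentication exclude ssh outside shell-server 255.255.255.255 my.home.ip 255.255.255.255 2factor
"""

CLEARTEXT = {"http", "ftp"}   # per the config comments, these pass the token in cleartext
MAX_UAUTH = 300               # assumed policy: no longer than the template's 5 minutes

AAA = re.compile(r"aaa authentication (include|exclude) (\S+) (\S+) (\S+) \S+ (\S+) (\S+) (\S+)$")
UAUTH = re.compile(r"timeout uauth (\d+):(\d+):(\d+)")

def audit(config):
    findings, included, uauth = [], {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())             # normalise the column-aligned spacing
        if not line or line.startswith("!"):     # '!' lines are comments, not active config
            continue
        if m := UAUTH.match(line):
            h, mi, s = map(int, m.groups())
            uauth = h * 3600 + mi * 60 + s
        elif m := AAA.match(line):
            action, svc, iface, host, src, mask, _group = m.groups()
            if action == "exclude":
                findings.append(f"bypass: {src}/{mask} reaches {svc} on {host} without a passcode")
            else:
                included.setdefault((iface, host), set()).add(svc)
    for (iface, host), svcs in included.items():
        for svc in sorted(svcs & CLEARTEXT):
            findings.append(f"cleartext: {svc} prompt on {host} exposes the passcode")
        if "ssh" in svcs and "https" not in svcs:
            findings.append(f"no-https: ssh on {host} is gated but has no https prompt")
    if uauth is None or uauth > MAX_UAUTH:
        findings.append(f"uauth: timeout {uauth} is unset or above {MAX_UAUTH} seconds")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Commented-out lines are skipped, so the template exactly as contributed produces no findings.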
 





 

Copyright © WiKID Systems, Inc. 2025 | Two-factor Authentication