SSH to Cisco ASA fails, unable to negotiate, no matching key exchange method found.

Short story: With SSH clients based on OpenSSH 7.0 or later (like the one on my OS X Mac) I cannot connect with SSH to a Cisco ASA firewall running this code. To connect anyway I must add the parameter -oKexAlgorithms=+diffie-hellman-group1-sha1 to ssh.

OpenSSH 7.0 disabled the diffie-hellman-group1-sha1 key exchange method by default: it uses a fixed 1024-bit Diffie-Hellman group (and SHA-1), both of which are considered too weak today. Cisco ASA firewalls running older code offer only that key exchange method, so connecting with ssh to the device gives you an error message similar to this:

bash>ssh jimmy@10.192.168.1
Unable to negotiate with 10.192.168.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
bash>

The quick fix is to temporarily re-enable that key exchange method in your ssh client for this connection. On OS X (and any other OpenSSH client) you add the parameter -oKexAlgorithms=+diffie-hellman-group1-sha1; the leading plus appends the method to the client's default list instead of replacing the list:

bash>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 jimmy@10.192.168.1
jimmy@10.192.168.1's password: 
Type help or '?' for a list of available commands.
5506> 

The permanent and much better solution is of course to tell the ASA to offer a stronger key exchange method. Unfortunately that is not possible in this code. As a sidenote, there is a new feature in versions 9.6(1) and 9.1(7) that lets you restrict the SSH ciphers and MACs the ASA accepts.

For that the ssh cipher configuration command must be available; if it is not, upgrade. On my box running 9.5(2) it does not exist:

5506(config)# ssh ci?
ERROR: % Unrecognized command
5506(config)# ssh ci

After upgrading to 9.6(1) I am able to select SSH cipher parameters both for integrity (MAC) and encryption:

5506(config)# ssh cipher integrity ?

configure mode commands/options:
  all     Specify all ciphers
  custom  Choose a custom cipher integrity configuration string.
  fips    Specify only FIPS-compliant MACs
  high    Specify only high-strength MACs
  low     Specify low, medium, and high strength MACs
  medium  Specify medium and high strength MACs (default)
5506(config)# ssh cipher encryption ?

configure mode commands/options:
  all     Specify all ciphers
  custom  Choose a custom cipher encryption configuration string.
  fips    Specify only FIPS-compliant ciphers
  high    Specify only high-strength ciphers
  low     Specify low, medium, and high strength ciphers
  medium  Specify medium and high strength ciphers (default)
5506(config)#

It is not obvious what these cipher suites mean, but there is a command “show ssh ciphers” that lists them:

5506(config)# sh ssh ciphers 
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
	all:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	low:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	medium:	 3des-cbc     aes128-cbc   aes192-cbc   aes256-cbc   aes128-ctr   aes192-ctr   aes256-ctr  
	fips:	 aes128-cbc   aes256-cbc  
	high:	 aes256-cbc   aes256-ctr  
Integrity Algorithms:
	all:	 hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96 
	low:	 hmac-sha1    hmac-sha1-96 hmac-md5     hmac-md5-96 
	medium:	 hmac-sha1    hmac-sha1-96
	fips:	 hmac-sha1   
	high:	 hmac-sha1   
5506(config)# 

But wooooot??? Only SHA-1 based MACs available? That was unexpected. Note also that both lists cover only the encryption and integrity algorithms; there is no option for the key exchange method at all. Let's try the highest suite available anyway:

5506(config)# ssh cipher encryption high
5506(config)# ssh cipher integrity high
5506(config)# exit
5506# wr mem

After a restart (just to be sure) I still cannot connect from my Mac, which makes sense: the key exchange offer is not affected by the ssh cipher commands:

bash>ssh jimmy@10.192.168.1
Unable to negotiate with 10.192.168.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
bash>

Let's see what the SSH negotiation looks like. It is Wireshark o'clock!

This image (click for a larger version) shows that the ASA offers diffie-hellman-group1-sha1 as the only acceptable key exchange method:

Wireshark screendump of the packet sent from the ASA to the client containing the SSH key exchange offer (SSH_MSG_KEXINIT)

And this image (click for a larger version) shows the reply from the client, which is a bit more flexible, offering a lot of different key exchange methods, including “diffie-hellman-group-exchange-sha1”, which sounds pretty close to “diffie-hellman-group1-sha1” if you ask me. It is not the same thing:

Reply packet (SSH_MSG_KEXINIT) from the client to the ASA

The difference is the group, not the hash. diffie-hellman-group1-sha1 (RFC 4253) always uses one fixed 1024-bit MODP group (Oakley group 2), which is why OpenSSH 7.0 turned it off. diffie-hellman-group-exchange-sha1 (RFC 4419) lets the client ask the server for a group of a size it is willing to accept (current OpenSSH clients ask for at least 2048 bits), so the group strength is negotiated even though the hash is the same. Since this ASA code offers only the fixed 1024-bit group and none of the group-exchange or group14 methods, the two key exchange lists have no method in common and the negotiation fails before any cipher or MAC is even considered. Cisco later added an ssh key-exchange group command to the ASA that can select dh-group14-sha1 (a 2048-bit group); check the command reference for your release to see whether yours has it. In the meantime, while waiting for Cisco to update the SSH key exchange options in the ASA, use the workaround parameter stated above, preferably scoped to this one host in ~/.ssh/config rather than enabled globally.
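The negotiation the two captures show, as an added example that is not part of the original post: a small Python script that builds and parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1) and applies the negotiation rule from the same section. The algorithm lists are constructed: the ASA side mirrors the capture above (only diffie-hellman-group1-sha1) and the “high” cipher and MAC sets from the show ssh ciphers output, while the OpenSSH client ordering is an assumption about a typical 7.x default. With the client's default list the key exchange set is empty, which is exactly the “no matching key exchange method found” error; appending diffie-hellman-group1-sha1, which is what the + in -oKexAlgorithms does, makes it succeed.

```python
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20

# Field order of SSH_MSG_KEXINIT after the 16-byte cookie (RFC 4253, section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_client_to_server",
    "encryption_server_to_client",
    "mac_client_to_server",
    "mac_server_to_client",
    "compression_client_to_server",
    "compression_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def _name_list(names: List[str]) -> bytes:
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = b"\x00" * 16) -> bytes:
    """Build the payload of an SSH_MSG_KEXINIT packet (the cookie here is constructed, not random)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += b"\x00"              # first_kex_packet_follows = FALSE
    payload += b"\x00\x00\x00\x00"  # reserved uint32, always 0
    return payload


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse a KEXINIT payload (what Wireshark decodes above) back into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip message id and cookie
    lists: Dict[str, List[str]] = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 rule: the first algorithm on the client's list that the server also lists wins."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


# Constructed sample: the ASA's KEXINIT as seen in the capture, with the "high" sets.
ASA_KEXINIT = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_client_to_server": ["aes256-cbc", "aes256-ctr"],
    "encryption_server_to_client": ["aes256-cbc", "aes256-ctr"],
    "mac_client_to_server": ["hmac-sha1"],
    "mac_server_to_client": ["hmac-sha1"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
})

# Assumed default key exchange list of an OpenSSH 7.x client (ordering is an assumption).
OPENSSH7_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
]


def negotiated_kex(client_kex: List[str], server_payload: bytes = ASA_KEXINIT) -> Optional[str]:
    """Parse the server's KEXINIT and negotiate the key exchange method against the client's list."""
    server = parse_kexinit(server_payload)
    return negotiate(client_kex, server["kex_algorithms"])


def with_legacy_kex(client_kex: List[str]) -> List[str]:
    """What -oKexAlgorithms=+diffie-hellman-group1-sha1 does: append to the list, do not replace it."""
    return client_kex + ["diffie-hellman-group1-sha1"]


if __name__ == "__main__":
    print("default client:", negotiated_kex(OPENSSH7_KEX))                   # None
    print("with +group1:  ", negotiated_kex(with_legacy_kex(OPENSSH7_KEX)))  # diffie-hellman-group1-sha1
```

Running it shows why the ssh cipher commands could not help: each name-list is negotiated on its own, and the ASA's kex_algorithms list never contained anything the client would accept. The same parser will decode a real KEXINIT payload exported from Wireshark if you want to check another device's offer.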

Update:

Cisco has noticed; waiting for more feedback…

Update 2: An answer from Cisco's support forum:

[screenshot of the Cisco support forum answer, 2016-12-02]

It seems that this is unresolved from Cisco's side right now…

Posted in Cisco Networking, Cisco Security

Cisco ASA CLI backup command

There is a new command in the Cisco ASA firewall that makes a full backup of the firewall from the CLI! Until recently we have been forced to use ASDM to download a full zip backup file from the device, or to settle for a “show run” from the CLI.

The command “backup location url” creates a full backup zip file of the device, including files on flash, certificates, the startup-config and running-config and more, and sends it to the given URL. This is good news!

In the video I show how it works.

Posted in Cisco Security

Cisco ASA firewall and ICMP traffic

In this video I explain how ICMP traffic (like ping: echo and echo-reply) is handled in the firewall.

ICMP packets are handled in 3 different ways depending on whether the traffic is to the box, from the box or through the box.

Certain parts of the configuration need to be taken care of depending on what you want to achieve, especially access-lists, the global icmp permit and icmp deny commands, and ICMP inspection (“fixup protocol icmp” in the old syntax) in the Modular Policy Framework.

TO the firewall
no ACL can block it
use the “icmp deny …” command to block it
only the closest interface answers ping (without NAT voodoo)

FROM the firewall
no ACL can block it
uses the closest interface as source by default
no NAT is ever applied

THRU the firewall
like all other transit traffic
ACL and NAT config apply
stateful only if ICMP inspection (“fixup protocol icmp”) is enabled

Please look at the video for further explanation
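The three cases above as an ASA configuration, added here as an example that is not from the original post or its video; the interface names, the management host address and the ACL name are assumptions.

```text
! TO the firewall: interface ACLs do not apply, the global icmp commands do.
! Allow echo from the management host only, block everything else on outside.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside

! FROM the firewall: nothing to configure. Packets leave the closest interface
! with that interface's own address as source and are never NATed.

! THRU the firewall: ordinary transit traffic, so the interface ACL and NAT apply.
access-list OUTSIDE_IN extended permit icmp any any echo
access-group OUTSIDE_IN in interface outside

! Without ICMP inspection the echo-reply coming back also needs an ACL entry.
! With inspection enabled in the Modular Policy Framework the reply is matched
! to the request (stateful) and needs no ACL entry of its own.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

The two icmp lines for the TO case are evaluated in order, so the permit must come before the deny; with no icmp commands at all the ASA answers ping on every interface it is reachable on.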

Posted in Cisco Security, Security

Cisco ASA builtin scp server

The Cisco ASA contains a built-in scp server. By enabling it you can use the scp protocol to transfer files to and from the firewall using an scp client.

scp is a secure file transfer protocol. It is a bit like ftp, but it runs over ssh. So in order to enable the scp server in the firewall you must first enable ssh access from the client to the firewall (generating RSA keys, allowing the source IP to manage the firewall over ssh and so on). When that is done the scp server is enabled with the command “ssh scopy enable”.

Now you can use the scp client on your machine to copy files to and from the firewall flash in a secure way!

Look at this video where I explain and demonstrate the feature.

Posted in Cisco Networking, Cisco Security

Cisco ASA 5506-x Firepower reimage process

Installing a new Firepower image on a Cisco ASA 5506-X seems to take forever. Sometimes we get output showing that the process is still running, and sometimes not. I have recorded the entire process and shrunk it down from almost 2 hours to less than 4 minutes.

I think that watching this video will help anyone who needs to reimage Firepower understand the different stages of the process.

Posted in Cisco Security, Security
