Every single decent Cisco device on earth has the ability to let a CLI user jump to another device with telnet or SSH. Except the ASA. I really wish that this feature could be added. Right now I am troubleshooting a firewall, and from where I am right now the only way in is to SSH to the ASA. I can do whatever I want inside the firewall from my SSH window, but I need to access a router inside of that firewall, and if this feature wasn't missing I could simply run "ssh ip-address" to jump to the switch's CLI.
Am I the last CLI guy on this planet? Please, Cisco?
Update: Greg Ferro wrote a reply on this and here are my comments:
This could be divided into several different questions.
1) Should we use SSH to manage the firewall? In my opinion the CLI is superior to a GUI for most tasks. There are exceptions, but for daily maintenance I prefer the CLI for several reasons. The alternative, the ASDM GUI, is equally safe/secure, because both SSH and ASDM use encrypted transports and the authentication part can be configured identically for both entry types.
2) From where should we allow maintenance of the firewall? Of course the most obvious answer to this is "from somewhere inside, but not from the internet". Sure, I agree. And you SHOULD lock down from which networks/hosts/directions management of the firewall is enabled, and you SHOULD lock it down as tight as possible.
But what if you NEED to manage your firewall "from the internet"? In most implementations some kind of fallback is needed so that the administrator can reach the network from abroad and make changes. This can be done in a ton of ways: VPN client, SSL portal, Citrix, you name it. The common thing with all these access ways is that they must be enabled "from anywhere". What's the point of allowing a VPN client in if you must be at a specific location (from a specific IP) to connect your VPN client? Or a Citrix session? So this must be enabled from anywhere.
So there are 2 ways to make this "from anywhere" connection secure:
1) It is encrypted. VPN client traffic is encrypted. The Citrix Access Gateway traffic is encrypted, the VPN portal is encrypted. And you know what? SSH is encrypted.
2) Authentication is safe enough. Validation of user rights can be done in a number of ways. Most common is of course username/password, but you can use any other available method, from soft tokens and hard tokens to biometrics or certificates. And you know what? All these authentication methods can be used for VPN clients, for all the other access methods mentioned above, as well as for SSH traffic.
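To make the two points above concrete on the ASA itself, here is an added configuration example (not from the original post, and not a quote of any particular Cisco document) that puts the weak "management from anywhere" setting next to the locked-down form, and then points SSH and ASDM at the same AAA server so both entry types authenticate identically. All addresses, the server name MGMT-TACACS and the shared secret are constructed placeholders; comments use the ASA's `:` comment syntax.

```cisco
: --- Weak: SSH and ASDM reachable from any source on the outside interface ---
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside

: --- Locked down: only the management LAN and one trusted external host ---
: SSH protocol version 1 is not acceptable; require version 2 only
ssh version 2
: Management LAN on the inside interface (placeholder network)
ssh 10.10.0.0 255.255.255.0 inside
: Single trusted admin host for the "from abroad" fallback (placeholder address)
ssh 203.0.113.10 255.255.255.255 outside
: Drop idle SSH sessions after 10 minutes
ssh timeout 10
: ASDM (HTTPS) only from the management LAN, never from the outside
http server enable
http 10.10.0.0 255.255.255.0 inside

: --- Same authentication source for SSH, ASDM and enable mode ---
: External AAA server (placeholder name, address and key)
aaa-server MGMT-TACACS protocol tacacs+
aaa-server MGMT-TACACS (inside) host 10.10.0.5
 key REPLACE-WITH-SHARED-SECRET
: TACACS+ first; LOCAL is the fallback if the server is unreachable
aaa authentication ssh console MGMT-TACACS LOCAL
aaa authentication http console MGMT-TACACS LOCAL
aaa authentication enable console MGMT-TACACS LOCAL
: Local break-glass account used only when the AAA server is down (placeholder)
username emergency-admin password REPLACE-WITH-STRONG-PASSWORD privilege 15
```

The `ssh`/`http` lines are the "lock it down as tight as possible" part: each one names a source network and the interface it may arrive on, so the outside interface exposes SSH to exactly one host rather than to the whole internet. The `aaa authentication ... console` lines are the "authentication is safe enough" part: because SSH and ASDM share the same server group, whatever token or certificate policy the AAA server enforces applies to both, which is the point made above that neither entry type is weaker than the other.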
So, what is it that makes people (not only you, Greg 🙂) so stubbornly convinced that SSH access to the firewall should be avoided? I can see no difference in security between SSH and the other access methods.
And a final note: the original post was about SSHing FROM the device, not to it. Following my dialogue with myself above, I come to the conclusion that you CAN allow SSH into the device. Given that, what is so unsafe about giving someone you trust, over a secure connection, the ability to reach the network behind the device? After all, this user already has God access to the firewall and could alter any configuration in it.