Page 19 of 72 
 
3.3 Network Protocols and Cryptographic Settings 
3.3.1   Remote Administration Protocols 
All TOE administration must be performed through an IPsec tunnel. In addition, it is 
recommended that the interactive administrative interface be SSH. The following method is 
used to configure SSH for use in a secure manner. 
To allow only SSH for remote administrator sessions, apply the transport input ssh command 
to the vty lines (line vty 0 4, and any higher-numbered vty ranges the platform provides). 
This command disables Telnet on those lines by accepting only SSH connections for remote 
administrator access. 
3.3.1.1    Steps to configure SSH on router [10] (Cisco IOS Security Command Reference Guides) 
1.  Generate RSA or ECDSA key material, choosing a longer modulus length for the 
evaluated configuration (i.e., 2048 bits for RSA and 256 or 384 bits for ECDSA): 
TOE-common-criteria(config)# crypto key generate rsa 
  How many bits in the modulus [512]: 2048 
or 
TOE-common-criteria(config)# crypto key generate ec keysize {256 | 384} 
RSA and ECDSA keys are generated in pairs—one public key and one private key. This 
command is not saved in the router configuration; however, the keys generated by this 
command are saved in the private configuration in NVRAM (which is never displayed to 
the user or backed up to another device) the next time the configuration is written to 
NVRAM.  
Note: Only one set of keys can be configured using the crypto key generate command at 
a time. Repeating the command overwrites the old keys.  
Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated 
keys are lost on the next reload of the router. 
Note: If the error “% Please define a domain-name first” is received, enter the command 
‘ip domain-name [domain name]’. 
Note: to delete a key pair, an administrator may use the crypto key zeroize rsa [label] 
or crypto key zeroize ec [label] command. 
 
2.  Limit SSH authentication retries (the SSH server itself is enabled once the key pair 
from step 1 exists): 
  TOE-common-criteria(config)# ip ssh authentication-retries 2 
 
3.  Configure the SSH negotiation timeout, in seconds (the maximum the platform accepts 
is 120): 
  TOE-common-criteria(config)# ip ssh time-out 60 
 
4.  Set the server to accept SSH version 2 only: 
  TOE-common-criteria(config)# ip ssh version 2 
 
5.  Ensure that the product is configured not to support diffie-hellman-group1-sha1 key 
exchange by setting the minimum Diffie-Hellman group size to 2048 bits: 
    TOE-common-criteria(config)# ip ssh dh min size 2048
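As an added example (not part of the Cisco guide), the following Python script audits the text of a saved running-config against steps 2 to 5 above and the vty restriction from 3.3.1. The two embedded configurations are constructed for illustration and were not taken from any device; the thresholds (at most 2 retries, at most 60 seconds time-out, DH minimum 2048, SSH version 2, transport input ssh on every vty range) follow the values used in the steps above, and the hostname and domain name are assumptions.

```python
"""Audit a Cisco IOS running-config for the SSH hardening this section requires.

Added example, not from the Cisco guide.  Thresholds follow steps 2-5 above and
the vty restriction from 3.3.1; both sample configs are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: IOS defaults left in place and Telnet still permitted on
# the first vty range.
WEAK_CONFIG = """\
hostname TOE-common-criteria
ip domain-name example.test
ip ssh time-out 120
ip ssh authentication-retries 3
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Constructed sample: every setting from steps 2-5 plus transport input ssh on
# all vty ranges.  Key pairs never appear in the running-config, so step 1 is
# not auditable from this text (see usage note).
HARDENED_CONFIG = """\
hostname TOE-common-criteria
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 2048
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-'line vty' blocks.

    IOS indents a section's child commands by one space; only children of
    'line vty ...' sections are kept, other indented lines are ignored.
    """
    global_lines: List[str] = []
    vty_blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                vty_blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("line vty"):
            current = line
            vty_blocks.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty_blocks


def _int_setting(lines: List[str], pattern: str) -> Optional[int]:
    """Return the integer argument of the first global line matching pattern."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None


def audit_ssh(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config is compliant."""
    global_lines, vty_blocks = parse_config(text)
    findings: List[str] = []

    # Step 4: absent means the device may still negotiate SSH version 1.
    if "ip ssh version 2" not in global_lines:
        findings.append("ip ssh version 2 is not set")

    # Step 5: absent or below 2048 leaves diffie-hellman-group1-sha1 offered.
    dh = _int_setting(global_lines, r"ip ssh dh min size (\d+)")
    if dh is None or dh < 2048:
        findings.append("ip ssh dh min size 2048 is not set")

    # Step 2: the IOS default (3) is not shown in the running-config.
    retries = _int_setting(global_lines, r"ip ssh authentication-retries (\d+)")
    if retries is None or retries > 2:
        findings.append("ip ssh authentication-retries is above 2 or at default")

    # Step 3: the IOS default (120 s) is not shown in the running-config.
    timeout = _int_setting(global_lines, r"ip ssh time-out (\d+)")
    if timeout is None or timeout > 60:
        findings.append("ip ssh time-out is above 60 or at default")

    # 3.3.1: every vty range must accept SSH only.
    if not vty_blocks:
        findings.append("no 'line vty' section found")
    for name, children in vty_blocks.items():
        if "transport input ssh" not in children:
            findings.append(f"{name}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ssh(cfg) or ['compliant']}")
```

Feed the output of show running-config to audit_ssh(). Because the key pair lives in the private configuration rather than the running-config, step 1 has to be verified separately on the device with show crypto key mypubkey rsa; the script only reports on what the running-config text can show.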