Cisco ASA

We always recommend that a system administrator defer to the vendor’s official documentation on credential creation. Please follow the vendor’s instructions for configuring the device for access with an SSH key, and then use the Indeni WebGUI to store the private key in the relevant Credential Profile.

For Indeni to run its full set of interrogation and monitoring scripts, it must connect to your device with an SSH user and an SNMP user that have the administrator role. It is highly recommended that a unique Indeni user is created for auditing and security purposes. Before adding any ASA device, make sure both SSH and SNMP credentials are provided in the Credentials Set.


Creating an SSH User in the local database via CLI

  1. Log in to the Cisco ASA device via SSH
  2. # enable
  3. # config t
  4. # username <username> password <password> privilege 15
  5. This command will create a new user with privilege level 15
  6. After the admin user is created, apply the following command to allow local admin users to enter enable mode by default. This step is required in order for all the scripts to run successfully.
  7. # aaa authorization exec LOCAL auto-enable

NOTE: The ASA supports two Diffie-Hellman key exchange methods: DH Group 1 (768-bit) and DH Group 14 (2048-bit). By default, the ASA is set to use Diffie-Hellman Group 1. It is recommended to use dh-group14-sha1 instead. The command “ssh key-exchange group dh-group14-sha1” was introduced in 8.4(4.1) and 9.1(2) and sets the default SSH key exchange method to dh-group14-sha1.

Creating an SSH User in the local database via ASDM

Creating an SNMPv3 User via CLI

  1. The following example creates an SNMPv3 user with authentication and privacy passwords and limits SNMP access to a range of IPs. Make sure the Indeni server IP is included in the IP range configured on the device, otherwise Indeni will NOT be able to interrogate the device.
  2. Log in to the Cisco ASA device via SSH
  3. # enable
  4. # config t
  5. # object network indeni-server
  6. # range 192.168.250.0 192.168.250.255
  7. # exit
  8. # snmp-server group SNMPv3Group v3 priv
  9. # snmp-server user indeni SNMPv3Group v3 auth SHA <AuthPassword> priv AES 128 <PrivPassword>
  10. # snmp-server host-group management indeni-server version 3 indeni
  11. # exit
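
The SSH and SNMPv3 procedures above can be checked after the fact against a saved copy of the device configuration. The following is an added example, not part of Indeni's or Cisco's documentation: the function name `audit_asa_config` and the sample config are constructed for illustration, and the patterns match the commands as typed on this page, so real `show running-config` output may need looser patterns.

```python
import re

# Constructed sample: the commands from this page as they might appear in a
# saved config. The "ssh key-exchange" line is deliberately absent.
SAMPLE_CONFIG = """\
username indeni password <password> privilege 15
aaa authorization exec LOCAL auto-enable
object network indeni-server
 range 192.168.250.0 192.168.250.255
snmp-server group SNMPv3Group v3 priv
snmp-server user indeni SNMPv3Group v3 auth SHA <AuthPassword> priv AES 128 <PrivPassword>
snmp-server host-group management indeni-server version 3 indeni
"""

def audit_asa_config(config, user="indeni"):
    """Return a list of findings; an empty list means every prerequisite was found."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def has(pattern):
        return any(re.search(pattern, ln, re.I) for ln in lines)

    u = re.escape(user)
    if not has(rf"^username {u} .*\bprivilege 15\b"):
        findings.append(f"no local user '{user}' with privilege 15")
    if not has(r"^aaa authorization exec LOCAL auto-enable$"):
        findings.append("auto-enable for LOCAL users is not configured")
    # If the command is absent, the ASA default (DH Group 1, 768-bit) applies.
    if not has(r"^ssh key-exchange group dh-group14-sha1$"):
        findings.append("SSH key exchange is not set to dh-group14-sha1")
    # The SNMPv3 user needs auth and priv, in a group at the 'priv' level.
    m = None
    for ln in lines:
        m = m or re.match(rf"snmp-server user {u} (\S+) v3\b.*\bauth\b.*\bpriv\b", ln, re.I)
    if not m:
        findings.append(f"no SNMPv3 user '{user}' with auth and priv")
    elif not has(rf"^snmp-server group {re.escape(m.group(1))} v3 priv$"):
        findings.append(f"SNMP group '{m.group(1)}' is not at the v3 priv level")
    if not has(rf"^snmp-server host(-group)? \S+ \S+ .*\bversion 3 {u}\b"):
        findings.append(f"no SNMPv3 host or host-group entry for user '{user}'")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG) or ["all prerequisites found"]:
        print(finding)
```

Run against the constructed sample, the only finding is the missing key-exchange setting, which means the device would still negotiate SSH with DH Group 1.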