Security · Global Config

ssh [source] [mask] [intf]

Restricts SSH access to the ASA by specifying allowed source IP addresses or subnets on a given interface.

Overview

The 'ssh' command in global configuration mode on Cisco ASA firewalls is used to define which source IP addresses or networks are permitted to establish SSH connections to the device. This command is a critical component of securing remote management access, as it provides a first line of defense by restricting SSH access at the network layer. Without this restriction, any host that can reach the ASA's management interface could attempt to brute-force credentials or exploit vulnerabilities in the SSH service.

The underlying concept is access control based on source IP address and receiving interface. The ASA keeps a per-interface list of allowed SSH sources; when a TCP connection to port 22 arrives on an interface, the ASA compares the client's source address against every entry for that interface. An entry matches when (client address AND mask) equals (entry address AND mask); if any entry matches, the connection is accepted and the SSH handshake proceeds, otherwise the connection is refused. This is an allow list, not a full ACL: there are no deny entries, so the order in which entries were configured and how specific they are make no difference. The command is applied per interface, meaning you can allow different sources on different interfaces (e.g., the management subnet on the management interface, the internal admin subnet on the inside interface) and no source at all on an interface with no entry.

Use this command when you need to enforce that only specific administrative hosts or networks can manage the ASA via SSH. It is typically one of the first steps in hardening an ASA after initial configuration. In troubleshooting workflows, if SSH access is failing, check the allowed sources with 'show ssh' or 'show running-config | include ssh' to ensure the client's source IP is covered by an entry on the interface it is connecting to. Also verify that the interface has a name ('nameif') and an IP address, that an RSA (or ECDSA) host key pair exists ('show crypto key mypubkey rsa'), and that a login method is configured (for example 'aaa authentication ssh console LOCAL' with a local username).

Platform-specific behavior: On Cisco ASA, the 'ssh' command carries the interface parameter, which has no counterpart on IOS. Unlike IOS, where SSH access is controlled by VTY lines and an 'access-class' ACL, ASA uses this dedicated command. The ASA supports multiple ssh entries; because every entry is a permit, order and prefix length do not matter and a connection is allowed if any entry for the receiving interface matches. The command does not affect outbound SSH from the ASA (e.g., for SCP or SSH to other devices).

Syntax·Global Config
ssh source_ip_address source_mask interface_name
ssh source_ipv6_address/prefix_length interface_name

When to Use This Command

  • Allow only the management subnet to SSH into the ASA for secure remote administration.
  • Restrict SSH access to a specific jump host IP address to reduce attack surface.
  • Permit SSH from multiple subnets by entering multiple ssh commands for different source networks.
  • Combine with AAA authentication to enforce both network-level and user-level access control.

Parameters

Parameter | Syntax | Description
source_ip_address | A.B.C.D | The source IP address or network to be permitted. This can be a host IP or a network address. For a single host, use the host IP with mask 255.255.255.255.
source_mask | A.B.C.D | The subnet mask for the source IP address. Use 255.255.255.255 for a single host, or a standard subnet mask (e.g., 255.255.255.0) for a network. 0.0.0.0 with address 0.0.0.0 matches every source.
interface_name | WORD | The 'nameif' name of the interface on which SSH connections are accepted (for example 'inside', 'outside', 'management'), not the physical name such as Management0/0. The interface must have a name and an IP address configured.

Command Examples

Allow SSH from a single management host

ssh 192.168.1.100 255.255.255.255 management

This command permits SSH access only from host 192.168.1.100 on the management interface. The mask 255.255.255.255 specifies a single host.

Allow SSH from a subnet

ssh 10.10.10.0 255.255.255.0 inside

Permits SSH from the entire 10.10.10.0/24 subnet on the inside interface. Any host in that subnet can initiate SSH to the ASA.

Understanding the Output

The ssh command itself does not produce output when entered. To verify the configured allow list, use 'show ssh' (which lists the SSH timeout, the allowed versions and the configured source/mask/interface entries) or 'show running-config | include ssh'; use 'show ssh sessions' to see active SSH sessions and their client addresses. A healthy configuration shows only the expected source IP/mask entries on the expected interfaces. Problem values include a missing entry for an interface (no SSH accepted there at all) or an overly permissive entry such as '0.0.0.0 0.0.0.0' that accepts connections from any source, which on the outside interface exposes the management plane to the Internet.

Configuration Scenarios

Restrict SSH to Management Subnet

A company wants to allow SSH access to the ASA only from the dedicated management subnet 192.168.10.0/24 on the management interface.

Topology

Management subnet: 192.168.10.0/24 | ASA (management interface IP: 192.168.10.1) | Other interfaces (inside, outside)

Steps

  1. Configure the management interface with a name ('nameif'), a security level and an IP address.
  2. Generate the RSA host key pair for SSH.
  3. Enable SSH version 2.
  4. Apply the ssh command to allow the management subnet, and configure a login method.
Configuration
! Configure management interface; the nameif value is the name the ssh command refers to
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Generate the RSA host key pair used by the SSH server
crypto key generate rsa modulus 2048
!
! Enable SSH version 2
ssh version 2
!
! Restrict SSH to management subnet
ssh 192.168.10.0 255.255.255.0 management
!
! SSH logins still need an authentication method; here the local user database
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL

Verify: Use 'show ssh' to see the allowed sources and 'show ssh sessions' to see active sessions. Use 'show running-config | include ssh' to confirm the entry, and test from a host inside 192.168.10.0/24 and from one outside it; only the first should get a password prompt.

Watch out: Ensure the management interface has a 'nameif' and is reachable from the management subnet. Interface ACLs applied with 'access-group' filter traffic passing through the ASA, not traffic destined to the ASA itself, so they will not block (or protect) SSH to the device; a control-plane ACL ('access-group ... in interface management control-plane') is the exception and must permit TCP/22 if one is in use.

Troubleshooting with This Command

When SSH access to the ASA fails, the 'ssh' command configuration is a primary suspect. Start by verifying that an SSH host key exists: 'show crypto key mypubkey rsa' should list a key pair; if it shows nothing, generate one with 'crypto key generate rsa modulus 2048' and confirm the version with 'show ssh'. Next, confirm that the source IP of your client is permitted on the interface it is connecting to: use 'show running-config | include ssh' to list all configured ssh entries. If your client's IP is not covered by any entry for that interface, add the appropriate ssh command. Also verify that the interface named in the ssh command is up and has an IP address; use 'show interface ip brief' to check. If the interface is down, SSH cannot be received on it. Interface ACLs do not apply to traffic destined to the ASA itself, so 'show access-list' is only relevant if a control-plane ACL is applied to that interface. If the connection is accepted but login fails, check the authentication method ('show running-config aaa') and the local username. Remember that every ssh entry is a permit: a host entry (255.255.255.255) and a network entry covering the same host do not conflict, and either one allows the connection. If you accidentally allow 0.0.0.0 0.0.0.0, any source is permitted, which is a security risk. To remove an entry, use 'no ssh source mask interface', for example 'no ssh 0.0.0.0 0.0.0.0 outside'.
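The matching rule described in the Overview and the checks described here can be applied offline to a saved running-config. The following Python script is an added example, not code from the original page or from Cisco: it parses the IPv4 'ssh source mask interface' lines from 'show running-config | include ssh' output, reports which entries would permit a given client on a given interface (any match permits, mirroring the ASA's allow-list semantics), and flags entries wider than a /24, including the any-source '0.0.0.0 0.0.0.0'. The sample configuration text is constructed for the example, and the function names are the script's own.

```python
"""Audit Cisco ASA 'ssh <source> <mask> <interface>' allow-list entries.

Added example, not from the original page or from Cisco. Parses the IPv4
ssh entries found in running-config text, evaluates whether a client would
be permitted on a given interface, and flags overly broad entries.
"""
import ipaddress
import re
from dataclasses import dataclass

# IPv4 allow-list lines only. Settings such as 'ssh version 2' or
# 'ssh timeout 10' do not match and are skipped; IPv6 entries of the form
# 'ssh 2001:db8::/64 inside' are out of scope for this example.
_SSH_ENTRY = re.compile(
    r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


@dataclass(frozen=True)
class SshEntry:
    network: ipaddress.IPv4Network
    interface: str


def parse_ssh_entries(config_text):
    """Return the IPv4 ssh allow-list entries present in config_text."""
    entries = []
    for line in config_text.splitlines():
        m = _SSH_ENTRY.match(line.strip())
        if not m:
            continue
        addr, mask, intf = m.groups()
        # strict=False keeps an entry whose address has host bits set
        # (e.g. 'ssh 10.10.10.5 255.255.255.0 inside'); the ASA matches on
        # (address AND mask), which is exactly the network this yields.
        network = ipaddress.IPv4Network((addr, mask), strict=False)
        entries.append(SshEntry(network, intf))
    return entries


def permitted_by(entries, client_ip, interface):
    """Return the entries that would permit client_ip on interface.

    Every ASA ssh entry is a permit, so one match is enough; order and
    prefix length are irrelevant. An empty list means the TCP connection
    to port 22 is refused before any SSH handshake.
    """
    ip = ipaddress.IPv4Address(client_ip)
    return [e for e in entries if e.interface == interface and ip in e.network]


def overly_permissive(entries, max_prefixlen=24):
    """Return entries broader than /max_prefixlen (the any-source entry is /0)."""
    return [e for e in entries if e.network.prefixlen < max_prefixlen]


# Constructed sample of 'show running-config | include ssh' output.
SAMPLE_CONFIG = """\
ssh 192.168.10.0 255.255.255.0 management
ssh 10.10.10.50 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
"""

if __name__ == "__main__":
    entries = parse_ssh_entries(SAMPLE_CONFIG)
    for e in entries:
        print(f"{e.network} accepted on {e.interface}")
    for client, intf in [("10.10.10.50", "inside"),   # host entry matches
                         ("10.10.10.51", "inside"),   # no entry matches
                         ("10.10.10.50", "management"),  # wrong interface
                         ("203.0.113.7", "outside")]:  # any-source entry
        verdict = "permitted" if permitted_by(entries, client, intf) else "refused"
        print(f"{client} on {intf}: {verdict}")
    for e in overly_permissive(entries):
        print(f"WARNING: {e.network} on {e.interface} is wider than a /24")
```

Run it against a real 'show running-config | include ssh' capture instead of SAMPLE_CONFIG to get the same verdicts for your own hosts; any entry reported by overly_permissive on the outside interface deserves immediate attention.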

CCNA Exam Tips

1. Remember that an ssh entry only permits inbound SSH from the listed sources; SSH also needs an RSA or ECDSA host key ('crypto key generate rsa') and a login method before a connection will succeed.

2. On the CCNP Security exam, know that multiple ssh entries are allowed, that they are all permits, and that a connection is accepted if any entry for the receiving interface matches.

3. Be aware that the interface must have a 'nameif' and an IP address and that a host key must exist for the command to take effect.

Common Mistakes

Forgetting to generate RSA keys before configuring SSH, causing SSH to fail.

Using an incorrect mask (e.g., 0.0.0.0) which allows all sources, defeating the purpose.

Applying the command to an interface that has no 'nameif' or IP address, or naming the physical interface (Management0/0) instead of its 'nameif' name.

Platform Notes

On Cisco ASA, the 'ssh' command fills the role that 'access-class' on the VTY lines fills on IOS routers, with the interface parameter added. IOS configures the SSH server with 'ip ssh ...' and restricts sources with a standard ACL applied via 'access-class ... in' under 'line vty', whereas ASA combines source restriction and interface selection in one command. On ASA, there is no need to configure VTY lines; the ssh command directly controls access. For Cisco IOS-XE, the equivalent remains 'ip ssh' plus 'access-class' under line vty. On ASA, the command is available in global config mode only. The 'ssh source mask interface' syntax has been stable across ASA releases; check the release notes for your version for related settings such as 'ssh key-exchange' and cipher selection. Always use 'ssh version 2' for better security. The 'ssh' command does not affect SSH from the ASA to other devices (client mode).
