Cisco ASA Firewall – diffie-hellman-group1-sha1

You may get the following error message when you SSH to a Cisco ASA 5506X from a recent OpenSSH client (OpenSSH 7.0 and later no longer enable diffie-hellman-group1-sha1 by default, because it is a 1024-bit Diffie-Hellman group that is considered too weak):

Unable to negotiate with 121.121.43.52: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

There are two ways to get past this. Option A is a client-side workaround that re-enables the weak group for one connection; option B fixes the ASA itself and is the one to prefer.

A. Connect to the Cisco ASA 5506X with an additional parameter on the SSH client (the + appends the legacy group to the client's normal list for this one invocation only):

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@121.121.43.52
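If the device cannot be fixed right away, it is better to scope the workaround to that one host in ~/.ssh/config than to pass -o every time or relax the client globally. The POSIX shell script below is an added example, not code from the original post or from Cisco: it parses OpenSSH's "Unable to negotiate" error, emits a Host stanza that appends only the algorithm the device offered, and flags it as legacy. Both error lines are constructed samples in the format OpenSSH prints; the second one is the follow-up "no matching host key type found. Their offer: ssh-rsa" error that OpenSSH 8.8 and later print against a host that only signs with SHA-1 RSA, which the original post does not cover. The alias asa-5506x is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): turn OpenSSH's "Unable to negotiate"
# errors into a per-host ssh_config stanza instead of relaxing the client globally.
# Both error lines are constructed samples in the format OpenSSH prints; the
# second is the follow-up error OpenSSH 8.8+ shows for an ssh-rsa-only host key.
SAMPLE_KEX_ERR='Unable to negotiate with 121.121.43.52: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'
SAMPLE_HOSTKEY_ERR='Unable to negotiate with 121.121.43.52 port 22: no matching host key type found. Their offer: ssh-rsa'

# Map a "no matching ... found" line to the ssh_config keyword it concerns.
# Prints "Keyword offer"; returns 1 if the line is not a negotiation failure.
negotiation_fix() {
    case "$1" in
        *"no matching key exchange method"*) key=KexAlgorithms ;;
        *"no matching host key type"*)       key=HostKeyAlgorithms ;;
        *"no matching cipher"*)              key=Ciphers ;;
        *"no matching MAC"*)                 key=MACs ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$key" "${1##*Their offer: }"
}

# Peer address from the error line, with or without the " port N" suffix.
peer_of() {
    addr=${1#*Unable to negotiate with }
    addr=${addr%% *}
    printf '%s\n' "${addr%:}"
}

# Algorithms that should never be re-enabled globally: the 1024-bit DH group
# and SHA-1 based signature types. Returns 0 if the offer contains one of them.
is_legacy_algo() {
    case "$1" in
        *diffie-hellman-group1-sha1*|*ssh-rsa*|*ssh-dss*) return 0 ;;
    esac
    return 1
}

# Emit a Host stanza that appends (+) only what this one device needs.
# Usage: legacy_stanza <alias> <error line> [<error line> ...]
legacy_stanza() {
    alias=$1; shift
    printf 'Host %s\n' "$alias"
    printf '    HostName %s\n' "$(peer_of "$1")"
    for line in "$@"; do
        fix=$(negotiation_fix "$line") || continue
        key=${fix%% *}
        algos=${fix#* }
        if is_legacy_algo "$algos"; then
            printf '    # %s is legacy: scoped to this host only, fix the device instead\n' "$algos"
        fi
        printf '    %s +%s\n' "$key" "$algos"
    done
}

# Demo: the stanza for the ASA in the post (alias asa-5506x is an assumption).
legacy_stanza asa-5506x "$SAMPLE_KEX_ERR" "$SAMPLE_HOSTKEY_ERR"
```

Append the printed stanza to ~/.ssh/config and connect with plain ssh asa-5506x; because the keywords use +, the client's default algorithm list stays intact and the legacy entries are only added for that HostName, so the workaround does not weaken connections to any other host.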

B. Change the key exchange group from dh-group1-sha1 to dh-group14-sha1 on the Cisco ASA 5506X (9.8(2))

1. Use only SSH version 2 and switch the key exchange to dh-group14-sha1 (a 2048-bit group that current clients accept by default):

ssh version 2
ssh key-exchange group dh-group14-sha1

You can now SSH to the Cisco ASA firewall without specifying any additional parameter:

ssh admin@121.121.43.52

Steps to enable SSH on a Cisco ASA Firewall (9.8(2))

1. Assign an enable password (use your own strong value in place of the example)

enable password P@ssw0rd

2. Create a username and password for SSH access

username admin password P@ssw0rd

3. Configure SSH authentication against the LOCAL user database

aaa authentication ssh console LOCAL

4. Generate a 2048-bit RSA key pair (the SSH host key)

crypto key generate rsa modulus 2048

5. Allow hosts on the inside network to reach SSH

ssh 172.16.1.0 255.255.255.0 inside