user accounts on cisco asa 5510

Unanswered Question
Nov 22nd, 2007

Hi all. I am using the ASDM 5.0 GUI for configuring my Cisco ASA 5510 firewall. I have created some user accounts for VPN access purposes only. However, these users could log in to my ASDM and view the configuration, though they could not modify it, as I have set privilege 0 on their accounts. What can I do so that they will not be able to access my ASDM while retaining the VPN capability? Thanks in advance.

JORGE RODRIGUEZ Thu, 11/22/2007 - 07:55

Look at the ASA statements in the CLI or in the ASDM Administration section.

Ensure that access to the ASA is restricted per host IP or subnet.

For example, if you want only one or two systems to access the ASA via HTTPS or telnet, you would have the following:

telnet inside

telnet inside

http inside

http inside

Only and 101 will be able to access the ASA for admin. The same goes for a subnet:

Any host within will have access:

telnet inside

http inside

Or any subnet on the inside network will have access:

telnet inside

http inside

Rate any helpful post



donnie Thu, 11/22/2007 - 12:42

Thanks, Jorge. But does it mean that all VPN accounts created are able to log in to my ASDM?

JORGE RODRIGUEZ Thu, 11/22/2007 - 15:06

Hi, it means that the ASA probably has http and telnet set on inside. When VPN users connect to the ASA VPN server they are assigned IP addresses either by the DHCP service on the ASA or by whichever DHCP service you use for your VPN users, and those IPs are considered to be inside your network perimeter. If you post the ASA config, stripping public IP info, we can take a look.

Basically, administration access to the ASA from inside or outside is determined by the http/telnet/ssh statements and the interface you allow it on, e.g. inside, outside, DMZ etc.

VPN has nothing to do with admin access to the ASA.

Pls rate any helpful post



I had a similar problem when using the local database for both SSH and Remote Access authentication. I had the following AAA config:

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

I also had a Remote Access group set to use the local database for XAUTH. The users were set up like this:

username admin password admin privilege 15

username user password password privilege 0

The 'user' account was intended just for remote access, not SSH or ASDM. However, the ASA would still accept it for both. The only limitation was that ASDM didn't show much config and SSH would only allow privilege 1 commands. A workaround was to configure local command authorization, as described in the following link:

Although it still allows the user to authenticate for ASDM access, as soon as the GUI loads, an error is shown and no information can be viewed. SSH access does still work at the unprivileged level, however when trying to gain privileged access, the following message appears before rejecting the attempt:

[ user ] You do NOT have enable Admin Rights to the console

Not perfect but it does the job. I'd rather the remote access user be rejected the initial authentication for both SSH and ASDM.



srue Sun, 11/25/2007 - 20:57

The better solution is to lock the user into a specific group.

If you have a local user "bob"...

asa(config)# username bob attributes

asa(config-username)# ?


Looks like there is a specific command within user attributes that will lock the user to just Remote Access:

asa(config)# username bob attributes

asa(config-username)# service-type remote-access

However, it only becomes effective when authenticating management access:

aaa authorization exec authentication-server

I'm using version 8.0(3) though, so not sure if this is available in 7.x.

bauer.juergen Tue, 11/27/2007 - 08:30

service-type remote-access seems not to be available on 7.2. :-(

Another solution would be to add a vpn-filter to that user that prohibits access to the inside(?) interface.

Not nice, but maybe it works.
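The thread ends up with three controls: scope the http/ssh/telnet statements to admin hosts (Jorge's post), give VPN-only local users service-type remote-access together with aaa authorization exec (srue's post, 8.0(3) and later), or on 7.x fall back to a vpn-filter on the user (bauer.juergen's post). The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a running-config and reports which of those controls is missing. The sample config it checks is constructed for the example; the interface address, user names and the VPN_ONLY ACL are assumptions (the ACL is only a sketch of the vpn-filter idea), and password hashes are replaced by the placeholder REDACTED.

```python
"""Audit a Cisco ASA running-config for the management-access gaps discussed in this thread.
Added example, not code from the thread or from Cisco. It reports http/ssh/telnet statements
open to any host, a missing 'aaa authorization exec' line (without it, service-type on local
users is not enforced for SSH/ASDM logins), and local users below privilege 15 that have
neither 'service-type remote-access' nor a vpn-filter."""
import ipaddress
import re

# Constructed sample: addresses, user names and ACL name are assumptions; hashes replaced by REDACTED.
SAMPLE_CONFIG = """\
access-list VPN_ONLY extended deny tcp any host 10.1.1.1 eq https
access-list VPN_ONLY extended permit ip any 10.1.1.0 255.255.255.0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
username admin password REDACTED encrypted privilege 15
username bob password REDACTED encrypted privilege 0
username bob attributes
 service-type remote-access
 vpn-filter value VPN_ONLY
username carol password REDACTED encrypted privilege 0
http 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
telnet 10.1.1.50 255.255.255.255 inside
"""

# Same config with the thread's fixes: SSH scoped to the admin subnet, exec authorization on, carol locked down.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ssh 0.0.0.0 0.0.0.0 inside", "ssh 10.1.1.0 255.255.255.0 inside"
).replace(
    "aaa authentication enable console LOCAL\n",
    "aaa authentication enable console LOCAL\naaa authorization exec authentication-server\n",
) + "username carol attributes\n service-type remote-access\n"

MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?$")
ATTR_RE = re.compile(r"^username\s+(\S+)\s+attributes$")


def parse_config(text):
    """Group the config into (command, [sub-commands]); ASA indents sub-mode lines with a space."""
    blocks = []
    for raw in filter(str.strip, text.splitlines()):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def management_access(blocks):
    """One entry per http/ssh/telnet statement, with the network it admits."""
    entries = []
    for cmd, _ in blocks:
        if m := MGMT_RE.match(cmd):
            proto, addr, mask, ifname = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            entries.append({"protocol": proto, "network": str(net), "interface": ifname,
                            "open_to_any": net.prefixlen == 0})
    return entries


def local_users(blocks):
    """Privilege, service-type and vpn-filter per local username (ASA default privilege is 2)."""
    users = {}

    def user(name):
        return users.setdefault(name, {"privilege": 2, "service_type": None, "vpn_filter": None})

    for cmd, subs in blocks:
        if m := USER_RE.match(cmd):
            user(m.group(1))["privilege"] = int(m.group(2) or 2)
        elif m := ATTR_RE.match(cmd):
            u = user(m.group(1))
            for sub in subs:
                if sub.startswith("service-type "):
                    u["service_type"] = sub.split(None, 1)[1]
                elif sub.startswith("vpn-filter value "):
                    u["vpn_filter"] = sub.split()[-1]
    return users


def audit(text):
    """Return findings as strings; an empty list means the thread's controls are all in place."""
    blocks = parse_config(text)
    findings = []
    for e in management_access(blocks):
        if e["open_to_any"]:
            findings.append(f"{e['protocol']} is open to any host on {e['interface']}: scope it to an admin host or subnet")
    # 8.0(3) syntax is 'aaa authorization exec authentication-server'; later releases also accept LOCAL
    if not any(cmd.startswith("aaa authorization exec") for cmd, _ in blocks):
        findings.append("no 'aaa authorization exec': service-type on local users is not enforced for SSH/ASDM")
    for name, u in local_users(blocks).items():
        if u["service_type"] != "remote-access" and u["privilege"] < 15 and u["vpn_filter"] is None:
            findings.append(f"user {name} (privilege {u['privilege']}) can still log in to SSH/ASDM: "
                            "add service-type remote-access or a vpn-filter")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==\n" + ("\n".join(" - " + f for f in audit(cfg)) or " - no findings"))
```

Run it against the output of `show running-config` saved to a file by passing the file's contents to `audit()`. On the constructed sample it reports the wide-open `ssh 0.0.0.0 0.0.0.0`, the missing exec authorization, and the account `carol` that, like the original poster's VPN users, has privilege 0 but nothing stopping an ASDM or SSH login; on the hardened copy it reports nothing.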

