Restricting user access to SSH

Unanswered Question
Jul 24th, 2008

Hi all. I have enabled SSH as a form of remote access to my ASA 5510. However, I notice that user accounts that were added to my ASA 5510 for VPN purposes are able to access my firewall using SSH as well. Hence, is it possible to restrict SSH access to the firewall to only specific users? Can I configure that using ASDM?

Farrukh Haroon Sat, 07/26/2008 - 22:48

If both are using the local database (SSH and VPN), I don't think you can restrict based on any particular user. However, you can restrict management access based on IP addresses, so just add the NetOps/SecOps IPs. Also, VPN users can be restricted using the vpn-filter command, AFAIR. Even if they log on to the level 1 prompt, they would still require the enable password to cause severe damage (but this is still bad for security anyway).

The best approach is to use an external AAA server.

Regards

Farrukh

Marwan ALshawi Sun, 07/27/2008 - 20:25

I agree that with an external AAA server you will have more flexibility, especially when you use downloadable ACLs, which give you the ability to apply restrictions at the user level.

In addition, try the following: if your VPN pool is 192.168.1.0/24, deny SSH traffic from these IPs.

Also try the following command:

ssh 10.1.1.0 255.255.255.0 inside

assuming that your inside IPs are 10.1.1.0/24.

Also try to make a split-tunneling ACL that ignores SSH traffic; in this case the SSH traffic will not be part of the VPN tunnel, and deny it from the outside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

Good luck


Rate, if helpful
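One way to check the point both replies make (restrict SSH management access by source address, and make sure the VPN pool does not fall inside an allowed range) is a small audit over the ASA running-config. This is an added example, not code from the thread or from Cisco: the config text is constructed for the example using the subnets mentioned above, the `ssh <ip> <mask> <interface>` and `ip local pool` lines use real ASA syntax, and the script only understands those two forms (no object-groups, no IPv6).

```python
"""Audit an ASA running-config for SSH management-access rules that would
admit VPN-pool addresses.  Added example, not from the thread; the sample
config is constructed using the subnets the replies mention."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: trusted inside hosts 10.1.1.0/24, VPN pool in
# 192.168.1.0/24, plus a deliberately over-broad "ssh 0.0.0.0 0.0.0.0 outside"
# line of the kind the replies warn against.
SAMPLE_CONFIG = """\
hostname asa5510
ip local pool VPNPOOL 192.168.1.10-192.168.1.200 mask 255.255.255.0
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "ssh <ip> <mask> <interface>" is the ASA statement that limits which
# source addresses may open an SSH session on a given interface.
SSH_RE = re.compile(rf"^\s*ssh\s+{IPV4}\s+{IPV4}\s+(\S+)\s*$", re.M)
# "ip local pool <name> <first>-<last> mask <mask>" defines VPN client pools.
POOL_RE = re.compile(rf"^\s*ip local pool\s+(\S+)\s+{IPV4}-{IPV4}", re.M)


def parse_ssh_sources(config: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Return (interface, permitted source network) for each ssh access line."""
    return [
        (iface, ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))
        for ip, mask, iface in SSH_RE.findall(config)
    ]


def parse_vpn_pools(
    config: str,
) -> List[Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return (pool name, first address, last address) for each VPN pool."""
    return [
        (name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        for name, first, last in POOL_RE.findall(config)
    ]


def pool_overlaps(net: ipaddress.IPv4Network,
                  first: ipaddress.IPv4Address,
                  last: ipaddress.IPv4Address) -> bool:
    """True if any address of the pool range first..last lies inside net."""
    return net.network_address <= last and first <= net.broadcast_address


def audit_ssh_access(config: str) -> List[str]:
    """Flag ssh access lines that are wide open or that admit a VPN pool."""
    findings: List[str] = []
    pools = parse_vpn_pools(config)
    for iface, net in parse_ssh_sources(config):
        if net.prefixlen == 0:
            findings.append(f"ssh on {iface} allows any source (0.0.0.0/0)")
        for name, first, last in pools:
            if pool_overlaps(net, first, last):
                findings.append(
                    f"ssh on {iface} from {net} admits VPN pool {name} "
                    f"({first}-{last})"
                )
    return findings


if __name__ == "__main__":
    for line in audit_ssh_access(SAMPLE_CONFIG):
        print("FINDING:", line)
```

Run against the sample, the inside line (10.1.1.0/24) is clean and the outside line produces two findings: it permits any source, and therefore also every VPN pool address. The fix is the one the replies give: replace the 0.0.0.0 line with explicit NetOps/SecOps subnets. Note that this check only reasons about source addresses; it cannot tell one local-database user from another, which is why per-user control still needs an external AAA server.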
