Configuring secure remote access to ASA

saidfrh (Level 1)

We have IPSEC access to the ASA. The users authenticate using username and password. HTTPS has also been enabled on the ASA. We would like to limit remote management access to the ASA.

1) Are the following configurations accurate?

hostname(config)#ssh 192.x.x.202 255.255.255.0 inside

hostname(config)#ssh 207.x.x.204 255.255.255.240 outside

hostname(config)#http 192.x.x.202 255.255.255.0 inside

hostname(config)#http 207.x.x.202 255.255.255.240 outside

2) Is the enable password the only key feature that keeps remote access users from the management console(s) of the ASA?


6 Replies

Hi Said,

1) Yes, these commands are correct assuming the addresses and subnet masks you list indicate addresses you want to allow management access to.

2) No, you can also configure individual accounts for your users who need management access. You can create a user with the following command:

hostname(config)# username <name> password <password> privilege <level>

As you can see, you can set privilege levels for each user to determine how much access they are allowed to have. For example, a user with privilege level 15 has full access. A user with level 5 has read-only access and so on. You can achieve a high amount of granularity here as well by specifying which accounts certain privilege levels are able to access (see 'privilege' command reference below).

Once you have your user accounts configured, you simply need to configure the ASA to authenticate management access with the local user account database:

hostname(config)# aaa authentication ssh console LOCAL

hostname(config)# aaa authentication http console LOCAL

Here are some links that describe these commands also:

username:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1410096

aaa authentication console:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437931

privilege:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1732123

Hope that helps.

-Mike

Mike

I am not sure that we can say that these commands are really correct until we get a better understanding of what Said is really trying to do. He is specifying two addresses that look like host addresses:

192.x.x.202

207.x.x.204

but he is specifying them with subnet masks (and the addresses specified are not the base subnet address for either of the masks):

192.x.x.202 255.255.255.0

207.x.x.204 255.255.255.240

So if Said can clarify what he really wants the restriction to be (is it the specific host or is it the whole subnet, or what) then we are in a better position to say whether the commands are ok or not.

HTH

Rick
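To make Rick's point concrete, here is an added audit script (not from the thread or from Cisco) that reads ASA `ssh`/`http` access lines and reports what each one actually admits: the ASA applies the mask to the address, so a host address paired with a /24 mask opens management to the whole subnet, and `0.0.0.0 0.0.0.0` opens it to any source. The sample lines are constructed from RFC 5737 documentation ranges (made up, like the poster's), and `audit_mgmt_access` / `to_single_host` are names of my own.

```python
import ipaddress
import re

# Constructed sample of ASA management-access lines, modelled on the thread.
# The addresses are RFC 5737 documentation ranges, made up like the poster's.
SAMPLE_CONFIG = """
ssh 192.0.2.202 255.255.255.0 inside
ssh 198.51.100.204 255.255.255.240 outside
http 192.0.2.202 255.255.255.0 inside
http 198.51.100.202 255.255.255.240 outside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
"""

# Matches "ssh|http <address> <mask> <interface>"; any other line is ignored.
LINE_RE = re.compile(
    r"^(ssh|http)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)

def audit_mgmt_access(config: str) -> list:
    """Return one finding per ssh/http access line with what it really permits."""
    findings = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        # strict=False reproduces the ASA's behaviour of masking the address:
        # 192.0.2.202 with 255.255.255.0 admits all of 192.0.2.0/24.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        issues = []
        if ipaddress.ip_address(addr) != net.network_address:
            issues.append(f"host address given, but the mask admits all of {net}")
        if net.prefixlen == 0:
            issues.append("admits management connections from any source")
        elif iface == "outside" and net.prefixlen < 32:
            issues.append(f"{net.num_addresses} sources may reach management on outside")
        findings.append({"line": raw.strip(), "proto": proto, "iface": iface,
                         "effective": str(net), "issues": issues})
    return findings

def to_single_host(line: str) -> str:
    """Rewrite an ssh/http line so it admits only the listed host (/32 mask)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ssh/http access line: {line!r}")
    proto, addr, _mask, iface = m.groups()
    return f"{proto} {addr} 255.255.255.255 {iface}"
```

Running `audit_mgmt_access` over a real `show running-config | include ^ssh |^http ` export gives the same per-line report; any finding with a non-empty `issues` list is a candidate for `to_single_host`.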

Rick,

I made up the host IPs for security for this question. We want to lock access to remote management of the ASA and the router. My question was how to restrict remote and internal management to specific hosts. If you can assist on the router as well, I would appreciate it.

Thanks.

Said

Will the command "no ssh 0.0.0.0 0.0.0.0 outside" allow VPN client users access to network resources? We want to disable management of the networking devices from outside of the network, yet allow access to network resources by VPN Client users.

Thanks.

Said

I believe that there may be some syntax issues in what you are suggesting. If you do enter the command "no ssh 0.0.0.0 0.0.0.0 outside", what it would do would be to look for the command "ssh 0.0.0.0 0.0.0.0 outside" and, if it found the command, it would remove it.

What you are trying to accomplish is to prevent SSH access through the outside interface. To do that just be sure that there is no SSH command that uses the outside parameter. I do not believe that there is any single command that says do not allow any SSH access through the outside interface.

Whether you have enabled SSH on the outside interface or not has no impact on VPN users' access to network resources (other than the ASA).

HTH

Rick

Rick,

The question applies to HTTPS and SSH. Guidance/config for 1. totally locking remote management from outside of the LAN, 2. enabling specific IPs from outside, 3. specific LAN IPs would be appreciated. Thanks.

Said
