01-23-2009 03:57 PM - edited 03-11-2019 07:41 AM
We have IPSEC access to the ASA. The users authenticate using username and password. HTTPS has also been enabled on the ASA. We would like to limit remote management access to the ASA.
1) Are the following configurations accurate?
hostname(config)#ssh 192.x.x.202 255.255.255.0 inside
hostname(config)#ssh 207.x.x.204 255.255.255.240 outside
hostname(config)#http 192.x.x.202 255.255.255.0 inside
hostname(config)#http 207.x.x.202 255.255.255.240 outside
2) Is the enable password the only key feature that keeps remote access users from the management console(s) of the ASA?
01-24-2009 07:35 AM
Hi Said,
1) Yes, these commands are correct assuming the addresses and subnet masks you list indicate addresses you want to allow management access to.
2) No, you can also configure individual accounts for your users who need management access. You can create a user with the following command:
hostname(config)# username <name> password <password> privilege <0-15>
As you can see, you can set privilege levels for each user to determine how much access they are allowed to have. For example, a user with privilege level 15 has full access. A user with level 5 has read-only access and so on. You can achieve a high amount of granularity here as well by specifying which accounts certain privilege levels are able to access (see 'privilege' command reference below).
Once you have your user accounts configured, you simply need to configure the ASA to authenticate management access with the local user account database:
hostname(config)# aaa authentication ssh console LOCAL
hostname(config)# aaa authentication http console LOCAL
Here are some links that describe these commands also:
username:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1410096
aaa authentication console:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437931
privilege:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1732123
Hope that helps.
-Mike
01-25-2009 06:14 PM
Mike
I am not sure that we can say that these commands are really correct until we get a better understanding of what Said is really trying to do. He is specifying two addresses that look like host addresses:
192.x.x.202
207.x.x.204
but he is specifying them with subnet masks (and the addresses specified are not the base subnet address for either of the masks)
192.x.x.202 255.255.255.0
207.x.x.204 255.255.255.240
So if Said can clarify what he really wants the restriction to be (is it the specific host or is it the whole subnet, or what) then we are in a better position to say whether the commands are ok or not.
HTH
Rick
01-26-2009 03:01 AM
Rick,
I made up the hosts IPs for security for this question. We want to lock access to remote management of the ASA and the router. My question was how to restrict remote and internal management to specific hosts. If you can assist on the router as well, I would appreciate it.
Thanks.
Said
02-06-2009 08:35 AM
Will the command "no ssh 0.0.0.0 0.0.0.0 outside" allow VPN client users access to network resources? We want to disable management of the networking devices from outside of the network, yet allow access to network resources by VPN Client users.
Thanks.
02-06-2009 12:39 PM
Said
I believe that there may be some syntax issues in what you are suggesting. If you do enter the command: no ssh 0.0.0.0 0.0.0.0 outside what it would do would be to look for the command: ssh 0.0.0.0 0.0.0.0 outside and if it found the command it would remove the command.
What you are trying to accomplish is to prevent SSH access through the outside interface. To do that just be sure that there is no SSH command that uses the outside parameter. I do not believe that there is any single command that says do not allow any SSH access through the outside interface.
Whether you have enabled SSH on the outside interface or not has no impact on VPN users access to network resources (other than the ASA).
HTH
Rick
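The three points raised in this thread (Mike's: authenticate management sessions against per-user accounts rather than the enable password alone; Rick's 01-25 reply: a host address paired with a subnet mask permits the whole subnet, not one host; Rick's 02-06 reply: "no ssh 0.0.0.0 0.0.0.0 outside" only removes that exact line, so check that no ssh/http line at all names the outside interface) are each mechanical checks against a saved running-config. The following is an added example, not code from this thread or from Cisco: a small Python audit of ASA "ssh"/"http"/"aaa authentication ... console" lines. The sample config is constructed here from the anonymised lines in the question using RFC 5737 documentation addresses, and the name of the untrusted interface ("outside") is an assumption passed in as a parameter.

```python
"""Audit ASA management-access statements in a saved running-config.

Checks performed on every `ssh`/`http <addr> <mask> <iface>` line:
  * mask 0.0.0.0           -> management reachable from any source
  * addr not base of mask  -> the entry permits the whole subnet, not a host
  * iface is untrusted     -> management reachable on e.g. the outside interface
and, per protocol that has access lines, that an
`aaa authentication <proto> console ...` line exists.
"""
import ipaddress
import re
from dataclasses import dataclass

MGMT_LINE = re.compile(
    r"^(?P<proto>ssh|http)\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<iface>\S+)\s*$"
)
AAA_LINE = re.compile(r"^aaa authentication (?P<proto>ssh|http) console\s+\S+")

# Constructed sample (not a real device): the question's lines with the
# real addresses replaced by documentation ranges, plus one any-source http
# entry and only the ssh half of the AAA configuration.
SAMPLE_CONFIG = """\
hostname asa1
ssh 192.0.2.202 255.255.255.0 inside
ssh 203.0.113.204 255.255.255.240 outside
http server enable
http 192.0.2.202 255.255.255.0 inside
http 203.0.113.202 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
"""

# Constructed hardened version: single-host masks, inside only, AAA for both.
HARDENED_CONFIG = """\
hostname asa1
ssh 192.0.2.202 255.255.255.255 inside
http server enable
http 192.0.2.202 255.255.255.255 inside
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""


@dataclass
class Finding:
    line: str      # the offending config line (or the missing one)
    message: str


def audit_mgmt_access(config: str, untrusted_ifaces=("outside",)) -> list:
    """Return a list of Finding for the management-access lines in `config`."""
    findings = []
    protos_seen, aaa_protos = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_LINE.match(line)
        if m:
            aaa_protos.add(m["proto"])
            continue
        m = MGMT_LINE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m["proto"], m["addr"], m["mask"], m["iface"]
        protos_seen.add(proto)
        try:
            # strict=False keeps host bits so we can compare against the base.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            findings.append(Finding(line, f"unparseable address/mask: {exc}"))
            continue
        if net.prefixlen == 0:
            findings.append(Finding(
                line, f"{proto} management permitted from any source address"))
        elif str(net.network_address) != addr:
            findings.append(Finding(
                line, f"{addr} is not the base address of mask {mask}; this entry "
                      f"permits the whole {net.with_prefixlen}, use 255.255.255.255 "
                      f"for a single host"))
        if iface in untrusted_ifaces:
            findings.append(Finding(
                line, f"{proto} management reachable on untrusted interface "
                      f"{iface!r}; remove it with 'no {line}'"))
    for proto in sorted(protos_seen - aaa_protos):
        findings.append(Finding(
            f"aaa authentication {proto} console",
            f"missing 'aaa authentication {proto} console LOCAL' (or a AAA server "
            f"group); per-user accounts are not enforced for {proto}"))
    return findings


if __name__ == "__main__":
    for f in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"{f.line!r}: {f.message}")
    print("hardened config findings:", len(audit_mgmt_access(HARDENED_CONFIG)))
```

Run it against the output of "show running-config" saved to a file; a clean result means every remaining ssh/http entry is a single host (or an intentional subnet) on a trusted interface and both protocols authenticate against user accounts. The check deliberately treats a non-base address as a finding rather than guessing the intent, which is exactly the clarification Rick asked Said for.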
01-26-2009 03:18 AM
Rick,
The question applies to HTTPS and SSH. Guidance/config for 1. totally locking remote management from outside of the LAN, 2. enabling specific IPs from outside, 3. specific LAN IPs would be appreciated. Thanks.
Said