I am looking at the local accounts on the firewall and would like to make sure that the users who have local accounts for vpn have not access to the firewall itself via asdm, telnet, ssh for management.
The only aaa command on the firewall is
aaa authentication ssh console LOCAL
With this command, if i change the local account setting to "NO ASDM, SSH, Telnet or Console Access" ( see attached screen shot) will this still allow the users to vpn in and access the network as they should but remove any potential access to the firewall ?
Yes if you select the option " No , ASDM, SSH, TELNET or Console Access " will only block the admin access to the firewall . Here is the CLI equivalent for this option :
myASA(config-username)# service-type ?
username mode commands/options:
admin User is allowed access to the configuration prompt.
nas-prompt User is allowed access to the exec prompt.
remote-access User is allowed network access.
So if you use that last option you will be on third option in the list above which is remote-access. Users will have the option to VPN in but no admin ( ssh, telnet or asdm or console )