Based on your description, it looks like you want to do it locally on the router. I haven't tested this, but I think it will work. Basically, with priv-level 2-14 you can go to exec mode, which is the minimum requirement for SCP to work. Now, "copy" is a priv-level 15 command, so you need to bring that command down to level 2-14. If you can accomplish that, then it will work. Here is what it requires for the user configuration:
username admin7 privilege 7 password admin7
privilege exec level 7 copy
privilege exec level 7 scp    <-- This may not be needed
If you can provide me the commands that are getting executed on the router when you pull the config from the Linux box, I can help with defining the user. Did you try to put "pull" along with "copy" in your customised priv level to see if that helps?
Only other suggestion I can provide is to add the following into the config:
privilege exec level 5 nvram
privilege exec level 5 scp
Along with:
privilege exec level 5 copy
If that doesn't work, then I guess the best option would be to contact TAC to open an enhancement request, as it appears that the machines are talking directly to the SCP server without executing any commands in exec mode. Otherwise, with the above lines it should work.
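A fuller version of the setup sketched in the replies above, written here as an added example rather than anything posted in this thread. The hostname, domain name, management address 192.0.2.1 and the placeholder secret are assumptions; the AAA and SSH lines are the prerequisites the IOS SCP server needs, and the privilege lines are the thread's (untested) approach of pulling "copy" down to a custom level instead of giving the backup account level 15.

```cisco
! Added example, not from the thread. Assumed: hostname, domain, address, secret.
hostname edge1
ip domain-name example.com
! SCP rides on SSH, so an RSA key pair and SSHv2 come first
crypto key generate rsa modulus 2048
ip ssh version 2
! The IOS SCP server authenticates and authorizes the session through AAA
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Backup account at custom level 7; use "secret", not a cleartext "password"
username admin7 privilege 7 secret <strong-secret>
! Thread's approach: make "copy" available at level 7 so the pull can run
privilege exec level 7 copy
! Optional per the first reply; remove if the parser rejects it on your release
privilege exec level 7 scp
! Turn on the SCP server
ip scp server enable
```

From the Linux box the pull is then `scp admin7@192.0.2.1:running-config edge1.cfg` (the IOS SCP server also accepts `nvram:startup-config` and `flash:` paths). Cisco's Secure Copy configuration guide shows the SCP account at privilege 15, so verify the lowered level actually works before relying on it: log in as admin7, run `show privilege`, and if the transfer is refused, `debug ip scp` and `debug aaa authorization` on the router will show whether the AAA exec authorization or the command privilege is what is blocking it.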