New Member

Privilege level on ASA 8.0 to remove capture (no capture)

Hello,

We have an RO user created with privilege level 5 (local authentication and command authorization enabled); it works fine for other commands that are defined in privilege level 5. When we try to enable capture commands for the level 5 user, we can enable/clear but it doesn't allow removing the capture.

bl-asa/cont2# sh curpriv
Username : rouser
Current privilege level : 5
Current Mode/s : P_PRIV
bl-asa/cont2#

bl-asa/cont2# sh cap
capture _ type raw-data [Capturing - 0 bytes]
capture cap_out type raw-data interface outside [Capturing - 0 bytes]
  match ip any host xx.yy.23.116
bl-asa/cont2#

bl-asa/cont2# clear cap cap_out
bl-asa/cont2#

bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#

Following are the commands that I enabled for capture:

privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture

Could someone please tell me what privilege needs to be set to remove the capture, or whether I have missed anything in the config?

Thanks in advance!

cheers

jav

Accepted Solutions

Re: Privilege level on ASA 8.0 to remove capture (no capture)

You are hitting a Cisco Bug (CSCsl57533)

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl57533&from=summary

You have to upgrade to any of the following:

1st Found-In
7.2(2)

Fixed-In
8.0(3.11)
8.1(1.2)
7.2(4)
7.2(3.23)
8.0(103.5)
7.0(7.12)
7.1(2.70)

Please rate if helpful.

Regards

Farrukh

5 REPLIES
New Member

Re: Privilege level on ASA 8.0 to remove capture (no capture)

Hi Jav

Could you add the following command and try?

privilege configure level 5 mode exec command capture

Hope it will help

Vijay

PS : privilege

To configure command privilege levels for use with command authorization  (local, RADIUS, and LDAP (mapped) only), use the privilege command in global configuration mode. To disallow the configuration,  use the no form of this command.

privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command

no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command  command

Syntax Description

clear

(Optional) Sets the privilege only for the clear form of the command. If  you do not use the clear, show,  or configure keywords, all forms of the command  are affected.

command command

Specifies the command you are configuring. You can only configure the  privilege level of the main command. For  example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command  separately.

Also, you cannot configure the privilege level of subcommands separately  from the main command. For example, you can configure the context command, but not the allocate-interface command, which inherits the settings from the context command.

configure

(Optional) Sets the privilege only for the configure form of the  command. The configure form of the command is typically the form that  causes a configuration change, either as the unmodified command (without  the show or clear prefix) or  as the no form. If you do not use the clear, show, or configure keywords, all forms of the command are affected.

level level

Specifies the privilege level; valid values are from 0 to 15. Lower  privilege level numbers are lower privilege levels.

mode enable

(Optional) If a command can be entered in user EXEC/privileged EXEC mode  as well as configuration mode, and the command performs different  actions in each mode, you can set the privilege level for these modes  separately. The mode enable keyword specifies both  user EXEC mode and privileged EXEC mode.

mode configure

(Optional) If a command can be entered in user EXEC/privileged EXEC mode  as well as configuration mode, and the command performs different  actions in each mode, you can set the privilege level for these modes  separately. The mode configure keyword specifies  configuration mode, accessed using the configure  terminal command.

show

(Optional) Sets the privilege only for the show form of the command. If  you do not use the clear, show,  or configure keywords, all forms of the command  are affected.
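An offline check of `privilege` lines against the syntax description quoted above, added here as an example; it is not part of any poster's reply and is not Cisco tooling. It assumes that `cmd` in the thread's configuration lines is the `configure` form and that a user may run commands assigned to their own level or lower; the function names are hypothetical.

```python
import re

# Constructed sample: the three privilege lines quoted in the thread.
THREAD_CONFIG = """\
privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture
"""

FORMS = ("show", "clear", "configure")
PRIV_RE = re.compile(
    r"^privilege\s+(?:(show|clear|cmd|configure)\s+)?level\s+(\d+)\s+"
    r"(?:mode\s+(\S+)\s+)?command\s+(\S+)$")

def parse_privileges(config_text):
    """Map (command, mode, form) -> level from 'privilege' lines."""
    table = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        form, level, mode, command = m.groups()
        level = int(level)
        if not 0 <= level <= 15:          # valid levels are 0 to 15
            continue
        # Assumption: 'cmd' in the thread's config is the 'configure' form.
        form = "configure" if form == "cmd" else form
        # No form keyword: all forms of the command are affected.
        for f in ([form] if form else FORMS):
            table[(command, mode or "any", f)] = level
    return table

def classify(typed):
    """Return (form, main-command word) for a typed CLI line."""
    words = typed.split()
    for form in ("show", "clear"):
        if len(words) > 1 and form.startswith(words[0]):
            return form, words[1]
    if words[0] == "no" and len(words) > 1:   # 'no' form is a configure form
        return "configure", words[1]
    return "configure", words[0]

def required_level(table, typed, mode="exec"):
    """Level the config assigns to the typed command, or None if unset."""
    form, word = classify(typed)
    for (command, cmd_mode, f), level in table.items():
        if f == form and command.startswith(word) and cmd_mode in (mode, "any"):
            return level
    return None

def authorized_by_config(table, user_level, typed, mode="exec"):
    level = required_level(table, typed, mode)
    return level is not None and user_level >= level
```

Under those assumptions the thread's three lines assign level 5 to the `no` form of `capture` as well as to the `show` and `clear` forms, so a denial for a level 5 user is not explained by a missing `privilege` line.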

New Member

Re: Privilege level on ASA 8.0 to remove capture (no capture)

Hello Vijay,

Thanks for your input. I have already tried that, as suggested in the Cisco document.


privilege cmd level 5 mode exec command capture
privilege show level 5 mode exec command capture
privilege clear level 5 mode exec command capture

but the situation is still the same, cannot remove the capture.


bl-asa/cont2# no cap cap_out
                           ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
bl-asa/cont2#

cheers

Re: Privilege level on ASA 8.0 to remove capture (no capture)

Does 'no capture' (without the name) work?

Does the 'capture abcd' itself work?

Regards

Farrukh

New Member

Re: Privilege level on ASA 8.0 to remove capture (no capture)

Hello

Tried adding this command


privilege level 5 command cap

bl-asa/cont2#capture match ip  host host
bl-asa/cont2#capture interface

we are able to configure capture and also #clear cap


bl-asa/cont2#no cap --> doesn't work

bl-asa/cont2#no cap ---> works on admin account from privilege 15


thanks in advance!
