Hi all. I am using the ASDM 5.0 GUI to configure my Cisco ASA 5510 firewall. I have created some user accounts for VPN access purposes only. However, these users can log in to my ASDM and view the configuration, though they cannot modify it as I have set privilege 0 on their accounts. What can I do so that they will not be able to access my ASDM while retaining the VPN capability? Thanks in advance.
Hi, it means that the ASA probably has http and telnet set to 0.0.0.0 0.0.0.0 inside. When VPN users connect to the ASA VPN server they are assigned IP addresses either by the DHCP service on the ASA or by whichever DHCP service you use for your VPN users, and those IPs are considered to be inside your network perimeter. If you post the ASA config, stripping public IP info, we can take a look.
Basically, administrative access to the ASA from inside or outside is determined by the http/telnet/ssh statements and the interface you allow it on, e.g. inside, outside, DMZ, etc.
I had a similar problem when using the local database for both SSH and Remote Access authentication. I had the following AAA config:
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
I also had a Remote Access group set to use the local database for XAUTH. The users were set up like this:
username admin password admin privilege 15
username user password password privilege 0
The 'user' account was intended just for remote access, not SSH or ASDM. However, the ASA would still accept it for both. The only limitation was that ASDM didn't show much config and SSH would only allow privilege 1 commands. A workaround was to configure local command authorization, as described in the following link:
Although it still allows the user to authenticate for ASDM access, as soon as the GUI loads an error is shown and no information can be viewed. SSH access does still work at the unprivileged level; however, when trying to gain privileged access, the following message appears before the attempt is rejected:
[ user ] You do NOT have enable Admin Rights to the console
Not perfect, but it does the job. I'd rather the remote access user were rejected at the initial authentication for both SSH and ASDM.
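The following is an added configuration example, not from any of the posters above, putting together the two controls discussed in this thread: limiting the hosts that may reach http/ssh on the firewall (rather than 0.0.0.0 0.0.0.0) and enabling local command authorization so a privilege-0 VPN account gets nothing useful from ASDM or enable. The addresses, interface names and passwords are constructed; the aaa authorization exec and service-type lines are an assumption about newer releases (to my knowledge 8.0(2) and later) and are not needed for the workaround the poster describes.

```cisco
! Management access only from the admin workstation on the inside interface.
! 192.168.1.10 is a constructed example address; replace with your admin host.
http server enable
http 192.168.1.10 255.255.255.255 inside
ssh 192.168.1.10 255.255.255.255 inside
! No telnet statement at all: nothing can telnet to the firewall.

! Authenticate management sessions against the local database (as in the thread).
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL

! Local command authorization: each command is checked against the user's
! privilege level, so a privilege-0 account cannot run show commands and
! ASDM has nothing to display once it loads.
aaa authorization command LOCAL

! Constructed accounts; set real passwords.
username admin password Adm1nExample privilege 15
username vpnuser password VpnExample privilege 0

! Optional, assumed to require ASA 8.0(2) or later: with exec authorization
! enabled, a remote-access-only service type denies the management login
! itself instead of merely emptying the ASDM view.
aaa authorization exec LOCAL
username vpnuser attributes
 service-type remote-access
```

After applying this, verify with a test login that vpnuser can still establish the VPN but is refused (or, on older releases, shown an empty ASDM and denied enable) when connecting to the management interfaces.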