Greetings all. I have a Cisco ASA 5510 device running software version 7.1(2), Device Manager version 5.1(2). I have an IDS/IPS security services module (ASA-SSM-10) installed in the ASA.
- Management of the ASA and IDS/IPS SSM is done via the CLI.
- I have different management IPs assigned to the IDS/IPS SSM and the ASA.
- I have different logins/passwords assigned to the IDS/IPS SSM and the ASA.
My question is...
How do I limit access to the CLI on the IDS/IPS SSM from ASA?
From the ASA CLI, I know it's possible to do a 'session <module number>' and log into the IDS/IPS SSM that way. Assuming I don't know the SSM 'cisco' user password or any other accounts (service, etc.), is there any other way for me to get into the SSM?
Basically, I'm trying to figure out how separation of privileges works in this instance. Thank you.
Q: How do I limit access to the CLI on the IDS/IPS SSM from ASA?
A: You can create user accounts separately in the ASA/firewall and the IPS/SSM.
Basically, any account created in the ASA/firewall can be used in the SSM/IPS, unless you used an identical username and password.
Q: Assuming I don't know the SSM 'cisco' user password or any other accounts (service, etc.), is there any other way for me to get into the SSM?
A: Yes, but use the option below only as a last resort, if you have lost all means of access: all admin user accounts, including the Service Account.
The only way to access the SSM is with the recovery process, where you have to start everything from scratch. Maybe this is for security reasons (you're supposed to ensure the admin account is maintained correctly).