Cisco Support Community

restricting user access to ssh

Hi all. I have enabled SSH as a form of remote access to my ASA 5510. However, I notice that user accounts that were added to my ASA 5510 for VPN purposes are able to access my firewall using SSH as well. Hence, is it possible to restrict SSH access to the firewall to only specific users? Can I configure that using ASDM?


Re: restricting user access to ssh

If both are using the local database (SSH and VPN), I don't think you can restrict based on any particular user. However, you can restrict management access based on IP addresses, so just add the NetOps/SecOps IPs. Also, VPN users can be restricted using the vpn-filter command, AFAIR. Even if they log on to the level 1 prompt, they would still require the enable password to cause severe damage (but this is still bad for security anyway).

The best approach is to use an external AAA server.



Re: restricting user access to ssh

I agree that with external AAA you're going to have more flexibility,

especially when you use downloadable ACLs,

which give you the ability to make restrictions at the user level.

In addition, try the following:

if your VPN pool is known,

try to deny SSH traffic from these IPs.

In addition,

try the following command:

ssh inside

assuming that your inside IPs are the ones that should have access.

Also try to make a split-tunneling ACL that ignores SSH traffic;

in this case the SSH traffic will not be part of the VPN tunnel,

and deny it from outside.

Good luck.

Rate, if helpful
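The two replies above suggest three separate controls: limiting the source addresses that may open an SSH session, filtering the decrypted VPN traffic with vpn-filter, and handling authorization per user. The following ASA CLI fragment is an added example that puts all three together; it is not configuration posted in this thread, and the interface names, addresses, ACL and group-policy names, and usernames are all assumed for illustration.

```cisco
! Added example, not from the thread. Assumed values:
!   management hosts      10.10.10.0/24 on interface "inside"
!   VPN address pool      192.168.50.0/24
!   ASA inside address    10.1.1.1
!   VPN group policy      RA-USERS
!   local users           netops (admin), vpnuser (VPN only)

! 1. Only the listed source networks may start an SSH session on the
!    named interface. The VPN pool is deliberately absent, so a VPN
!    client is refused at the TCP layer before any login prompt.
ssh 10.10.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! 2. Defense in depth on the tunnel itself. A vpn-filter ACE is written
!    client -> local network and is applied to the decrypted traffic,
!    which the interface ACL never sees while the default
!    "sysopt connection permit-vpn" is in effect.
access-list VPN-FILTER extended deny tcp any host 10.1.1.1 eq 22
access-list VPN-FILTER extended permit ip any any
group-policy RA-USERS attributes
 vpn-filter value VPN-FILTER

! 3. Tie management access to the user rather than only to the address.
!    With exec authorization against the LOCAL database (ASA 8.0(2) and
!    later), a user whose service-type is remote-access can still
!    authenticate for VPN but is refused an SSH or ASDM session.
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
username vpnuser attributes
 service-type remote-access
username netops attributes
 service-type admin
```

Two caveats when testing this. The vpn-filter ACE targets the inside address because a VPN client can only reach the firewall's inside interface when `management-access inside` is configured, which is the usual reason VPN users end up with an SSH prompt in the first place; if they connect to a different interface address, add a matching deny. And step 3 changes behaviour for every local user: any account without an explicit `service-type` keeps the default, so review the existing usernames before enabling `aaa authorization exec`, or you may lock out an account you rely on for management.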
