cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


332
Views
0
Helpful
1
Replies
Beginner

Local ASA passwords to allow ALL show commands, no config

Hi there

Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc

Can anyone advise the syntax to do this? i don't have access to the ASA at the moment and haven't been able to figure it out in IOS, i'm assuming its not too hard...

Everyone's tags (3)
1 REPLY 1
Enthusiast

Local ASA passwords to allow ALL show commands, no config

Assuming AAA authentication, define some users with intermediate privilege levels and assign the commands they can run to that level, e.g.

    username readonly password SomeSecret privilege 2

followed by a tedious number of privilege commands for each of the keywords "show ?" expands to:

privilege show level 2 mode exec command aaa-server

...

privilege show level 2 mode exec command xlate

Anyone knowing a more consise way would be welcome.

-- Jim Leinweber, WI State Lab of Hygiene