08-05-2010 01:15 PM - edited 03-10-2019 05:18 PM
I am looking at the local accounts on the firewall and would like to make sure that the users who have local accounts for VPN have no access to the firewall itself via ASDM, Telnet, or SSH for management.
The only aaa command on the firewall is
aaa authentication ssh console LOCAL
With this command, if I change the local account setting to "NO ASDM, SSH, Telnet or Console Access" (see attached screenshot), will this still allow the users to VPN in and access the network as they should but remove any potential access to the firewall?
Thank you
08-05-2010 09:54 PM
Hi,
Yes, if you select the option "No ASDM, SSH, TELNET or Console Access", it will only block the admin access to the firewall. Here is the CLI equivalent for this option:
myASA(config-username)# service-type ?
username mode commands/options:
  admin          User is allowed access to the configuration prompt.
  nas-prompt     User is allowed access to the exec prompt.
  remote-access  User is allowed network access.
So if you use that last option, you will be on the third option in the list above, which is remote-access. Users will have the option to VPN in but no admin (SSH, Telnet, ASDM or console) access.
Thanks
Waris Hussain.
06-26-2019 09:49 AM
Team - Please allow me to resurrect this old post. I just applied that configuration but it appears not to be working... The user is still able to SSH to the ASA. Can someone please share their experience?
Kind Regards,
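
An added example, not part of the original thread or of any poster's configuration: a small Python audit that reads an ASA running-config and reports which local users can still reach management access. It assumes, per Cisco's ASA documentation on management authorization, that a user without an explicit service-type defaults to admin and that service-type is only enforced for management logins when `aaa authorization exec LOCAL` (or `authentication-server`) is configured. The sample config, usernames and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
username admin1 password XXXX encrypted privilege 15
username vpnuser1 password XXXX encrypted
username vpnuser1 attributes
 service-type remote-access
username vpnuser2 password XXXX encrypted
"""

def audit(config):
    """Return (exec_authz_enabled, {username: service_type}) for local users."""
    users, current, exec_authz = {}, None, False
    for line in config.splitlines():
        if re.match(r"aaa authorization exec (LOCAL|authentication-server)\b", line):
            exec_authz = True
        m = re.match(r"username (\S+) (password|nopassword|attributes)\b", line)
        if m:
            # Assumption: a user with no explicit service-type defaults to admin.
            users.setdefault(m.group(1), "admin")
            current = m.group(1) if m.group(2) == "attributes" else None
            continue
        m = re.match(r"\s+service-type (\S+)", line)
        if m and current:
            users[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the "username ... attributes" sub-mode
    return exec_authz, users

def findings(config):
    """List the reasons a VPN-only account could still log in for management."""
    exec_authz, users = audit(config)
    out = []
    if not exec_authz:
        out.append("no 'aaa authorization exec': service-type is not enforced for management logins")
    for name, stype in sorted(users.items()):
        if stype != "remote-access":
            out.append(f"{name}: service-type {stype} permits management access")
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_CONFIG):
        print(finding)
```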