Cisco ASA - Restrict Management (ASDM) Access via "Management Access Rules"

Kevin_W
Level 1

Hello,

I tried to restrict the access to an ASA 5510 firewall via the "Management Access Rules". 
For example I made a rule for the interface I normally connect with (e.g. via ASDM or SSH). Here I made a rule to allow the access only from one source (the IP of a test PC). But even from other PCs the access is still possible so I guess the rule does not match or the aspect in the next section has a higher priority.

Additionally I have configured under "ASDM/HTTPS/Telnet/SSH" (under the point "Management Access") that the whole client network (where also the IP of the test PC belongs) is allowed to connect via ASDM/HTTPS.

Background for this:
I want to restrict the ASDM and SSH access after the tests via Active Directory Users. The source IP method is just for verifying.

Maybe you have tips for that issue or even how I can easily restrict the access via AD users.

Thank you very much


Best regards

4 Replies

Marvin Rhoads
Hall of Fame

Don't use the "management access rule" unless you need access to ASA management from a VPN client that connects via some other interface (i.e. outside) and needs to ssh / http into the inside interface.

See the following notes (taken from http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/access_management.html): 

In addition, management access to an interface other than the one from which you entered the adaptive security appliance is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection, and entering the management-access command. For more information about the management-access command, see the Cisco ASA 5500 Series Command Reference.

To access the adaptive security appliance interface for management access, you do not also need an access rule allowing the host IP address. You only need to configure management access according to the sections in this chapter.

Hi Marvin,

thanks for your answer.

Do you have any advice/best practice to restrict the ASDM/SSH access user-based? 

I have already tested the LDAP functionality. For access via e.g. ASDM you need an Active Directory account. But I could not create restrictions for only special users or groups. In the tests everyone with an AD account was able to connect (when he/she comes from the right IP subnet which is allowed to connect).

Am I right that I need to configure a RADIUS server or a Cisco server like Cisco Context Directory Agent for that? Are there the same requirements as for user-based firewall rules?

Thanks in advance

We normally use basic LDAP / AD AAA server for VPN authentication - there are some good articles on using LDAP group membership in that case. See the following, for example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

If you want to be more granular with respect to Authorization for cli / ASDM users, then you would be better served by activating the NPS role in your AD server and integrating that way. This article shows you how:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

You can do similar Authorization with any RADIUS or TACACS+ server, including Cisco ACS and ISE (all versions as a RADIUS server or version 2.0 as a TACACS server).

Cisco CDA is used for Identity Firewall functions (available since ASA 8.3) such as using username in ACLs or, in the case of the now end-of-sale CX module, for getting username-IP mapping from AD to enforce policies using that context-based awareness.
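The two points above (restricting the source of ASDM/SSH sessions without a "Management Access Rule", and then moving to per-user/per-group authorization through a RADIUS server such as NPS) as one added ASA CLI example. This is not configuration from the thread or from Cisco's linked articles; the interface name, addresses, server name, shared secret, username and AD group are placeholders, and the NPS-side policy that returns Service-Type per AD group is assumed to be set up as in the NPS article Marvin links.

```text
! Added example, not from the original post. All addresses, names and secrets are placeholders.

! 1. Restrict WHO may open ASDM/HTTPS and SSH sessions to the ASA itself.
!    Traffic to the box is governed by these host statements, not by the
!    interface ACL ("Management Access Rules"), so a whole-subnet entry here
!    is what let the other PCs in. Replace it with the single test host.
http server enable
no http 192.0.2.0 255.255.255.0 inside
http 192.0.2.10 255.255.255.255 inside
ssh 192.0.2.10 255.255.255.255 inside
ssh version 2
ssh timeout 10

! 2. Authenticate management logins against RADIUS (e.g. Microsoft NPS).
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.20
 key SHARED-SECRET-PLACEHOLDER

! SSH, ASDM/HTTPS and "enable" all go to the server; LOCAL is the fallback
! if the server is unreachable.
aaa authentication ssh console NPS-RADIUS LOCAL
aaa authentication http console NPS-RADIUS LOCAL
aaa authentication enable console NPS-RADIUS LOCAL

! 3. Let the server's reply decide the access level (this is the per-group
!    restriction LDAP-only authentication did not give). The ASA reads the
!    IETF Service-Type attribute: 6 (Administrative) = full access,
!    7 (NAS-Prompt) = CLI only, no ASDM configuration, 5 (Outbound) = denied.
!    Assumed: the NPS network policy matched on the AD group
!    "ASA-Admins" (placeholder) returns Service-Type = Administrative.
aaa authorization exec authentication-server

! 4. Keep one local break-glass account so a RADIUS outage cannot lock
!    every administrator out.
username asa-admin password STRONG-PASSWORD-PLACEHOLDER privilege 15
```

Order matters when applying this: configure and test the AAA server (`test aaa-server authentication NPS-RADIUS host 192.0.2.20 username asa-admin`) before switching `aaa authentication ... console` over to it, and keep the local user in place, otherwise a typo in the shared secret or a wrong Service-Type mapping on NPS takes ASDM and SSH away from everyone at once. Users whose NPS policy returns no Administrative Service-Type are the ones who will now be refused, which is exactly the group-based restriction the thread is after.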

Thanks,
I will try out those possibilities.
