10-14-2014 12:37 PM - edited 03-11-2019 09:55 PM
Hi All,
I need to set up a restricted account for some juniors on my ASAs, so I have built the following:
aaa authorization command LOCAL
privilege show level 3 mode exec command vpn-sessiondb l2l
privilege show level 3 mode exec command crypto isakmp sa
privilege show level 3 mode exec command processes cpu-usage
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command switch
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command conn all
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command traceroute
username tech password <password> priv 3
enable password <password> level 3
Now I am a command line guy, but other members of my team are more comfortable on the GUI, so I can't just straight up disable HTTP, otherwise I would. With that said, if I create this user account, and a junior logs into an ASA via ASDM, will this control what they can see / what they can and cannot click on in the config tab of ASDM, or is there no way to do this? Further, will this keep them from being able to make changes in ASDM?
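A way to audit such a privilege configuration offline, as an added example that is not from this thread or from Cisco: it parses the `privilege` and `username` lines above and answers which commands the `tech` user may run at level 3. The longest-prefix matching rule and the default level of 15 for commands that are not re-leveled are assumptions made for this model, not a statement of ASA's own command tables.

```python
# Audit ASA 'privilege ... level N' lines: which commands may a user run?
# Assumptions (not ASA's tables): unlisted commands need level 15, and a
# typed command is matched by the longest configured command prefix.
import re

# Constructed input: the privilege and username lines from the post above.
ASA_CONFIG = """
aaa authorization command LOCAL
privilege show level 3 mode exec command vpn-sessiondb l2l
privilege show level 3 mode exec command crypto isakmp sa
privilege show level 3 mode exec command processes cpu-usage
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command switch
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command conn all
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command traceroute
username tech password <password> priv 3
"""

PRIV_RE = re.compile(r"^privilege (show|cmd) level (\d+) mode (\S+) command (.+)$")
USER_RE = re.compile(r"^username (\S+) .*\bpriv\w* (\d+)$")
DEFAULT_LEVEL = 15  # assumption: anything not re-leveled stays admin-only

def parse_privileges(config):
    """Return ({full command: level}, {username: level})."""
    cmds, users = {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            kind, level, _mode, cmd = m.groups()
            cmds["show " + cmd if kind == "show" else cmd] = int(level)
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return cmds, users

def required_level(cmds, command):
    """Level needed for a typed command: longest configured prefix wins."""
    best, best_len = DEFAULT_LEVEL, -1
    for pattern, level in cmds.items():
        if (command == pattern or command.startswith(pattern + " ")) and len(pattern) > best_len:
            best, best_len = level, len(pattern)
    return best

def can_run(cmds, users, user, command):
    """True if the user's privilege level reaches the command's level."""
    return users[user] >= required_level(cmds, command)
```

Under these assumptions `tech` can run `show interface outside` and `ping`, but `show running-config` and `configure terminal` stay at level 15.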
10-14-2014 06:49 PM
Hi,
Yes , this configuration will keep them from making any changes on the ASA device.
Thanks and Regards,
Vibhor Amrodia
10-15-2014 05:02 AM
Thanks.
Actually, I think I have a great solution to deny them ASDM access while still allowing administrators (we all come from the same address to the WAN) - I will just change the default HTTPS port and not distribute it.
10-15-2014 11:28 AM
So they pass the test to graduate out of junior status if they use nmap to scan the ASA's address and find the non-default port used by https?