
block firewall access for local asa vpn accounts

I am looking at the local accounts on the firewall and would like to make sure that the users who have local accounts for VPN do not have access to the firewall itself via ASDM, telnet or SSH for management.


The only aaa command on the firewall is

aaa authentication ssh console LOCAL


With this command, if I change the local account setting to "No ASDM, SSH, Telnet or Console Access" (see attached screenshot), will this still allow the users to VPN in and access the network as they should, but remove any potential access to the firewall?

Thank you

1 ACCEPTED SOLUTION

Re: block firewall access for local asa vpn accounts

Hi,

Yes, if you select the option "No ASDM, SSH, TELNET or Console Access", it will only block the admin access to the firewall. Here is the CLI equivalent for this option:


myASA(config-username)# service-type ?

username mode commands/options:
  admin          User is allowed access to the configuration prompt.
  nas-prompt     User is allowed access to the exec prompt.
  remote-access  User is allowed network access.

So if you use that option you will be on the third option in the list above, which is remote-access. Users will have the option to VPN in but no admin access (ssh, telnet, asdm or console).

Thanks

Waris Hussain.

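The accepted answer describes the per-user `service-type` setting; a practitioner will usually want to audit the whole running-config rather than click through one account at a time. The script below is an added example, not code from the thread or from Cisco. It parses the text of `show running-config` (assumed layout: `username NAME password ...` lines, `username NAME attributes` blocks whose body lines are indented by one space, and `aaa authentication <service> console LOCAL` lines) and lists every local account that is not restricted to `service-type remote-access` while some management service authenticates against the LOCAL database, so the reviewer can confirm each one is meant to have management rights. It also reports when `aaa authorization exec LOCAL` (or `authentication-server`) is absent, since on the ASA the service-type is only enforced for management logins when management authorization is enabled. The sample config is constructed, with placeholder hashes.

```python
"""Audit an ASA running-config for local accounts that are not restricted to VPN use.

Added example, not from the thread. Assumes the standard ASA running-config layout:
`username NAME password ...` lines, optional `username NAME attributes` blocks whose
body lines are indented one space, and `aaa authentication <svc> console LOCAL` lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample config (not from the thread); hashes are placeholders.
SAMPLE_CONFIG = """\
hostname myASA
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
username netadmin password <PLACEHOLDER-HASH> privilege 15
username netadmin attributes
 service-type admin
username vpnuser1 password <PLACEHOLDER-HASH>
username vpnuser1 attributes
 service-type remote-access
username vpnuser2 password <PLACEHOLDER-HASH>
"""

AAA_LOCAL_RE = re.compile(r"^aaa authentication (\S+) console LOCAL\b")
AUTHZ_RE = re.compile(r"^aaa authorization exec (LOCAL|authentication-server)\b")
USERNAME_RE = re.compile(r"^username (\S+) (?:password|nopassword)\b")
ATTR_RE = re.compile(r"^username (\S+) attributes\b")
SERVICE_RE = re.compile(r"^\s+service-type (\S+)")


@dataclass
class Audit:
    local_auth_services: Set[str] = field(default_factory=set)  # e.g. {"ssh", "http"}
    management_authz: bool = False  # is an 'aaa authorization exec' line present?
    service_type: Dict[str, Optional[str]] = field(default_factory=dict)  # user -> type

    def unrestricted_users(self) -> List[str]:
        """Local users not limited to remote-access while a console service uses LOCAL."""
        if not self.local_auth_services:
            return []
        return sorted(u for u, st in self.service_type.items() if st != "remote-access")


def parse_config(text: str) -> Audit:
    audit = Audit()
    current: Optional[str] = None  # username whose attributes block we are inside
    for line in text.splitlines():
        if line.startswith(" "):
            m = SERVICE_RE.match(line)
            if m and current is not None:
                audit.service_type[current] = m.group(1)
            continue
        current = None  # any unindented line ends an attributes block
        m = AAA_LOCAL_RE.match(line)
        if m:
            audit.local_auth_services.add(m.group(1))
            continue
        if AUTHZ_RE.match(line):
            audit.management_authz = True
            continue
        m = USERNAME_RE.match(line)
        if m:
            audit.service_type.setdefault(m.group(1), None)
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            audit.service_type.setdefault(current, None)
    return audit


def report(text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to act on."""
    audit = parse_config(text)
    findings = []
    for user in audit.unrestricted_users():
        findings.append(f"{user}: local account without 'service-type remote-access'")
    if audit.local_auth_services and not audit.management_authz:
        findings.append("no 'aaa authorization exec' line: service-type is not "
                        "enforced for management logins")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of `show running-config`; on the constructed sample it lists `netadmin` (intentionally admin) and `vpnuser2` (no attributes block at all), which is the case the original question is about: a VPN account that was never explicitly restricted. An entry in this list is a prompt to check the account, not proof of misconfiguration.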

Re: block firewall access for local asa vpn accounts

Team - Please allow me to resurrect this old post. I just applied that configuration but it appears not to be working... The user is still able to SSH to the ASA. Can someone please share their experience?


Kind Regards,