Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1114
Views
0
Helpful
2
Replies
lkadlik
lkadlik Beginner
Beginner
‎08-05-2010 01:15 PM
‎08-05-2010 01:15 PM

block firewall access for local asa vpn accounts

I am looking at the local accounts on the firewall and would like to make sure that the users who have local accounts for vpn have not access to the firewall itself via asdm, telnet, ssh for management.


The only aaa command on the firewall is

aaa authentication ssh console LOCAL


With this command, if i change the local account setting to "NO ASDM, SSH, Telnet or Console Access"  ( see attached screen shot) will this still allow the users to vpn in and access the network as they should but remove any potential access to the firewall ?

Thank you

Labels:
Everyone's tags (7)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Waris Hussain
Waris Hussain Beginner
Beginner
‎08-05-2010 09:54 PM
‎08-05-2010 09:54 PM

Re: block firewall access for local asa vpn accounts

Hi,

Yes if you select the option " No , ASDM, SSH, TELNET  or Console Access " will only block the admin access to  the firewall  . Here is  the CLI equivalent for this option :


myASA(config-username)# service-type ?

username mode commands/options:
  admin          User is allowed access to the configuration prompt.
  nas-prompt     User is allowed access to the exec prompt.
  remote-access  User is allowed network access.

So if you use that last option you will be on third option in the list above which is remote-access. Users will have the option to VPN in but no admin ( ssh, telnet or asdm or console )

Thanks

Waris Hussain.

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Waris Hussain
Waris Hussain Beginner
Beginner
‎08-05-2010 09:54 PM
‎08-05-2010 09:54 PM

Re: block firewall access for local asa vpn accounts

Hi,

Yes if you select the option " No , ASDM, SSH, TELNET  or Console Access " will only block the admin access to  the firewall  . Here is  the CLI equivalent for this option :


myASA(config-username)# service-type ?

username mode commands/options:
  admin          User is allowed access to the configuration prompt.
  nas-prompt     User is allowed access to the exec prompt.
  remote-access  User is allowed network access.

So if you use that last option you will be on third option in the list above which is remote-access. Users will have the option to VPN in but no admin ( ssh, telnet or asdm or console )

Thanks

Waris Hussain.

View solution in original post

0 Helpful
Reply
Highlighted
alexandro.angel@softtek.com
alexandro.angel@softtek.com Beginner
Beginner
‎06-26-2019 09:49 AM
‎06-26-2019 09:49 AM

Re: block firewall access for local asa vpn accounts

Team - Please allow me to resurect this old post, I just applied that configuration but appears not to be working... The user is still able to ssh the ASA. Can someone please share the experience?

 

Kind Regards,

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 11:00 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 10:55 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
CreatePlease to create content
Discussion
Blog
Document
Video