
restricting user access to ssh

donnie
Level 1

Hi all. I have enabled SSH as a form of remote access to my asa5510. However, I notice that user accounts that were added to my asa5510 for VPN purposes are able to access my firewall using SSH as well. Hence, is it possible to restrict access to the firewall via SSH to only specific users? Can I configure that using ASDM?

2 Replies

Farrukh Haroon
VIP Alumni

If both are using the local database (SSH and VPN) I don't think you can restrict based on any particular user. However, you can restrict management access based on IP addresses, so just add the NetOps/SecOps IPs. Also, VPN users can be restricted using the vpn-filter command AFAIR. Even if they log on to the level 1 prompt, they would still require the enable password to cause severe damage (but still this is bad for security anyway).

The best approach is to use an external AAA server.

Regards

Farrukh

Marwan ALshawi
VIP Alumni

I agree that with external AAA you are going to have more flexibility,

especially when you use downloadable ACLs,

which give you the ability to make restrictions at the user level.

In addition, try the following:

if your VPN pool is 192.168.1.0/24,

try to deny SSH traffic from these IPs.

In addition,

try the following command:

ssh 10.1.1.0 255.255.255.0 inside

assuming that your inside IPs are 10.1.1.0/24.

Also try to make a split tunneling ACL that ignores SSH traffic;

in this case the SSH traffic will not be part of the VPN tunnel,

and deny it from outside.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

good luck

Rate, if helpful
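The pieces suggested in the two replies (an ssh line limited to the inside admin subnet, a vpn-filter on the VPN group policy, a split-tunnel list, and an external AAA server for SSH login), pulled together into one ASA configuration fragment. This is an added example, not configuration from the thread or from Cisco; it assumes the 10.1.1.0/24 inside network and 192.168.1.0/24 VPN pool from Marwan's reply, and the firewall inside address 10.1.1.1, the group-policy name RA_VPN_POLICY, the TACACS+ server 10.1.1.50 and the ACL names are placeholders chosen for the example.

```cisco
! Added example (not from the original thread). Assumed values:
!   inside network 10.1.1.0/24, VPN pool 192.168.1.0/24 (from the reply above),
!   firewall inside address 10.1.1.1, group policy RA_VPN_POLICY,
!   TACACS+ server 10.1.1.50 (placeholders).

! 1. Allow SSH to the management plane only from the inside admin subnet.
!    No 'ssh ... outside' line and no line covering the VPN pool, so a VPN
!    client is refused at the transport level before any login prompt.
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! 2. vpn-filter: applied per group policy to decrypted VPN traffic.
!    Source is the client pool, destination is the local network.
!    The ACL ends with an implicit deny, so the permit line is required.
access-list VPN_FILTER extended deny tcp 192.168.1.0 255.255.255.0 host 10.1.1.1 eq 22
access-list VPN_FILTER extended permit ip 192.168.1.0 255.255.255.0 any
group-policy RA_VPN_POLICY attributes
 vpn-filter value VPN_FILTER

! 3. Split tunnel: only the inside network is sent through the tunnel.
!    SSH aimed at the firewall's outside address is therefore untunneled,
!    and with no 'ssh ... outside' line it is refused there as well.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy RA_VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 4. Authenticate SSH against an external AAA server so that VPN-only
!    accounts in the LOCAL database are never consulted for management.
aaa-server ADMIN_TACACS protocol tacacs+
aaa-server ADMIN_TACACS (inside) host 10.1.1.50
 key <shared-secret-placeholder>
aaa authentication ssh console ADMIN_TACACS LOCAL
```

Two checks after applying it: `show running-config ssh` should list only the inside subnet, and `show running-config access-list VPN_FILTER` confirms the deny line precedes the permit. The trailing `LOCAL` in the `aaa authentication ssh console` line is a fallback used only when the TACACS+ server is unreachable; while that fallback is active the local VPN accounts can log in to SSH again, so the ssh-by-IP restriction in step 1 is what holds the line during an AAA outage.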