7 Replies Latest reply on Nov 1, 2009 3:25 PM by Steve Welsh

    Security restriction on ASA

      I have CatTools working on my ASA; I connect via SSH2 using the username/password pair for the BACKUP user. I also have the "enable password" field populated with our enable password.


      I recently configured my ASA with a custom privilege level for the BACKUP user, limiting their commands to just a "show run".


      However, to make this work, the backup user has to do two things: 1. log in to the ASA via SSH; 2. type "login" and log in again. How can I get this more secure configuration to work with my CatTools? I went through all the options in "Device Configuration" but don't see anything.


      Thanks in advance.

        • Re: Security restriction on ASA
          Steve Welsh

          Hi,

          When you say for your step 2, type login and login again, are you referring to negotiating local (or some other secondary level) device authentication - i.e. responding to username and password prompts, or is this something else?

          Which version of CatTools are your running?

          Steve

            • Re: Security restriction on ASA

              Hi Steve,

              What I mean is that after I SSH and authenticate to the ASA with my special user (called bdback), I get dropped into user mode. To get into my privilege 2 command mode I have to type "login" and put in my bdback username and backup1 password a second time; finally I get to my pound prompt. See below:

              login as: bdback
              bdback@10.3.4.2's password:

              fw>
              fw> login
              Username: bdback
              Password: *********
              fw#

               These are the commands set on the ASA to lock down this bdback user and only allow a "sh run":

              username bdback password o6uLI5dreghe542kWQ encrypted
              aaa authorization command LOCAL
              privilege show level 2 mode exec command running-config

                • Re: Security restriction on ASA

                  Forgot to mention, I am running the CatTools free version 3.4.

                    • Re: Security restriction on ASA
                      Steve Welsh

                      Hi,

                      The CatTools Cisco ASA device script doesn't support this type of authentication. 

                      Is there any particular reason why you are using this method as opposed to the Cisco privileged levels for enable mode access (privileged EXEC), which CatTools does support?

                      Steve

                        • Re: Security restriction on ASA
                          Steve Welsh

                          Just to clarify further; this is the method of entering enable mode which is supported by CatTools:

                          login as: bdback
                          bdback@10.3.4.2's password:

                          fw>
                          fw> enable [level]
                          Password: *********
                          fw#

                          (Note: CatTools will also handle Username/Password authentication for enable mode, if this has been configured).

                          Steve

                            • Re: Security restriction on ASA

                              Steve,

                              Seems like a good option. I confirmed (from the CLI) that I can do a "show run" when I do:

                              fw> enable 2
                              Password: ******

                              How do I get this to work in CatTools? I tried some of the options in the "Passwords" field but can't seem to get this working. I am connecting via SSH2 to an ASA.

                                • Re: Security restriction on ASA
                                  Steve Welsh

                                  You should be able to setup your ASA as follows:

                                  In the Passwords tab:

                                  Add your SSH credentials to the SSH Username and SSH Password fields. *

                                  Add the Enable password to the Enable Password field.

                                  Add the enable privilege level (i.e. 2) to the Privilege Level field.

                                  That should do the trick!

                                  * Note: SSH Username and SSH Password fields were added in v3.4.   Previously the AAA Username and AAA Password fields were used for SSH credentials.
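
                                  For reference, here is the ASA side of the setup this thread ends up with, as an added example that is not part of any post above. It combines the three lines the original poster showed (the bdback user, LOCAL command authorization and the level-2 "show running-config" rule) with the pieces the "enable 2" approach relies on: SSH authenticating against the local user database, and an enable password defined for level 2 so that "enable 2" has something to check. The passwords, the management subnet and the interface name are placeholders, and the explicit "privilege 2" on the username is stated for clarity (ASA assigns privilege level 2 to a username by default when none is given).

```cisco
! Added example configuration (not from the original posts).
! Restricted backup account: may log in over SSH and run only
! "show running-config" once in privileged EXEC at level 2.

! SSH logins are checked against the local user database.
aaa authentication ssh console LOCAL

! Backup account; level 2 is also the ASA default when "privilege" is omitted.
username bdback password <backup-password> privilege 2

! Separate enable password that grants level 2 only, so "enable 2" works
! without handing the backup tool the level-15 enable password.
enable password <level2-enable-password> level 2

! Authorize each command against the local privilege levels.
aaa authorization command LOCAL

! The only command raised to level 2: "show running-config".
! Everything else keeps its default level (15 for configuration commands).
privilege show level 2 mode exec command running-config

! Permit SSH from the management host that runs CatTools.
ssh 10.3.4.0 255.255.255.0 inside
```

                                  With this in place the session matches the one Steve described: SSH as bdback, "enable 2", the level-2 enable password, then "show running-config". CatTools gets the bdback credentials in the SSH fields, the level-2 enable password in the Enable Password field and 2 in Privilege Level, so the full level-15 enable password never has to be stored in the backup tool.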