
Restrict SSH access on Cisco ASA

Did you know that if you add a user to the local database on an ASA and have the “aaa authentication ssh console LOCAL” command configured, your users will have full access to the ASA?  Not only will they have VPN access, they will also have full config t access to the box.  You may be saying they don’t, because they don’t have the enable password.  That’s not true: if you issue the “login” command and authenticate again, you have full access.  To fix this security issue, make sure you are on version 8 of the ASA code.

Issue this command:

aaa authorization exec authentication-server

Then go into the user attributes (for the test I will use a user named test):

username test attributes

Then issue:

service-type remote-access

Now the user only has VPN access and no access into the ASA.  This means he can no longer SSH into the box.
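As an added audit script, not part of the original article, the following Python check reads an ASA running-config and reports whether SSH authenticates against LOCAL without exec authorization (the situation described above) and which local users still hold CLI access. The two configs embedded in it are constructed samples and the user names are hypothetical.

```python
import re

# Constructed sample running-config (not captured from a real device).
WEAK_CONFIG = """\
aaa authentication ssh console LOCAL
username test password AbCdEfGh encrypted
username test attributes
 service-type remote-access
username ops password IjKlMnOp encrypted
username vpnonly password QrStUvWx encrypted
username vpnonly attributes
 vpn-group-policy VPN_POLICY
"""

# Same config with the article's fix applied to the vpnonly account.
FIXED_CONFIG = WEAK_CONFIG.replace(
    " vpn-group-policy VPN_POLICY\n",
    " vpn-group-policy VPN_POLICY\n service-type remote-access\n",
) + "aaa authorization exec authentication-server\n"

def parse_user_attributes(config: str) -> dict:
    """Map every local username to the lines in its 'attributes' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username (\S+) (.*)$", line)
        if m:
            users.setdefault(m.group(1), [])
            current = m.group(1) if m.group(2) == "attributes" else None
        elif current and line.startswith(" "):
            users[current].append(line.strip())
        else:
            current = None
    return users

def audit_ssh_access(config: str) -> dict:
    """Report which local users keep CLI access when SSH authenticates to LOCAL."""
    lines = {ln.strip() for ln in config.splitlines()}
    local_ssh = "aaa authentication ssh console LOCAL" in lines
    exec_authz = "aaa authorization exec authentication-server" in lines
    users = parse_user_attributes(config)
    vpn_only = sorted(u for u, a in users.items() if "service-type remote-access" in a)
    # Without exec authorization the service-type is not enforced, so every
    # local user can SSH in and, via 'login', reach config mode.
    mgmt = sorted(users) if not exec_authz else sorted(set(users) - set(vpn_only))
    findings = []
    if local_ssh and not exec_authz:
        findings.append("exec authorization missing: service-type not enforced")
    return {"local_ssh": local_ssh, "exec_authz": exec_authz, "findings": findings,
            "vpn_only_users": vpn_only, "management_users": mgmt}
```

Run it against a saved `show running-config` to list the accounts that still need the service-type restriction.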
