How to configure SSH access to a Cisco ASA using the local user database

This configuration lets your users connect to the appliance over SSH with their own local accounts and, at the end, authenticate themselves into enable mode with their own password instead of a shared enable password.

!-- Configure a user (the <password> placeholder follows the same <...> convention as the ssh line below)
!-- privilege 15 matters once enable authentication is pointed at LOCAL (last step):
!-- the user is then granted their own privilege level, and the default is 2.
username MyUser password <password> privilege 15

!-- Configure SSH authentication to query the local user database of the appliance
aaa authentication ssh console LOCAL

!-- Access restrictions based on source IP; a host not listed here cannot open an SSH session
!-- ssh <IP> <Mask> <Interface>
ssh 172.10.10.200 255.255.255.255 inside
ssh 172.20.20.0 255.255.255.0 Mgmt

!-- The default SSH idle timeout is 5 minutes. Raise it only as far as you need:
!-- an abandoned session stays open, and usable, for that long.
ssh timeout 15

!-- DONE... almost.

If you also keep VPN users in the local user database, those accounts can log in to the appliance as well, because the default service-type of a local user is admin, so you will want to restrict management access per user.
This is done with management authorization (aaa authorization exec), not command authorization: it makes the ASA honour each user's service-type attribute.

!-- Management authorization for console (SSH, Telnet, ASDM) connections
aaa authorization exec LOCAL

!-- Configure user access
!-- service-type admin gives full access (ASDM, SSH, HTTPS, etc.); this is also the default
!-- service-type nas-prompt gives CLI access only; with enable authentication turned on, such a user cannot reach enable mode
!-- service-type remote-access denies all management access, but the user may still connect using VPN

username MyUser attributes
 service-type admin

!-- To keep the enable password secret, make users authenticate into elevated mode with their own password as well.
!-- Each user then receives the privilege level set on their username entry, so the admin account needs privilege 15.
aaa authentication enable console LOCAL
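Putting the pieces together, here is a complete, ordered version of the configuration described above as an added example; it is not the original post's own listing. It assumes ASA 9.x syntax, an interface named Mgmt, a management network 172.20.20.0/24, an admin account MyAdmin and a VPN-only account MyVpnUser. Hostname, domain, usernames, passwords and addresses are placeholders, and it goes one step further than the text by also generating the SSH host key and by showing the VPN-only user being locked out of management.

```cisco
! Added example, not from the original post. hostname, domain-name, usernames,
! passwords, addresses and the interface name are placeholders.
hostname asa-lab
domain-name lab.example

! SSH needs a host key on the ASA; generate one if none exists (2048-bit RSA assumed)
crypto key generate rsa modulus 2048
! On releases that still offer SSHv1, allow only version 2
ssh version 2

! Admin account. privilege 15 so that "enable", authenticated against LOCAL below,
! lands the admin at full privilege rather than the default level 2.
username MyAdmin password <admin-password> privilege 15
username MyAdmin attributes
 service-type admin

! VPN-only account: may authenticate to the VPN, but not to SSH, ASDM or enable.
! Without this, the default service-type (admin) would let it manage the box.
username MyVpnUser password <vpn-password>
username MyVpnUser attributes
 service-type remote-access

! Authenticate SSH logins and "enable" against the local user database
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Management authorization: makes the ASA honour the per-user service-type
aaa authorization exec LOCAL

! Only the management network may open SSH sessions; idle sessions are dropped after 15 minutes
ssh 172.20.20.0 255.255.255.0 Mgmt
ssh timeout 15
```

Test it from a second SSH session before you close the one you are working in, so a mistake in the aaa lines cannot lock you out: log in as MyAdmin, run enable with MyAdmin's own password, and confirm with show curpriv that you hold privilege level 15; an SSH login as MyVpnUser should be refused, and show ssh sessions lists who is currently connected.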
