Monday, 22 June 2009

EN - "ASDM" command restrictions

This one I just received via Twitter (well, I grabbed it from my search stream): Can you restrict ASDM so that users can only view parts of the configuration?

Well, "yes you can".
I've created a quick and dirty configuration that should reflect these settings.
Update: tested on real hardware with real VPN connections (ASA 5505 running 8.0(3) with ASDM 6.2.1). Works quite well: users can only view, they cannot reset or disconnect sessions. Some commands were added so that all VPN settings are visible in ASDM.


PIX Version 8.0(3)
!
hostname PIX
domain-name playingwithnetworks.com
enable password 123 encrypted
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.188.2 255.255.255.0
!
!
!
dns server-group DefaultDNS
domain-name playingwithnetworks.com
pager lines 24
logging enable
logging buffered debugging
logging asdm errors
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-621.bin
!
!
!

dynamic-access-policy-record DfltAccessPolicy

! IMPORTANT: without these two lines the privilege levels are never enforced
! for ASDM users and the whole restriction will not work
aaa authentication http console LOCAL
aaa authorization command LOCAL

http server enable
http 192.168.188.0 255.255.255.0 inside
!
!
!
username VPNSUPPORT password 123 encrypted privilege 2
!
! show commands lowered to privilege level 2 so that the VPNSUPPORT user may run them
privilege show level 2 mode exec command running-config
privilege show level 2 mode exec command version
privilege show level 2 mode exec command interface
privilege show level 2 mode exec command logging
privilege show level 2 mode exec command aaa
privilege show level 2 mode exec command crypto
privilege show level 2 mode exec command vpn-sessiondb
privilege show level 2 mode exec command vpnclient
privilege show level 2 mode exec command vpn
privilege show level 2 mode exec command blocks
privilege show level 2 mode exec command webvpn
privilege show level 2 mode exec command compression
!
prompt hostname context


That should be enough to let the VPNSUPPORT user see the status of your VPN connections in ASDM, and only see them: at level 2 the user can neither reset nor disconnect a session, because only show commands have been lowered to that level. One caveat: granting show running-config at level 2 lets the user read the entire running configuration, not only the VPN parts. If that is more than you want to expose, drop that line and keep only the specific show commands.

If the user needs further ASDM screens, there is a simple trick. Turn on HTTP debugging on the ASA:


debug http 250


The ASA answers "debug http enabled at level 250". Now log in to ASDM as the low-privilege user and click through to the screen you need. The debug output shows which URL ASDM requested, and from that you can see which commands you still have to enable.
For example, if you open the Monitoring > Interfaces screen you will see, among others, this debug line:


HTTP: processing GET URL '/admin/exec/show+ipv6+neighbor'


With this information you can add ipv6 to the level-2 show privileges in the same way as the commands above, if you need that screen. Don't forget to switch the debug off again afterwards (no debug http).
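The URL-to-command mapping described above can be automated. The following script is an added example (my own code, not part of the original post and not a Cisco tool): it reads captured debug http output, extracts the commands ASDM asked for, and prints the privilege lines that would allow them at level 2, skipping the ones the configuration above already grants. It assumes the URL layout shown in the post (/admin/exec/ followed by the command with words joined by +) and additionally assumes that ASDM may chain several commands in one request separated by /. The sample debug lines are constructed for the demo (only the show ipv6 neighbor line is from the post), and the list of verbs the script refuses to grant (clear, configure and so on) is a choice for a view-only user, not something the ASA enforces by itself.

```python
"""
Turn the URLs seen in ASA 'debug http' output into the 'privilege' lines a
restricted ASDM user would need.

Added example, not code from the original post. Assumptions: ASDM fetches
commands as '/admin/exec/<cmd>' with words joined by '+' (as in the post), and
several commands may be chained in one request separated by '/' (assumption).
"""
import re
from urllib.parse import unquote

# Constructed sample of what 'debug http 250' prints while a level-2 ASDM user
# clicks around. Only the first line is from the post; the others are made up
# in the same format for illustration.
SAMPLE_DEBUG = """\
HTTP: processing GET URL '/admin/exec/show+ipv6+neighbor'
HTTP: processing GET URL '/admin/exec/show+version/show+curpriv'
HTTP: processing GET URL '/admin/exec/show+vpn-sessiondb+summary'
HTTP: processing GET URL '/admin/exec/perfmon+interval+10'
HTTP: processing GET URL '/admin/exec/show+ipv6+neighbor'
HTTP: processing GET URL '/admin/exec/clear+vpn-sessiondb+remote'
HTTP: 200 OK
"""

URL_RE = re.compile(r"processing GET URL '/admin/exec/([^']+)'")

# show commands the post's configuration already lowers to level 2.
ALREADY_GRANTED = {("show", kw) for kw in (
    "running-config", "version", "interface", "logging", "aaa", "crypto",
    "vpn-sessiondb", "vpnclient", "vpn", "blocks", "webvpn", "compression")}

# Verbs a view-only helpdesk user must never get: they change state.
# (Design choice for this script, not an ASA default.)
DENY_VERBS = {"clear", "configure", "reload", "copy", "write"}


def commands_from_debug(text):
    """Yield (verb, keyword) pairs for every command ASDM requested."""
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        # Split chained commands first, then URL-decode each one, so an
        # encoded '/' inside a command cannot be mistaken for a separator.
        for chunk in m.group(1).split("/"):
            words = [w for w in unquote(chunk).split("+") if w]
            if len(words) >= 2:
                yield words[0], words[1]
            elif words:
                yield words[0], None


def privilege_line(verb, keyword, level=2):
    """Map one command to the ASA 'privilege' statement that allows it."""
    if verb == "show":
        return f"privilege show level {level} mode exec command {keyword}"
    if verb == "clear":
        return f"privilege clear level {level} mode exec command {keyword}"
    # For any other verb the top-level word itself is the command.
    return f"privilege cmd level {level} mode exec command {verb}"


def needed_privileges(text, level=2, granted=ALREADY_GRANTED):
    """Return (allow, denied): privilege lines to add, and commands refused."""
    allow, denied, seen = [], [], set()
    for verb, kw in commands_from_debug(text):
        # show/clear are keyed by their sub-command, everything else by verb.
        key = (verb, kw if verb in ("show", "clear") else None)
        if key in seen:
            continue
        seen.add(key)
        if verb in DENY_VERBS:
            denied.append(f"{verb} {kw}".strip())
            continue
        if key in granted:
            continue
        allow.append(privilege_line(verb, kw, level))
    return allow, denied


if __name__ == "__main__":
    allow, denied = needed_privileges(SAMPLE_DEBUG)
    print("! add to the ASA configuration:")
    for line in allow:
        print(line)
    print("! requested by ASDM but refused for a view-only user:")
    for cmd in denied:
        print("! " + cmd)
```

Paste the debug lines captured during the click-through into SAMPLE_DEBUG (or read them from a file) and review the printed lines before adding them to the configuration; anything in the refused list is a command ASDM wanted to run that a view-only user should not have.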

Hope that helps
NWG