Here is how to configure users with different privilege levels for ASDM access on an ASA or PIX, assuming AAA authentication for access to the box is already configured.
- Make the ASA take privilege levels into account (they are ignored by default). In ASDM:
  Configuration –> Device Management –> Users/AAA –> AAA Access –> Authorization
  enable “Enable authorization for ASA command access” and set it to “LOCAL”
- Make the ASA take the privilege level from ACS (if no external AAA server is configured, skip this step; the level then comes from the local username entry):
  enable “Perform authorization for exec shell access” and set it to “Remote server”
- On ACS, go to Group Setup –> Edit, and under “TACACS+ Settings”:
  - check “Shell (exec)”
  - check “Privilege level”
  - set “Privilege level” to 5 (or whatever level you want: 15 is full admin, 5 is read-only, 3 is monitor only)
  - create a user and assign it to the group
If a user’s group does not carry these ACS settings, the user cannot log in at all, so configure them for every group, including the ones with full access (level 15).
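The same setup from the ASA command line, as an added example that is not part of the original post. The AAA server group name (ACS), the TACACS+ host address 192.168.1.20, the shared secret and the local fallback account are assumptions; replace them with your own values.

```cisco
! Added example, not from the original post: the CLI equivalent of the
! ASDM/ACS steps above. Assumed values: AAA server group "ACS", TACACS+
! host 192.168.1.20 on the inside interface, shared secret "s3cret", and
! a local fallback admin account "admin".
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.1.20
 key s3cret
!
! Authenticate ASDM (HTTPS) and SSH logins against ACS; the local
! database is consulted only when no ACS server is reachable.
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
!
! "Enable authorization for ASA command access" set to LOCAL: each
! command is checked against the local privilege table (see
! "show running-config all privilege"), which is what makes ASDM
! honour privilege levels at all.
aaa authorization command LOCAL
!
! "Perform authorization for exec shell access" set to "Remote server":
! the session's privilege level is the Shell (exec) privilege level
! returned by ACS. A user whose ACS group returns no shell attributes
! is rejected.
aaa authorization exec authentication-server
!
! Local fallback account with an explicit level (local users default
! to privilege 2), so the box stays manageable if ACS is unreachable.
username admin password Str0ngPassw0rd privilege 15
```

After logging in over SSH, `show curpriv` shows the level the session actually received, which is the quickest way to confirm that ACS is returning the expected value for a given group.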
The following policy lets host 192.168.1.10 reach only battikh.com over HTTP (port 80); every other host can access anything. A Layer 3/4 class map selects port-80 traffic from 192.168.1.10, and an HTTP inspection policy applied only to that traffic drops any request whose Host header does not match the regex. Traffic not permitted by the ACL is simply not in the class and is not touched by this policy, so no explicit deny entry is needed.
regex battikh battikh\.com
access-list allow_battikh_acl extended permit tcp host 192.168.1.10 any eq 80
class-map allow_battikh_class
 match access-list allow_battikh_acl
class-map type inspect http match-all allow-url-class
 match not request header host regex battikh
policy-map type inspect http allow-url-policy
 class allow-url-class
  drop-connection log
policy-map allow-user-url-policy
 class allow_battikh_class
  inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
Two caveats: the regex is unanchored, so it also matches Host values such as battikh.com.example.net; anchor it (^battikh\.com$) if that matters. And only one service policy can be applied per interface, so if inside already has one, add the class allow_battikh_class with its inspect action to that existing policy map instead. HTTPS is not covered at all, since the Host header is inside TLS.