[c-nsp] How to easily and securely pull configuration from a PIX/ASA
Christian Zeng
christian at zengl.net
Sat Dec 8 06:07:08 EST 2007
Hi,
* Tassos Chatzithomaoglou wrote:
> "sh run" is a special case and cannot be used like this. If you move it to level 1, then a user of
> level 1 will be able to see only the part of the config which he can configure with that
> level...which means nothing! You have to change the priv level of all the configure commands that
> are used in the config to the same level as the user.
This is true for IOS, but not the case for PIX/ASA. You can move the sh
run command to one of the unused priv levels:
privilege show level 7 mode exec command running-config
This will print the complete config without moving additional config
mode commands from 15 to 7. No additional access is granted, so
configure mode access is still not possible (ena 15 does still work, iirc).
Username: priv7
Password: *****
Type help or '?' for a list of available commands.
pixfirewall> ena 7
Password: ****** (enable password for level 7)
pixfirewall# sh curp
Username : enable_7
Current privilege level : 7
Current Mode/s : P_PRIV
pixfirewall# conf t
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
pixfirewall# show run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 93fkWsmDm1dopc2h level 7 encrypted
enable password XPPSm.Or8PKz3zl/ encrypted
[...]
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted
username priv7 password HoppQQsJ12XobwfQ encrypted
aaa authentication serial console LOCAL (change serial to SSH or telnet)
aaa authorization command LOCAL
privilege show level 7 mode exec command running-config
Basically, everyone who knows the level 7 enable password can read the
config. Note that after ena 7, there is only the user 'enable_XX'
authenticated.
If you don't want separate enable passwords, you can use the user
password as the enable password and allow the user to gain access only to
the privilege level he is configured for. You then need to assign
privilege levels to every user account:
aaa authentication enable console LOCAL
username priv15 password UkOi6bg0MlQFcljE encrypted privilege 15
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7
Username: priv7
Password: *****
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ***** (user password)
pixfirewall# show curp
Username : priv7
Current privilege level : 7
Current Mode/s : P_PRIV
pixfirewall#
pixfirewall# ena 15
^
ERROR: % Invalid input detected at '^' marker.
pixfirewall# ?
clear Reset functions
debug Debugging functions (see also 'undebug')
exit Exit from the EXEC
help Interactive help for commands
logout Exit from the EXEC
no Negate a command or set its defaults
ping Send echo messages
quit Exit from the EXEC
show Show running system information
test Test subsystems, memory, interfaces, and configurations
traceroute Trace route to destination
undebug Disable debugging functions (see also 'debug')
pixfirewall# show ?
checksum Display configuration information cryptochecksum
curpriv Display current privilege level
debug Show state of each debugging option
flash: Display information about flash: file system
history Display the session command history
rip IP RIP show commands
running-config Show current operating configuration
sla Service Level Agreement (SLA)
startup-config Show contents of startup configuration
track Tracking information
version Display system software version
pixfirewall# show run
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password XPPSm.Or8PKz3zl/ encrypted
names
!
interface Ethernet0
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
privilege show level 7 mode exec command running-config
prompt hostname context
Cryptochecksum:e1779e7fc5b93ce74d5a294d6e836866
: end
Christian
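An added example, not Christian's or Cisco's code: a small audit of a captured PIX/ASA running-config that checks the read-only-level setup described in the post. It assumes you already pulled the text of `show running-config` (for instance over SSH as the low-privilege user) and only inspects that text; the `privilege ... level ... mode ... command ...`, `enable password ... level N`, `username ... privilege N` and `aaa` line shapes it parses are the ones shown in the post. The sample config below is constructed from the post's fragments, not captured from a device, and the "weak" variant is a deliberately broken copy used to show the checks firing.

```python
"""Audit a PIX/ASA running-config for a read-only 'show running-config'
privilege level as set up in the post above.

Added example, not the poster's or Cisco's code. It checks only what can be
read from the config text.
"""
import re

# Constructed sample modelled on the config fragments in the post; it was not
# captured from a device. Replace it with the output of 'show running-config'.
SAMPLE_CONFIG = """\
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 93fkWsmDm1dopc2h level 7 encrypted
enable password XPPSm.Or8PKz3zl/ encrypted
username normal password 4ZlAPWH5KYTNKMAZ encrypted
username priv15 password UkOi6bg0MlQFcljE encrypted privilege 15
username priv7 password HoppQQsJ12XobwfQ encrypted privilege 7
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
privilege show level 7 mode exec command running-config
: end
"""

# Weakened variant (constructed): command authorization removed and a
# configure-mode command moved down to level 7, the mistake the post warns about.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authorization command LOCAL\n",
    "privilege cmd level 7 mode configure command interface\n")

PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>.+)$")
USER_RE = re.compile(r"^username\s+(?P<name>\S+)\s.*\bprivilege\s+(?P<level>\d+)$")
ENABLE_RE = re.compile(r"^enable\s+password\s+\S+\s+level\s+(?P<level>\d+)\b")


def parse(config_text):
    """Pull out the lines that decide who can read the config and how."""
    cfg = {"privs": [], "users": {}, "enable_levels": set(),
           "authz_local": False, "auth_enable_local": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := PRIV_RE.match(line)):
            cfg["privs"].append({"kind": m["kind"], "level": int(m["level"]),
                                 "mode": m["mode"] or "", "cmd": m["cmd"].strip()})
        elif (m := USER_RE.match(line)):
            cfg["users"][m["name"]] = int(m["level"])
        elif (m := ENABLE_RE.match(line)):
            cfg["enable_levels"].add(int(m["level"]))
        elif line == "aaa authorization command LOCAL":
            cfg["authz_local"] = True
        elif line == "aaa authentication enable console LOCAL":
            cfg["auth_enable_local"] = True
    return cfg


def audit(config_text, level=7):
    """Return a list of findings; an empty list means the setup matches the post."""
    cfg = parse(config_text)
    findings = []
    # Local command authorization is what makes the per-command levels bite.
    if not cfg["authz_local"]:
        findings.append("aaa authorization command LOCAL is missing, so command "
                        "privilege levels are not enforced")
    # The one command the read-only level is supposed to have.
    if not any(p["kind"] == "show" and p["cmd"] == "running-config"
               and p["level"] == level for p in cfg["privs"]):
        findings.append(f"show running-config is not assigned to level {level}")
    # Anything else moved down to (or below) that level that is not a show.
    for p in cfg["privs"]:
        if p["level"] <= level and (p["kind"] != "show"
                                    or p["mode"] in ("configure", "config")):
            findings.append(f"level {p['level']} grants a non-read-only command: "
                            f"{p['kind']} {p['cmd']} (mode {p['mode'] or 'default'})")
    # Either route from the post: a level-N enable password, or a user whose
    # own password is the enable password (aaa authentication enable console LOCAL).
    via_enable = level in cfg["enable_levels"]
    via_user = cfg["auth_enable_local"] and level in cfg["users"].values()
    if not (via_enable or via_user):
        findings.append(f"no way to reach level {level}: add 'enable password ... "
                        f"level {level}' or a user with 'privilege {level}' plus "
                        "'aaa authentication enable console LOCAL'")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(text) or ["ok"])
```

Run it against the text you pulled from the box; an empty finding list means the low-privilege account gets `show running-config` and nothing else that changes state, and that the level is actually reachable. The check is deliberately limited to what the post covers (privilege assignments, enable paths, command authorization); it does not verify the Cryptochecksum or anything about the transport used to fetch the config.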