Re: OT:PIX read only user addition

From: Godswill Oletu (oletu@inbox.lv)
Date: Tue Sep 20 2005 - 03:55:07 GMT-3


Try...

username admin1 password cisco1 privilege 7
username admin2 password cisco2 privilege 7
...
...
username admin7 password cisco7 privilege 7
privilege show level 7 command crypto isa sa
privilege show level 7 command interface

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sysmgmt.htm#xtocid2

HTH

----- Original Message -----
From: "Mohamed.N" <mohamed_n@sifycorp.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 2:39 AM
Subject: Re: OT:PIX read only user addition

> I am not using TACACS, I am doing it locally.
> I have attached the configs, please help me
> I have removed the ACLs and some other unwanted commands for simplicity.
>
> I have some 6 or 7 users, who are administrators. They will login using their
> username and password, locally and not TACACS/RADIUS.
>
> I want to create a user who should be able to do only these commands:
>
> show crypto isa sa
> show interface
>
> I don't want that user to go to config mode, save the config or do any other
> critical thing that could bring the firewall down.
>
> Thanks a lot
> Mohamed.
>
> ----- Original Message -----
> From: "Todd Veillette" <tveillette@myeastern.com>
> To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
> Sent: Tuesday, September 20, 2005 8:04 AM
> Subject: Re: OT:PIX read only user addition
>
>
>> Do you have TACACS+ or are you doing this all locally? You need
>> authorization set up for the 15 and the 2 users.
>>
>> -TV
>>
>> ----- Original Message -----
>> From: "Mohamed.N" <mohamed_n@sifycorp.com>
>> To: <ccielab@groupstudy.com>
>> Sent: Monday, September 19, 2005 8:35 AM
>> Subject: Re: OT:PIX read only user addition
>>
>>
>> > Hi John,
>> > I already tried with that page,
>> > I am not getting the desired results.
>> > If I configure a user at level 2, most of the commands are accessible. Even a
>> > level 2 user can delete other users at a higher level.
>> > This is not exactly what I want.
>> > I want the user to see the output of only 2 commands.
>> > The user should not be able to go to configure mode, should not be able to
>> > save the configs etc.
>> >
>> > In a router, we can type "enable 2", but in PIX it is not accepting; it says
>> > once an AAA server is configured, we can't use enable 2!!!
>> >
>> > Regards
>> > Mohamed
>> > ----- Original Message -----
>> > From: "john matijevic" <john.matijevic@gmail.com>
>> > To: "Mohamed.N" <mohamed_n@sifycorp.com>
>> > Cc: <ccielab@groupstudy.com>
>> > Sent: Monday, September 19, 2005 4:06 PM
>> > Subject: Re: OT:PIX read only user addition
>> >
>> >
>> >> Hello Mohamed,
>> >> I gather the following information off of Cisco web site:
>> >> Understanding Privilege Settings
>> >>
>> >> Most commands in the PIX are at level 15, although a few are at level 0. To
>> >> show current settings for all commands, issue the following command.
>> >>
>> >> *show privilege all*
>> >>
>> >> Most commands are at level 15 by default, as shown in the following example.
>> >>
>> >> *privilege configure level 15 command route*
>> >>
>> >> A few are at level 0, as shown in the following example.
>> >>
>> >> *privilege show level 0 command curpriv*
>> >>
>> >> The following examples address the *clock* command. To determine the current
>> >> settings for the *clock* command, issue the following command.
>> >>
>> >> *show privilege command clock*
>> >>
>> >> The output of the *show privilege command clock* command shows us the *clock*
>> >> command exists in the following three forms.
>> >>
>> >> !--- Users at level 15 can issue the show clock command.
>> >> privilege show level 15 command clock
>> >> !--- Users at level 15 can issue the clear clock command.
>> >> privilege clear level 15 command clock
>> >> !--- Users at level 15 can configure the clock
>> >> !--- (for example, clock set 12:00:00 Jan 01 2001).
>> >> privilege configure level 15 command clock
>> >>
>> >> see the following link for additional details:
>> >>
>> >> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
>> >> Sincerely,
>> >> John
>> >>
>> >>
>> >> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
>> >> >
>> >> > Hi All,
>> >> > Sorry for OT. But I spent a lot of time on this.
>> >> > I want to add a user in PIX who can do only these 2 commands:
>> >> > show crypto isakmp sa
>> >> > show interface
>> >> > This user should not save the config, go to config mode or be able to do any
>> >> > config changes.
>> >> >
>> >> > I tried searching many pages.
>> >> > I tried using these commands
>> >> >
>> >> > enable password XXXX level 2
>> >> > username user pass XXXX priv 2
>> >> > privilege show level 2 command crypto
>> >> > privilege show level 2 command interface
>> >> >
>> >> > But there is no restriction. If I choose level 1 or 0, I am unable to go to
>> >> > enable mode at all, so I can't use the commands show crypto.
>> >> >
>> >> > Also I want to know what is the difference between level 1, level 2 and so on,
>> >> > and what significance it has in controlling the access to PIX?
>> >> >
>> >> >
>> >> > Regards
>> >> > N Mohamed
>> >> > Senior Network Engineer
>> >> > Technology-MIITS
>> >> > Sify Ltd
>> >> > Phone : +91-44-22540777 extn: 2082
>> >> > Mobile : +91-98401-27734
>> >> > Email : mohamed_n@sifycorp.com
>> >> >
>> >> >
> _______________________________________________________________________
>> >> > Subscription information may be found at:
>> >> > http://www.groupstudy.com/list/CCIELab.html
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> John Matijevic, CCIE #13254
>> >> U.S. Installation Group
>> >> Senior Network Engineer
>> >> 954-969-7160 ext. 1147 (office)
>> >> 305-321-6232 (cell)
>> >>
>> >
>>
> INMAA-TDL-MIITS-PIX# sh run
> : Saved
> :
> PIX Version 6.3(4)
> interface ethernet0 100basetx
> interface ethernet1 100basetx
> interface ethernet2 auto
> interface ethernet2 vlan75 logical
> interface ethernet2 vlan114 logical
> interface ethernet2 vlan119 logical
> interface ethernet2 vlan689 logical
> interface ethernet3 auto
> interface ethernet3 vlan18 logical
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
> interface ethernet6 auto shutdown
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 VLANS security99
> nameif ethernet3 Server_LAN security6
> nameif ethernet4 intf4 security8
> nameif ethernet5 intf5 security10
> nameif ethernet6 intf6 security12
> nameif vlan75 MIITS-SUNCHEM security90
> nameif vlan114 MIITS-OAServer security40
> nameif vlan119 VIACOM-LAN security80
> nameif vlan689 GM-LAN security79
> nameif vlan18 VIACOM-SERVER security70
> enable password kmePnGUYNDyhyKcU encrypted
> passwd kmePnGUYNDyhyKcU encrypted
> hostname INMAA-TDL-MIITS-PIX
> domain-name pix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> object-group network grplan1
>
> pager lines 24
> logging on
> logging timestamp
> logging buffered notifications
> logging facility 19
>
> mtu outside 1500
> mtu inside 1500
> mtu VLANS 1500
> mtu Server_LAN 1500
> mtu intf4 1500
> mtu intf5 1500
> mtu intf6 1500
> ip address outside A.A.64.74 255.255.255.248
> ip address inside A.A.114.195 255.255.255.192
> no ip address VLANS
> no ip address Server_LAN
> no ip address intf4
> no ip address intf5
> no ip address intf6
> ip address MIITS-SUNCHEM 10.75.192.1 255.255.224.0
> ip address MIITS-OAServer 192.168.99.1 255.255.255.0
> ip address VIACOM-LAN 172.18.3.1 255.255.255.0
> ip address GM-LAN 192.168.97.1 255.255.255.128
> ip address VIACOM-SERVER A.A.110.1 255.255.255.192
> ip audit info action alarm
> ip audit attack action alarm
> failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside A.A.64.78
> failover ip address inside A.A.114.194
> no failover ip address VLANS
> no failover ip address Server_LAN
> no failover ip address intf4
> no failover ip address intf5
> no failover ip address intf6
> failover ip address MIITS-SUNCHEM 10.75.192.252
> failover ip address MIITS-OAServer 192.168.99.252
> failover ip address VIACOM-LAN 172.18.3.252
> failover ip address GM-LAN 192.168.97.2
> failover ip address VIACOM-SERVER A.A.110.62
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 A.A.114.192 255.255.255.192 0 0
> nat (MIITS-SUNCHEM) 1 access-list intra_nat 0 0
> nat (MIITS-SUNCHEM) 0 10.75.192.0 255.255.224.0 0 0
> nat (VIACOM-LAN) 1 access-list intra_nat 0 0
> nat (VIACOM-LAN) 0 172.18.3.0 255.255.255.0 0 0
> nat (GM-LAN) 1 access-list intra_nat 0 0
> nat (GM-LAN) 0 192.168.97.0 255.255.255.128 0 0
> nat (VIACOM-SERVER) 1 access-list intra_nat 0 0
> nat (VIACOM-SERVER) 0 A.A.110.0 255.255.255.192 0 0
> static (VIACOM-SERVER,outside) A.A.110.18 A.A.110.18 netmask 255.255.255.255 0 0
> static (VIACOM-SERVER,outside) A.A.110.17 A.A.110.17 netmask 255.255.255.255 0 0
> static (MIITS-SUNCHEM,VIACOM-LAN) 10.75.192.20 10.75.192.20 netmask 255.255.255.255 0 0
> static (VIACOM-SERVER,outside) A.A.110.25 A.A.110.25 netmask 255.255.255.255 0 0
> static (VIACOM-SERVER,outside) A.A.110.26 A.A.110.26 netmask 255.255.255.255 0 0
> static (MIITS-SUNCHEM,GM-LAN) 10.75.192.20 10.75.192.20 netmask 255.255.255.255 0 0
> static (VIACOM-SERVER,GM-LAN) A.A.110.0 A.A.110.0 netmask 255.255.255.192 0 0
> static (VIACOM-SERVER,outside) A.A.110.0 A.A.110.0 netmask 255.255.255.192 0 0
> static (MIITS-OAServer,outside) A.A.64.77 192.168.99.2 netmask 255.255.255.255 0 0
> static (inside,outside) A.A.114.202 A.A.114.202 netmask 255.255.255.255 0 0
> static (inside,MIITS-SUNCHEM) 10.75.192.30 10.75.192.30 netmask 255.255.255.255 0 0
> static (inside,MIITS-SUNCHEM) A.A.114.200 A.A.114.200 netmask 255.255.255.255 0 0
> access-group miits_out in interface outside
> access-group miits_in in interface inside
> access-group miits_sunchem in interface MIITS-SUNCHEM
> access-group servicedesk_out in interface VIACOM-LAN
> access-group gm_out in interface GM-LAN
> access-group viacomserv_out in interface VIACOM-SERVER
> route outside 0.0.0.0 0.0.0.0 A.A.64.73 1
> route outside 10.0.0.0 255.0.0.0 A.A.64.73 1
> route outside 128.107.0.0 255.255.0.0 A.A.64.73 1
> route outside 128.110.0.0 255.255.0.0 A.A.64.73 1
> route outside 172.21.0.0 255.255.0.0 A.A.64.73 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authentication telnet console LOCAL
> aaa authentication enable console LOCAL
> no snmp-server location
> no snmp-server contact
> snmp-server community
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set trset esp-des esp-md5-hmac
> crypto ipsec transform-set gmvashi esp-3des esp-md5-hmac
> crypto ipsec transform-set dr-mgmt esp-3des esp-md5-hmac
> crypto ipsec transform-set gmrva esp-3des esp-md5-hmac
> crypto map crymap 1 ipsec-isakmp
> crypto map crymap 1 match address viacom-ipsec
> crypto map crymap 1 set peer .235.141
> crypto map crymap 1 set transform-set trset
> crypto map crymap 2 ipsec-isakmp
> crypto map crymap 2 match address gm-vashi-ipsec
> crypto map crymap 2 set peer A.A.24.195
> crypto map crymap 2 set transform-set gmvashi
> crypto map crymap 3 ipsec-isakmp
> crypto map crymap 3 match address dr-mgmt-ipsec
> crypto map crymap 3 set peer .5.205
> crypto map crymap 3 set transform-set dr-mgmt
> crypto map crymap 4 ipsec-isakmp
> crypto map crymap 4 match address gmripsec
> crypto map crymap 4 set peer .29.146
> crypto map crymap 4 set transform-set gmrva
> crypto map crymap interface outside
> isakmp enable outside
> isakmp key ******** address .235.141 netmask 255.255.255.255
> isakmp key ******** address A.A.24.195 netmask 255.255.255.255
> isakmp key ******** address .5.205 netmask 255.255.255.255
> isakmp key ******** address .29.146 netmask 255.255.255.255
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 1
> isakmp policy 1 lifetime 86400
> isakmp policy 2 authentication pre-share
> isakmp policy 2 encryption 3des
> isakmp policy 2 hash md5
> isakmp policy 2 group 2
> isakmp policy 2 lifetime 86400
> telnet A.A.114.192 255.255.255.192 inside
> telnet 10.75.192.0 255.255.224.0 MIITS-SUNCHEM
> telnet 192.168.99.2 255.255.255.255 MIITS-OAServer
> telnet 192.168.97.0 255.255.255.128 GM-LAN
> telnet timeout 3
> ssh A.A.111.250 255.255.255.255 outside
> ssh timeout 10
> console timeout 0
> dhcprelay server 192.168.99.2 MIITS-OAServer
> dhcprelay enable inside
> dhcprelay enable MIITS-SUNCHEM
> dhcprelay enable VIACOM-LAN
> dhcprelay enable GM-LAN
> username partha_s password zdr9SRpu6vmh0PLq encrypted privilege 15
> username srinivasan_v password BN8kesEvEhELYBKH encrypted privilege 15
> username lnarayanan_p password Z7ybOCOVcOEG0OsW encrypted privilege 15
> username mohamed_n password LmEgjp4aVj.y6i3a encrypted privilege 15
> username zhuhair_i password 3V2TCjO3u0dZLViA encrypted privilege 15
> username back_app password 8Sbfi5ITT2yqDdoT encrypted privilege 15
> username vengada_subbu password i9o//ouW9FWBg78D encrypted privilege 15
>
> terminal width 80
> banner motd +---------------------------------------------------------------+
> banner motd | This system is for the use of authorized users only.          |
> banner motd |Individuals using this system without authority or in excess   |
> banner motd |of their authority, are subject to having all of the activities|
> banner motd |on this system monitored and recorded by system personnel.     |
> banner motd |                                                               |
> banner motd | In the course of monitoring individuals improperly using      |
> banner motd |system, or in the course of system maintenance, the activities |
> banner motd |of authorized users may also be monitored.                     |
> banner motd |                                                               |
> banner motd | Anyone using this system expressly consents to such           |
> banner motd |monitoring and is advised if such monitoring reveals possible  |
> banner motd |evidence of criminal activity, system personnel may provide    |
> banner motd |the evidence to law enforcement officials.                     |
> banner motd +---------------------------------------------------------------+
>
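Added example, not from any post in this thread. The posted configuration has `aaa authentication telnet console LOCAL` and `aaa authentication enable console LOCAL`, so users are identified and land at the privilege level of their `username` entry, but it has no `aaa authorization command LOCAL`. Without that line the `privilege` table is never consulted and every user in enable mode can run every command, which is the "no restriction" and "a level 2 user can delete other users" behaviour described above. The fragment below is a PIX 6.3-style configuration for a read-only operator; the username `ops_ro`, level 5, the placeholder passwords and the `!` annotation lines are assumptions for illustration. Two caveats a practitioner would want: the `privilege` command is keyed on the first keyword of the command, so `command crypto` exposes every `show crypto ...` subcommand and cannot single out `show crypto isakmp sa`; and command authorization should be enabled from the console after confirming a privilege 15 username already exists (the posted config has seven), because a mistake here locks out telnet and ssh sessions.

```cisco
! Added example, not from the thread. ops_ro, level 5 and the passwords are
! placeholders; the "!" lines are annotations, not configuration.
!
! Read-only operator at level 5, plus an enable password for that level
username ops_ro password Ch4ngeMe-ro privilege 5
enable password Ch4ngeMe-en5 level 5
!
! Lower only the two show commands to level 5. The privilege command is
! keyed on the first keyword, so "crypto" covers every "show crypto ..."
! subcommand; everything else stays at its default (mostly level 15).
privilege show level 5 command crypto
privilege show level 5 command interface
!
! Authentication is already in the posted config; authorization is the
! line it is missing. Without it the privilege table is never checked.
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! Checks, as a privilege 15 admin:
!   show privilege level 5          only the two "show" entries should appear
!   show privilege command crypto   confirms the "show" form is at level 5
!
! Checks, logged in as ops_ro after "enable" (PIX prompts for username and
! password and uses the privilege level from the username entry):
!   show curpriv                    reports the current privilege level, 5
!   show crypto isakmp sa           allowed
!   show interface                  allowed
!   configure terminal              refused by command authorization
!   write memory                    refused
!   show running-config             refused (level 15 by default)
```

The seven existing privilege 15 accounts are unaffected: command authorization only restricts users whose level is below the level of the command they try. Because the box is a failover pair, confirm the same lines are present on the standby before relying on them.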



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3