Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Cisco ASA privilege separation for a local user or read only user on ASA

Today I had the need to create a user in Cisco ASA firewall that would have read-only permissions and also could issue
only 2 commands: show run and show conn. Here is how to do it.

We talk here about user with local authentication (with TACACS it is much easier).
Just as in Cisco routers you assign specific command to some privilege level different from its default level , then create user with this privilege level :

1) Assign command to specific privilege level ( I pick here level 3 , but it may be any but 15):

ciscoASA(config)# privilege show level 3 mode exec command running-config
ciscoASA(config)# privilege show level 3 mode exec command conn

2) create username with privilege of the command you want him to give
ciscoASA(config)# username Joedoe password asdlgfuwe privilege 3

Now you have 2 options – create general enable password for this given level (3 here) ,so
any user after successful login can enter > enable 3 and enter it to get to level 3 enable
mode. Or , as I did here, not creating enable level 3 password at all and the user will have to enter its
privilege level using login command.
3) now user can connect by ssh (if allowed by Ip of course) :
#ssh Joedoe@
Joedoe@<enter user’s pass here>
ASA> login
Username: Joedoe
Password: **********
ciscoASA# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html" Cisco ASA Configuration Guide 8.0


  1. Doesn’t work for me. I did exactly the same as you, show curpriv show that the user is lvl 3 privilege, but against this, user can change the configuaration and save it.
    Hardvare ASA 5510, Image: asa821-k8

    pls help. I need read only access + show running-config


  2. Lucia – I think you also need to run
    aaa authorization command LOCAL

  3. Hi

    Yes I have also tried but it is not working. I can change te conf of the firewall even at priv level 3. Please let me know the correct solution

  4. I had the same problem but after entering “aaa authorization command LOCAL” as Rob suggested above and saving, it all worked.

  5. HI ,


    Please enter command :aaa authorization command LOCAL” after that it will work


Comments are closed.

© 2016 yurisk.info

Theme by Anders NorenUp ↑