Re: OT:PIX read only user addition

From: Godswill Oletu (oletu@inbox.lv)
Date: Tue Sep 20 2005 - 04:04:06 GMT-3


Try these if you have a problem reaching privileged (enable) mode on the PIX
firewall, which is where the permitted commands have to be issued:

privilege show level 7 mode enable command crypto isa sa
privilege show level 7 mode enable command interface

HTH
Godswill Oletu

----- Original Message -----
From: "Godswill Oletu" <oletu@inbox.lv>
To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 2:55 AM
Subject: Re: OT:PIX read only user addition

> Try...
>
> username admin1 password cisco1 privilege 7
> username admin2 password cisco2 privilege 7
> ...
> ...
> username admin7 password cisco7 privilege 7
> privilege show level 7 command crypto isa sa
> privilege show level 7 command interface
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sysmgmt.htm#xtocid2
>
> HTH
>
>
>
> ----- Original Message -----
> From: "Mohamed.N" <mohamed_n@sifycorp.com>
> To: <ccielab@groupstudy.com>
> Sent: Tuesday, September 20, 2005 2:39 AM
> Subject: Re: OT:PIX read only user addition
>
>
>> I am not using TACACS, I am doing it locally.
>> I have attached the configs, please help me.
>> I have removed the ACLs and some other unwanted commands for simplicity.
>>
>> I have some 6 or 7 users, who are administrators. They will log in using
>> their username and password, locally and not TACACS/RADIUS.
>>
>> I want to create a user who should be able to do only these commands
>>
>> show crypto isa sa
>> show interface
>>
>> I don't want that user to go to config mode, to save the config or any
>> other critical thing that could bring the firewall down.
>>
>> Thanks a lot
>> Mohamed.
>>
>> ----- Original Message -----
>> From: "Todd Veillette" <tveillette@myeastern.com>
>> To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
>> Sent: Tuesday, September 20, 2005 8:04 AM
>> Subject: Re: OT:PIX read only user addition
>>
>>
>>> Do you have TACACS+ or are you doing this all locally? You need to have
>>> authorization set up for the 15 and the 2 users.
>>>
>>> -TV
>>>
>>> ----- Original Message -----
>>> From: "Mohamed.N" <mohamed_n@sifycorp.com>
>>> To: <ccielab@groupstudy.com>
>>> Sent: Monday, September 19, 2005 8:35 AM
>>> Subject: Re: OT:PIX read only user addition
>>>
>>>
>>> > Hi John,
>>> > I already tried with that page,
>>> > I am not getting the desired results.
>>> > If I configure a user in level 2, most of the commands are
>>> > accessible. Even a level 2 user can delete other users in a higher level.
>>> > This is not exactly what I want.
>>> > I want the user to see the output of only 2 commands.
>>> > The user should not be able to go to configure mode, should not be able
>>> > to save the configs etc.
>>> >
>>> > In a router, we can type "enable 2", but in PIX it is not accepting; it
>>> > says once an AAA server is configured, we can't use enable 2!!!
>>> >
>>> > Regards
>>> > Mohamed
>>> > ----- Original Message -----
>>> > From: "john matijevic" <john.matijevic@gmail.com>
>>> > To: "Mohamed.N" <mohamed_n@sifycorp.com>
>>> > Cc: <ccielab@groupstudy.com>
>>> > Sent: Monday, September 19, 2005 4:06 PM
>>> > Subject: Re: OT:PIX read only user addition
>>> >
>>> >
>>> >> Hello Mohamed,
>>> >> I gather the following information off of Cisco web site:
>>> >> Understanding Privilege Settings
>>> >>
>>> >> Most commands in the PIX are at level 15, although a few are at level 0.
>>> >> To show current settings for all commands, issue the following command.
>>> >>
>>> >> *show privilege all*
>>> >>
>>> >> Most commands are at level 15 by default, as shown in the following example.
>>> >>
>>> >> *privilege configure level 15 command route*
>>> >>
>>> >> A few are at level 0, as shown in the following example.
>>> >>
>>> >> *privilege show level 0 command curpriv*
>>> >>
>>> >> The following examples address the *clock* command. To determine the current
>>> >> settings for the *clock* command, issue the following command.
>>> >>
>>> >> *show privilege command clock*
>>> >>
>>> >> The output of the *show privilege command clock* command shows us the *clock*
>>> >> command exists in the following three forms.
>>> >>
>>> >> !--- Users at level 15 can issue the show clock command.
>>> >> privilege show level 15 command clock
>>> >> !--- Users at level 15 can issue the clear clock command.
>>> >> privilege clear level 15 command clock
>>> >> !--- Users at level 15 can configure the clock
>>> >> !--- (for example, clock set 12:00:00 Jan 01 2001).
>>> >> privilege configure level 15 command clock
>>> >>
>>> >> See the following link for additional details:
>>> >>
>>> >> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
>>> >> Sincerely,
>>> >> John
>>> >>
>>> >>
>>> >> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
>>> >> >
>>> >> > Hi All,
>>> >> > Sorry for OT. But I spent a lot of time on this.
>>> >> > I want to add a user in PIX who can do only these 2 commands
>>> >> > show crypto isakmp sa
>>> >> > show interface
>>> >> > This user should not save the config, go to config mode or be able to
>>> >> > do any config changes.
>>> >> >
>>> >> > I tried searching many pages.
>>> >> > I tried using these commands
>>> >> >
>>> >> > enable password XXXX level 2
>>> >> > username user pass XXXX priv 2
>>> >> > privilege show level 2 command crypto
>>> >> > privilege show level 2 command interface
>>> >> >
>>> >> > But there is no restriction. If I choose level 1 or 0, I am unable to
>>> >> > go to enable mode at all, so I can't use the commands show crypto.
>>> >> >
>>> >> > Also I want to know what the difference is between level 1, level 2
>>> >> > and so on, and what significance it has in controlling access to the PIX?
>>> >> >
>>> >> >
>>> >> > Regards
>>> >> > N Mohamed
>>> >> > Senior Network Engineer
>>> >> > Technology-MIITS
>>> >> > Sify Ltd
>>> >> > Phone : +91-44-22540777 extn: 2082
>>> >> > Mobile : +91-98401-27734
>>> >> > Email : mohamed_n@sifycorp.com
>>> >> >
>>> >> >
>> _______________________________________________________________________
>>> >> > Subscription information may be found at:
>>> >> > http://www.groupstudy.com/list/CCIELab.html
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> John Matijevic, CCIE #13254
>>> >> U.S. Installation Group
>>> >> Senior Network Engineer
>>> >> 954-969-7160 ext. 1147 (office)
>>> >> 305-321-6232 (cell)
>>> >>
>>> >
>>>
>> INMAA-TDL-MIITS-PIX# sh run
>> : Saved
>> :
>> PIX Version 6.3(4)
>> interface ethernet0 100basetx
>> interface ethernet1 100basetx
>> interface ethernet2 auto
>> interface ethernet2 vlan75 logical
>> interface ethernet2 vlan114 logical
>> interface ethernet2 vlan119 logical
>> interface ethernet2 vlan689 logical
>> interface ethernet3 auto
>> interface ethernet3 vlan18 logical
>> interface ethernet4 auto shutdown
>> interface ethernet5 auto shutdown
>> interface ethernet6 auto shutdown
>> nameif ethernet0 outside security0
>> nameif ethernet1 inside security100
>> nameif ethernet2 VLANS security99
>> nameif ethernet3 Server_LAN security6
>> nameif ethernet4 intf4 security8
>> nameif ethernet5 intf5 security10
>> nameif ethernet6 intf6 security12
>> nameif vlan75 MIITS-SUNCHEM security90
>> nameif vlan114 MIITS-OAServer security40
>> nameif vlan119 VIACOM-LAN security80
>> nameif vlan689 GM-LAN security79
>> nameif vlan18 VIACOM-SERVER security70
>> enable password kmePnGUYNDyhyKcU encrypted
>> passwd kmePnGUYNDyhyKcU encrypted
>> hostname INMAA-TDL-MIITS-PIX
>> domain-name pix.com
>> fixup protocol dns maximum-length 512
>> fixup protocol ftp 21
>> fixup protocol h323 h225 1720
>> fixup protocol h323 ras 1718-1719
>> fixup protocol http 80
>> fixup protocol rsh 514
>> fixup protocol rtsp 554
>> fixup protocol sip 5060
>> fixup protocol sip udp 5060
>> fixup protocol skinny 2000
>> fixup protocol smtp 25
>> fixup protocol sqlnet 1521
>> fixup protocol tftp 69
>> names
>> object-group network grplan1
>>
>> pager lines 24
>> logging on
>> logging timestamp
>> logging buffered notifications
>> logging facility 19
>>
>> mtu outside 1500
>> mtu inside 1500
>> mtu VLANS 1500
>> mtu Server_LAN 1500
>> mtu intf4 1500
>> mtu intf5 1500
>> mtu intf6 1500
>> ip address outside A.A.64.74 255.255.255.248
>> ip address inside A.A.114.195 255.255.255.192
>> no ip address VLANS
>> no ip address Server_LAN
>> no ip address intf4
>> no ip address intf5
>> no ip address intf6
>> ip address MIITS-SUNCHEM 10.75.192.1 255.255.224.0
>> ip address MIITS-OAServer 192.168.99.1 255.255.255.0
>> ip address VIACOM-LAN 172.18.3.1 255.255.255.0
>> ip address GM-LAN 192.168.97.1 255.255.255.128
>> ip address VIACOM-SERVER A.A.110.1 255.255.255.192
>> ip audit info action alarm
>> ip audit attack action alarm
>> failover
>> failover timeout 0:00:00
>> failover poll 15
>> failover ip address outside A.A.64.78
>> failover ip address inside A.A.114.194
>> no failover ip address VLANS
>> no failover ip address Server_LAN
>> no failover ip address intf4
>> no failover ip address intf5
>> no failover ip address intf6
>> failover ip address MIITS-SUNCHEM 10.75.192.252
>> failover ip address MIITS-OAServer 192.168.99.252
>> failover ip address VIACOM-LAN 172.18.3.252
>> failover ip address GM-LAN 192.168.97.2
>> failover ip address VIACOM-SERVER A.A.110.62
>> pdm history enable
>> arp timeout 14400
>> global (outside) 1 interface
>> nat (inside) 0 A.A.114.192 255.255.255.192 0 0
>> nat (MIITS-SUNCHEM) 1 access-list intra_nat 0 0
>> nat (MIITS-SUNCHEM) 0 10.75.192.0 255.255.224.0 0 0
>> nat (VIACOM-LAN) 1 access-list intra_nat 0 0
>> nat (VIACOM-LAN) 0 172.18.3.0 255.255.255.0 0 0
>> nat (GM-LAN) 1 access-list intra_nat 0 0
>> nat (GM-LAN) 0 192.168.97.0 255.255.255.128 0 0
>> nat (VIACOM-SERVER) 1 access-list intra_nat 0 0
>> nat (VIACOM-SERVER) 0 A.A.110.0 255.255.255.192 0 0
>> static (VIACOM-SERVER,outside) A.A.110.18 A.A.110.18 netmask 255.255.255.255 0 0
>> static (VIACOM-SERVER,outside) A.A.110.17 A.A.110.17 netmask 255.255.255.255 0 0
>> static (MIITS-SUNCHEM,VIACOM-LAN) 10.75.192.20 10.75.192.20 netmask 255.255.255.255 0 0
>> static (VIACOM-SERVER,outside) A.A.110.25 A.A.110.25 netmask 255.255.255.255 0 0
>> static (VIACOM-SERVER,outside) A.A.110.26 A.A.110.26 netmask 255.255.255.255 0 0
>> static (MIITS-SUNCHEM,GM-LAN) 10.75.192.20 10.75.192.20 netmask 255.255.255.255 0 0
>> static (VIACOM-SERVER,GM-LAN) A.A.110.0 A.A.110.0 netmask 255.255.255.192 0 0
>> static (VIACOM-SERVER,outside) A.A.110.0 A.A.110.0 netmask 255.255.255.192 0 0
>> static (MIITS-OAServer,outside) A.A.64.77 192.168.99.2 netmask 255.255.255.255 0 0
>> static (inside,outside) A.A.114.202 A.A.114.202 netmask 255.255.255.255 0 0
>> static (inside,MIITS-SUNCHEM) 10.75.192.30 10.75.192.30 netmask 255.255.255.255 0 0
>> static (inside,MIITS-SUNCHEM) A.A.114.200 A.A.114.200 netmask 255.255.255.255 0 0
>> access-group miits_out in interface outside
>> access-group miits_in in interface inside
>> access-group miits_sunchem in interface MIITS-SUNCHEM
>> access-group servicedesk_out in interface VIACOM-LAN
>> access-group gm_out in interface GM-LAN
>> access-group viacomserv_out in interface VIACOM-SERVER
>> route outside 0.0.0.0 0.0.0.0 A.A.64.73 1
>> route outside 10.0.0.0 255.0.0.0 A.A.64.73 1
>> route outside 128.107.0.0 255.255.0.0 A.A.64.73 1
>> route outside 128.110.0.0 255.255.0.0 A.A.64.73 1
>> route outside 172.21.0.0 255.255.0.0 A.A.64.73 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
>> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>> timeout uauth 0:05:00 absolute
>> aaa-server TACACS+ protocol tacacs+
>> aaa-server TACACS+ max-failed-attempts 3
>> aaa-server TACACS+ deadtime 10
>> aaa-server RADIUS protocol radius
>> aaa-server RADIUS max-failed-attempts 3
>> aaa-server RADIUS deadtime 10
>> aaa-server LOCAL protocol local
>> aaa authentication telnet console LOCAL
>> aaa authentication enable console LOCAL
>> no snmp-server location
>> no snmp-server contact
>> snmp-server community
>> no snmp-server enable traps
>> floodguard enable
>> sysopt connection permit-ipsec
>> crypto ipsec transform-set trset esp-des esp-md5-hmac
>> crypto ipsec transform-set gmvashi esp-3des esp-md5-hmac
>> crypto ipsec transform-set dr-mgmt esp-3des esp-md5-hmac
>> crypto ipsec transform-set gmrva esp-3des esp-md5-hmac
>> crypto map crymap 1 ipsec-isakmp
>> crypto map crymap 1 match address viacom-ipsec
>> crypto map crymap 1 set peer .235.141
>> crypto map crymap 1 set transform-set trset
>> crypto map crymap 2 ipsec-isakmp
>> crypto map crymap 2 match address gm-vashi-ipsec
>> crypto map crymap 2 set peer A.A.24.195
>> crypto map crymap 2 set transform-set gmvashi
>> crypto map crymap 3 ipsec-isakmp
>> crypto map crymap 3 match address dr-mgmt-ipsec
>> crypto map crymap 3 set peer .5.205
>> crypto map crymap 3 set transform-set dr-mgmt
>> crypto map crymap 4 ipsec-isakmp
>> crypto map crymap 4 match address gmripsec
>> crypto map crymap 4 set peer .29.146
>> crypto map crymap 4 set transform-set gmrva
>> crypto map crymap interface outside
>> isakmp enable outside
>> isakmp key ******** address .235.141 netmask 255.255.255.255
>> isakmp key ******** address A.A.24.195 netmask 255.255.255.255
>> isakmp key ******** address .5.205 netmask 255.255.255.255
>> isakmp key ******** address .29.146 netmask 255.255.255.255
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption 3des
>> isakmp policy 1 hash md5
>> isakmp policy 1 group 1
>> isakmp policy 1 lifetime 86400
>> isakmp policy 2 authentication pre-share
>> isakmp policy 2 encryption 3des
>> isakmp policy 2 hash md5
>> isakmp policy 2 group 2
>> isakmp policy 2 lifetime 86400
>> telnet A.A.114.192 255.255.255.192 inside
>> telnet 10.75.192.0 255.255.224.0 MIITS-SUNCHEM
>> telnet 192.168.99.2 255.255.255.255 MIITS-OAServer
>> telnet 192.168.97.0 255.255.255.128 GM-LAN
>> telnet timeout 3
>> ssh A.A.111.250 255.255.255.255 outside
>> ssh timeout 10
>> console timeout 0
>> dhcprelay server 192.168.99.2 MIITS-OAServer
>> dhcprelay enable inside
>> dhcprelay enable MIITS-SUNCHEM
>> dhcprelay enable VIACOM-LAN
>> dhcprelay enable GM-LAN
>> username partha_s password zdr9SRpu6vmh0PLq encrypted privilege 15
>> username srinivasan_v password BN8kesEvEhELYBKH encrypted privilege 15
>> username lnarayanan_p password Z7ybOCOVcOEG0OsW encrypted privilege 15
>> username mohamed_n password LmEgjp4aVj.y6i3a encrypted privilege 15
>> username zhuhair_i password 3V2TCjO3u0dZLViA encrypted privilege 15
>> username back_app password 8Sbfi5ITT2yqDdoT encrypted privilege 15
>> username vengada_subbu password i9o//ouW9FWBg78D encrypted privilege 15
>>
>> terminal width 80
>> banner motd +---------------------------------------------------------------+
>> banner motd | This system is for the use of authorized users only. |
>> banner motd |Individuals using this system without authority or in excess |
>> banner motd |of their authority, are subject to having all of the activities|
>> banner motd |on this system monitored and recorded by system personnel. |
>> banner motd | |
>> banner motd | In the course of monitoring individuals improperly using |
>> banner motd |system, or in the course of system maintenance, the activities |
>> banner motd |of authorized users may also be monitored. |
>> banner motd | |
>> banner motd | Anyone using this system expressly consents to such |
>> banner motd |monitoring and is advised if such monitoring reveals possible |
>> banner motd |evidence of criminal activity, system personnel may provide |
>> banner motd |the evidence to law enforcement officials. |
>> banner motd +---------------------------------------------------------------+
>>
>
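The thread's fix is to give the restricted account a low privilege level and lower only the two `show` commands to that level, while enable-mode authentication runs against the LOCAL database. The script below is an added example written for this archive, not code from any poster or from Cisco: it parses the `username ... privilege N` and `privilege show|clear|configure level N [mode enable] command ...` lines the thread uses and reports what a supposedly read-only user can actually reach, so the "level 2 user can delete other users" situation Mohamed describes shows up before the account is handed out. The sample configuration, the user name `readonly`, the placeholder hashes and the deliberately wrong `privilege configure level 7 command username` line are all constructed here; the assumptions that unlisted commands sit at level 15, that `show curpriv` sits at level 0, and that a command at level N is usable by every user at level N or above are taken from the Cisco text John quoted and from standard Cisco privilege semantics.

```python
"""Audit local privilege levels in a PIX 6.x configuration.

Added example for this thread, not the poster's or Cisco's code. It reads
the `username ... privilege N` and `privilege <mode> level N [mode ...]
command <cmd>` lines discussed above and lists what a read-only user can run.
"""
import re

# Thread (Cisco text quoted by John): most commands default to level 15, a few to 0.
DEFAULT_LEVEL = 15
# Present in Mohamed's posted config: enable-mode logins are checked per user locally.
ENABLE_AUTH_LINE = "aaa authentication enable console LOCAL"

USERNAME_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?\s+privilege\s+(\d+)$")
PRIVILEGE_RE = re.compile(
    r"^privilege\s+(show|clear|configure)\s+level\s+(\d+)"
    r"(?:\s+mode\s+(?:enable|configure))?\s+command\s+(.+?)$")

# Constructed sample in the thread's style. Hashes are placeholders, `readonly`
# is a hypothetical account, and the `privilege configure level 7 command
# username` line is a deliberate mistake the audit should catch: it would let
# a level-7 user edit the other local accounts.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
username partha_s password <hash-placeholder> encrypted privilege 15
username readonly password <hash-placeholder> encrypted privilege 7
privilege show level 7 mode enable command crypto isa sa
privilege show level 7 mode enable command interface
privilege configure level 7 command username
privilege show level 0 command curpriv
"""


def parse_config(text):
    """Return (users, grants).

    users  : username -> privilege level
    grants : (mode, command) -> level at which that command becomes usable
    Only explicit `privilege` lines are recorded; everything else is assumed
    to stay at DEFAULT_LEVEL, i.e. reachable by level-15 users only.
    """
    users, grants = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = PRIVILEGE_RE.match(line)
        if m:
            mode, level, cmd = m.groups()
            grants[(mode, cmd)] = int(level)
    return users, grants


def reachable(grants, level):
    """Explicitly assigned commands a user at `level` may run: a command placed
    at level N is usable by every user whose own level is N or higher."""
    return {key for key, lvl in grants.items() if lvl <= level}


def audit(text, readonly_user, allowed_show):
    """Findings for an account meant to be read-only: anything it can reach
    outside `allowed_show`, plus the two conditions the thread tripped over."""
    users, grants = parse_config(text)
    findings = []
    level = users.get(readonly_user)
    if level is None:
        return [f"{readonly_user}: no local username entry"]
    if level >= DEFAULT_LEVEL:
        findings.append(
            f"{readonly_user}: level {level} reaches every default (level 15) command")
    if ENABLE_AUTH_LINE not in [l.strip() for l in text.splitlines()]:
        findings.append(
            f"'{ENABLE_AUTH_LINE}' missing: enable is not authenticated per user")
    for mode, cmd in sorted(reachable(grants, level)):
        granted = grants[(mode, cmd)]
        if mode != "show":
            findings.append(
                f"{readonly_user} can run '{mode} ... {cmd}' (granted at level {granted})")
        elif cmd not in allowed_show:
            findings.append(
                f"{readonly_user} can run 'show {cmd}' (granted at level {granted})")
    return findings


if __name__ == "__main__":
    # `curpriv` is allowed because the quoted Cisco text places it at level 0.
    for finding in audit(SAMPLE_CONFIG, "readonly",
                         {"crypto isa sa", "interface", "curpriv"}):
        print(finding)
```

Run against the sample it prints a single finding, the `configure ... username` grant; drop the `aaa authentication enable console LOCAL` line and a second finding appears, which is the state Mohamed's first attempt (per-user level set, but enable still going to level 15) corresponds to. Feed it the output of `show run` from a real PIX and pass the real restricted account's name; commands the script never saw on a `privilege` line are simply not listed, because they remain at the level-15 default.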



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3