SimplyNerdy
asked on
Configure ASA to only allow administration from specific hosts
Short and sweet: We have an ASA that we want to limit the ability to access from other devices. We don't want anyone to be able to access the ASDM or the CLI from the interface leading to the external router, we do want them to be able to access the ASDM and CLI from the interface leading into the internal network.
If I had a lab firewall, I'd play around with it till I got it, but all we have is the production firewall and I don't want to risk shutting down the entire datacenter because I told the ASA to not accept traffic from the router.
If I had a lab firewall, I'd play around with it till I got it, but all we have is the production firewall and I don't want to risk shutting down the entire datacenter because I told the ASA to not accept traffic from the router.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
HTTP - This allows HTTPS connections on port TCP/443 to access the ASA - so this covers ASDM. SSH allows access on port TCP/22
IP and Subnet - This is the subnet you want to allow access, or host by simply changing the subnet, for example
192.168.1.0 255.255.255.0 gives all of the 192.168.1.0 - 254
192.168.1.1 255.255.255.255 gives the one host 192.168.1.1 access
Inteface - this is the name of the interface you will be accessing the ASA from, so if you use the management interfaces, specify the management interface name you can do this by looking in the config at the "nameif" field of the interface configuration.
So in full
<service> <ip address> <mask> <nameif>