Howto: Create a limited user account on a Cisco Pix Firewall

This is a snippet for the Cisco Pix firewall that creates a 'limited user' account on the firewall itself. That user has access to all 'show' diagnostic commands, as well as the ability to clear the error/usage counters on interfaces and to ping other devices.

This configuration does the following things:

Here is the snippet:

aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authorization command LOCAL

username enable_15 password [PUT YOUR ENABLE PASSWORD HERE] privilege 15
username show password [PUT YOUR SHOW PASSWORD HERE] privilege 5
privilege show level 5 command aaa
privilege show level 5 command aaa-server
privilege show level 5 command access-group
privilege show level 5 command access-list
privilege show level 5 command activation-key 
privilege show level 5 command age
privilege show level 5 command alias
privilege show level 5 command apply
privilege show level 5 command arp
privilege show level 5 command auth-prompt
privilege show level 5 command auto-update
privilege show level 5 command banner
privilege show level 5 command blocks
privilege show level 5 command ca
privilege show level 5 command capture
privilege show level 5 command chunkstat
privilege show level 5 command clock
privilege show level 5 command conduit
privilege show level 5 command conn
privilege show level 5 command console
privilege show level 5 command cpu
privilege show level 5 command crashinfo
privilege show level 5 command crypto
privilege show level 5 command ctiqbe
privilege show level 5 command debug
privilege show level 5 command dhcpd
privilege show level 5 command dhcprelay
privilege show level 5 command domain-name
privilege show level 5 command dynamic-map
privilege show level 5 command eeprom
privilege show level 5 command established
privilege show level 5 command failover
privilege show level 5 command filter
privilege show level 5 command fixup
privilege show level 5 command flashfs
privilege show level 5 command fragment
privilege show level 5 command global
privilege show level 5 command h225
privilege show level 5 command h245
privilege show level 5 command h323-ras
privilege show level 5 command http
privilege show level 5 command icmp
privilege show level 5 command interface
privilege show level 5 command ip
privilege show level 5 command ipsec
privilege show level 5 command isakmp
privilege show level 5 command local-host
privilege show level 5 command mac-list
privilege show level 5 command map
privilege show level 5 command memory
privilege show level 5 command mgcp
privilege show level 5 command management-access
privilege show level 5 command mroute
privilege show level 5 command mtu
privilege show level 5 command multicast
privilege show level 5 command name
privilege show level 5 command nameif
privilege show level 5 command names
privilege show level 5 command nat
privilege show level 5 command ntp
privilege show level 5 command object-group
privilege show level 5 command outbound
privilege show level 5 command passwd
privilege show level 5 command pdm
privilege show level 5 command prefix-list
privilege show level 5 command privilege
privilege show level 5 command processes
privilege show level 5 command rip
privilege show level 5 command route
privilege show level 5 command route-map
privilege show level 5 command router
privilege show level 5 command routing
privilege show level 5 command running-config
privilege show level 5 command service
privilege show level 5 command shun
privilege show level 5 command sip
privilege show level 5 command skinny
privilege show level 5 command snmp-server
privilege show level 5 command ssh
privilege show level 5 command startup-config
privilege show level 5 command static
privilege show level 5 command sysopt
privilege show level 5 command tcpstat
privilege show level 5 command tech-support
privilege show level 5 command telnet
privilege show level 5 command terminal
privilege show level 5 command tftp-server
privilege show level 5 command timeout
privilege show level 5 command traffic
privilege show level 5 command uauth
privilege show level 5 command url-cache
privilege show level 5 command url-block
privilege show level 5 command url-server
privilege show level 5 command username
privilege show level 5 command virtual
privilege show level 5 command vpdn
privilege show level 5 command vpnclient
privilege show level 5 command vpngroup
privilege show level 5 command who
privilege show level 5 command xlate
privilege configure level 5 command ping
privilege clear level 5 command interface
privilege configure level 5 command disable
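As an added audit example (not code from the original page), this Python script parses the `username ... privilege N` and `privilege <mode> level N command <cmd>` lines of a PIX configuration, works out which commands each local user can run (a user at level N gets every command assigned to level N or lower, enforced only while `aaa authorization command LOCAL` is present), and flags show commands such as `running-config` and `tech-support` whose output reveals the whole configuration or stored credentials. The sample configuration and its placeholder password fields are constructed for the example.

```python
import re

# Constructed excerpt modelled on the page's snippet; password fields are placeholders.
SAMPLE_CONFIG = """
aaa authorization command LOCAL
username enable_15 password ENABLE_HASH privilege 15
username show password SHOW_HASH privilege 5
username guest password GUEST_HASH privilege 1
privilege show level 5 command interface
privilege show level 5 command running-config
privilege show level 5 command tech-support
privilege configure level 5 command ping
privilege clear level 5 command interface
"""
# 'show' commands whose output includes the whole configuration or stored credential
# material; granting them to a low-level account weakens its "diagnostics only" intent.
SECRET_REVEALING = {"running-config", "startup-config", "tech-support", "passwd", "username"}
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+command\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+.+\s+privilege\s+(\d+)$")

def parse_config(text):
    """Return ({user: level}, [(mode, level, command)]) from PIX config lines."""
    users, grants = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := USER_RE.match(line):       # tolerates the 'encrypted' keyword in a saved config
            users[m.group(1)] = int(m.group(2))
        elif m := PRIV_RE.match(line):
            grants.append((m.group(1), int(m.group(2)), m.group(3).lower()))
    return users, grants

def authorization_enabled(text):
    """Per-command levels are enforced only when LOCAL command authorization is on."""
    return any(l.strip() == "aaa authorization command LOCAL" for l in text.splitlines())

def effective_commands(user, users, grants):
    """(mode, command) pairs a user may run: every grant at or below the user's level."""
    return {(mode, cmd) for mode, lvl, cmd in grants if lvl <= users[user]}

def secret_exposures(user, users, grants):
    """Sorted 'show' commands available to `user` that reveal config or credentials."""
    return sorted(cmd for mode, cmd in effective_commands(user, users, grants)
                  if mode == "show" and cmd in SECRET_REVEALING)

def audit(text):
    """Map each local user to the secret-revealing show commands it can run."""
    users, grants = parse_config(text)
    return {u: secret_exposures(u, users, grants) for u in users}
```

Run `audit()` over a saved running-config to see which low-privilege accounts can read back the configuration; dropping `running-config`, `startup-config` and `tech-support` from the level-5 grants keeps the account to true diagnostics.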


Download this snippet (plain text) here.