Privilege level for Cisco ASA

For authenticated scanning of Cisco ASA devices you'll need to provide a user account with privilege level 15 (recommended). An account with a lower privilege level also works, as long as that account has been configured so that it can execute all of the commands required for scanning these devices.

Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.

For compliance scanning - this high level of privileges is required for the scan to be successful.

For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco ASA is QID 45245 "Cisco ASA Device Configurations Detected".

Commands required for scanning

show running-config all
show logging
show clock detail
show version
show crypto key mypubkey rsa
show snmp user
show snmp group
show software authenticity running
show interface ip brief

Note - Apart from "show version" and "show running-config all", the commands listed above may not return any output, depending on the customer configuration. The compliance scan will fail if "show running-config all" returns no output.

How to provide access to a target

By default, only privilege level 15 can run the command "show running-config all" on Cisco ASA, which means that our compliance scan can only be run using privilege level 15 unless you change this. However, you can configure privilege levels for different users to grant different types of access. We require a user account that can run all of the commands required for scanning listed above.

Here's an example of how you can give access to a user with privilege level 14.

Note that the command "show running-config all" is executed successfully for the user with privilege level 15, but an Error appears for a user with privilege level 14 since the command is not supported for the lower privilege level.


As shown, only privilege level 15 users can execute "show running-config all".


Give access to the privilege level 14 user by using the following command.


Now compare the output of the command "show running-config all" for both users and you'll see that it's successful at both privilege levels. Note - The output you get on your targets may differ due to different versions and configurations.
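Before handing a lower-privilege account to the scanner, it helps to confirm that it can run every command in the list above and that the two commands which must never be empty actually return output. The following pre-flight check is an added example and not part of this documentation or the scanner itself: it takes the captured output of each required command (constructed sample text here, no live device) and reports what would make the compliance scan fail. The "Command authorization failed" marker is assumed to be the ASA's response to a command the privilege level does not permit; adjust it if your version words it differently.

```python
"""Pre-flight check for a Cisco ASA scanning account (added example)."""

# The commands the scanner needs, as listed in the documentation above.
REQUIRED_COMMANDS = [
    "show running-config all",
    "show logging",
    "show clock detail",
    "show version",
    "show crypto key mypubkey rsa",
    "show snmp user",
    "show snmp group",
    "show software authenticity running",
    "show interface ip brief",
]

# These two must return output regardless of the device configuration;
# the others may legitimately be empty (e.g. no SNMP users defined).
MUST_HAVE_OUTPUT = {"show version", "show running-config all"}

# Assumption: strings the ASA prints when a command is rejected for the
# account's privilege level. Extend this tuple for other ASA versions.
AUTHZ_FAILURE_MARKERS = ("Command authorization failed",)


def check_scan_readiness(outputs):
    """Map each failing command to a reason; an empty dict means ready.

    `outputs` maps command string -> raw text captured from the device.
    """
    problems = {}
    for cmd in REQUIRED_COMMANDS:
        text = outputs.get(cmd)
        if text is None:
            problems[cmd] = "not executed"
        elif any(marker in text for marker in AUTHZ_FAILURE_MARKERS):
            problems[cmd] = "not authorized at this privilege level"
        elif cmd in MUST_HAVE_OUTPUT and not text.strip():
            problems[cmd] = "no output; compliance scan would fail"
    return problems


# Constructed sample: a privilege level 14 account before the privilege
# command from the walkthrough above has been applied.
LEVEL14_BEFORE = {cmd: "<sample output>\n" for cmd in REQUIRED_COMMANDS}
LEVEL14_BEFORE["show running-config all"] = "Command authorization failed\n"

# Constructed sample: the same account after access has been granted.
LEVEL14_AFTER = dict(LEVEL14_BEFORE)
LEVEL14_AFTER["show running-config all"] = ": Saved\n:\nASA Version <version>\n"

if __name__ == "__main__":
    for label, captured in (("before", LEVEL14_BEFORE), ("after", LEVEL14_AFTER)):
        print(label, check_scan_readiness(captured) or "ready for scanning")
```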