Can't make PIX authenticate

Unanswered Question
Jan 8th, 2009

I'm trying to configure a Cisco Pix 506E. I've added a static translation rule for IP. Then I've added an access rule to the inside network over one port I need to use. Everything is working OK and I do connect through the Pix over that port. But when I add an Authentication rule with the LOCAL server to make the Pix ask for a user name and password when accessing a host in the inside network, the connection is not possible and no user name and password is ever required.

Please help me. What should I do?

Ivan Martinon Fri, 01/09/2009 - 16:01

I presume you are trying to use the Cut-Through-Proxy feature on this PIX. If this is the case, is this a standard TCP port like HTTP, HTTPS or TELNET? These are the only ports that work straightforwardly with the proper aaa setup. If you are using another service like RDP or so, you would need to use virtual configs like virtual telnet or virtual http. Check the link below:

sdelorenzi Wed, 01/14/2009 - 04:25

Excuse me, maybe I did not explain very well. What I want to do is to perform a Remote Desktop Connection from the outside network to a specific host in the inside network, and to specify who can access that host in that way in the LOCAL Pix database with user names and passwords. So, it happens that when I create the static translation rule and an access rule to give access on the Remote Desktop port (3389), I do connect by Remote Desktop to the host in the inside network. But when I add an Authentication Rule, I am never asked for the user name or password and the connection is no longer possible. Are you saying that this is not possible? I'm using PDM to configure the Pix.

Ivan Martinon Wed, 01/14/2009 - 09:10

You did explain well. This feature is called Cut-Through-Proxy, and it is supported straight through for HTTP, HTTPS and TELNET. For services such as RDP (port 3389) you need to use either virtual telnet or virtual http to make it even prompt for authentication. Please take a look at the link I sent you.

