Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

how to require authentication from inbound https connections?

Unanswered Question
Oct 6th, 2006
User Badges:


I have this internal web server protected by the pix. now I want the pix to use aaa and ask for authentication when the user tries to connect to the firewall which by using static send the request to the web server.

this is my code,

access-list from_outside extended permit icmp any any log

access-list from_outside extended permit tcp any host <mypublicip> eq 11070 log

access-list from_outside extended permit tcp any host <mypublicip> eq https log

access-list from_outside extended deny ip any any log

access-list acl_auth extended permit tcp any any eq https

aaa-server MYAAA protocol radius

aaa-server MYAAA (inside) host


authentication-port 1812

aaa authentication ssh console MYAAA LOCAL

aaa authentication match acl_auth outside MYAAA

auth-prompt prompt Enter your user and pass!



now when I try to connect to


I don't get any internet explorer popups and in my pix logs I see a line

%PIX-7-109014: uauth_lookup_net fail for get_np_flow_info()

on cisco it says that I have to use authorization as well but I don't understand why, I don't even get a popup to type my user/pass.

also, I'm using freeradius on a linux box, the authentication works because to log into my cisco I use aaa and I can log no problem there.

any help would be appreciated.

thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
pamirian76 Fri, 10/06/2006 - 06:47
User Badges:

my 2nd question:

if a user from a company that's using PAT gets to the pix, for the first user the pix will prompt for a user/pass but not for the other users since the user coming from that IP has already authenticated.

how can I force the pix to ask for a user/pass anyway? I'm not even sure that this can be done...

what's my option if I want all the user coming from the same IP to be authenticated by the pix?

thank you!!

kaachary Mon, 10/16/2006 - 13:00
User Badges:
  • Cisco Employee,


Regarding your second question :

Try to lower down the uauth timeout on the PIX.



kaachary Mon, 10/16/2006 - 13:02
User Badges:
  • Cisco Employee,


Regarding your first question :

Change the exisiting command to :

aaa authentication match acl_auth inside MYAAA




This Discussion