Using AAA on PIX to authenticate inbound HTTP traffic on port 8080?
I am trying to authenticate inbound HTTP users to a PIX, but with users navigating in their browsers on a port other than 80. The port is in the fixup http list, but the following command does not work:
aaa authentication include http outside 192.168.0.1 255.255.255.0 0 0 authserv
This command works for port 80, but if I try it for another port it does not work.
If I try
aaa authentication include http/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv
it obviously does not work because it has not been thought this way and
aaa authentication include tcp/8080 outside 192.168.0.1 255.255.255.0 0 0 authserv
freezes the browser, as if it does not connect. So I am thinking that the aaa authenticate command should take into consideration the TCP ports mentioned in the fixup protocol list. Or am I missing something?
Re: Using AAA on PIX to authenticate inbound HTTP traffic on por
The problem is not to enable straight user access to HTTP on port 8080, but rather to authenticate users using the same aaa mechanism but on port 8080 instead of port 80 as when:
aaa authenticate include http outside 192.168.0.1 255.255.255.255 0 0 authserv
but that the "http" keyword takes any HTTP port session that is identified on the fixup list, otherwise I don't really see how it can guess that there is HTTP traffic on another port. It would have to open every packet looking for HTTP traffic.
Or a command such as the one I suggested with http/port# could help, but this command is not there...