12-04-2006 05:11 AM - edited 03-11-2019 02:04 AM
Hi all, can someone please help me? I am able to authenticate RDP and all other kinds of traffic with the help of virtual HTTP and virtual telnet from inside to outside, but I am unable to achieve the same from outside to inside.
int e0
no sh
nameif outside
ip add 1.1.1.1/24
int e1
no sh
nameif inside
ip add 10.1.1.1/24
The ACS server is on 10.1.1.3 and the RDP server is on 10.1.1.2.
The host is connected on the outside with 1.1.1.2.
aaa-server cisco protocol tacacs+
aaa-server cisco (inside) host 10.1.1.3
key cisco
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 per tcp any host 1.1.1.3 eq 3389
access-list 101 per tcp any host 1.1.1.4 eq 80
access-list 101 per tcp any host 1.1.1.5 eq 23
access-group 101 in interface outside
virtual-telnet 1.1.1.5
virtual-http 1.1.1.4
When I try to telnet or do HTTP to these virtual IPs, I am not getting triggered for authentication. What could be the problem? So I have to do a static NAT for the virtual HTTP and virtual telnet servers?
What am I missing? Can someone please help me?
On the ACS server I have also permitted HTTP to 1.1.1.4 and telnet to 1.1.1.5.
Please, urgent help required.
Regards,
Sebastan
12-04-2006 05:44 AM
Can you try to add 1.1.1.3 as virtual-telnet IP and auth proxy?
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
virtual-http 1.1.1.3
Existing:
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 per tcp any host 1.1.1.3 eq 3389
access-list 101 per tcp any host 1.1.1.4 eq 80
access-list 101 per tcp any host 1.1.1.5 eq 23
access-group 101 in interface outside
virtual-telnet 1.1.1.5
virtual-http 1.1.1.4
* Replace conduit with ACL.
HTH
AK
12-04-2006 05:55 AM
Some newer reference, PIX 7.2:
You definitely need the authentication proxy to intercept the incoming access traffic and get the authentication page.
Example:
ASA(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.1 eq telnet
ASA(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq smtp
ASA(config)# aaa authentication match AUTH inside tacacs+
ASA(config)# virtual telnet 10.1.2.1
Cheers!
12-04-2006 06:23 AM
Hello,
You look like you're missing a 'match' statement.
Your interface access-list only tells you what traffic is allowed through; you then need an authentication access-list that says which traffic needs to authenticate.
In this access-list, permits mean you have to authenticate, whereas denies mean you don't have to authenticate.
In your example above, you'd want something like:
access-list inbound-auth permit tcp any host 1.1.1.5 eq 23
access-list inbound-auth permit tcp any host 1.1.1.4 eq 80
aaa authentication match inbound-auth outside cisco
Now, that means anything going to those IP addresses has to authenticate. Everything else doesn't, but your interface access-list doesn't allow any other traffic through. So effectively, if they don't telnet or HTTP to those IP addresses, or use 3389 to host 1.1.1.3, they won't get through.
--Jason
Please rate this message if it solved all or some of your issue.
12-04-2006 09:30 AM
Hi Jason, here's my config, buddy.
int e0
nameif outside
ip add 1.1.1.1/24
int e1
nameif inside
ip add 10.1.1.1/24
The ACS server is on 10.1.1.3 and the server is on 10.1.1.2.
I have done a static entry for the server to be reachable from the outside.
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 permit tcp any host 1.1.1.3 eq 3389
access-list 101 permit tcp any host 1.1.1.4 eq 80
access-group 101 in interface outside
access-list 102 permit tcp any host 1.1.1.3 eq 3389
access-list 102 permit tcp any host 1.1.1.4 eq 80
aaa authentication match 102 outside cisco
aaa authorization match 102 outside cisco
aaa-server cisco protocol tacacs+
aaa-server cisco (inside) host 10.1.1.3
key cisco
virtual http 1.1.1.4
Jason, as far as I can see my configuration is right, but I don't get the authentication prompt when I type the IP address http://1.1.1.4 in the web browser.
Can you please help me, man? I am really stuck with this.
Waiting for your reply.
Regards,
Sebastan
12-04-2006 12:31 PM
Sebastan,
I did some more checking on virtual http. If you are doing it inbound (low to high security level), you are *required* to have a static.
I would add something like:
static (inside,outside) 1.1.1.4 172.16.3.1 netmask 255.255.255.255
and then do a clear xlate.
If that works, great: you don't have to use up your real IP addresses on the inside to accommodate virtual telnet/http. If it doesn't, try a static pointed to an unused IP address on your inside interface and see if that works.
--Jason
Please rate this message if it solved some or all of your issue.
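Putting Jason's two points together (the separate authentication access-list, and the static that inbound virtual http/telnet needs), here is a complete inbound cut-through proxy configuration as an added example. It is not taken from this thread or from Cisco documentation; it is written in PIX/ASA 7.x syntax and reuses the addresses already used above. The inside addresses 10.1.1.250 and 10.1.1.251 behind the virtual servers and the exempted host 1.1.1.200 are assumptions chosen for illustration.

```cisco
! Added example, not from this thread. Assumes e0/e1 are already configured as
! outside/inside, the TACACS+ server group is named "cisco", and 10.1.1.2 is
! the RDP server published on the outside as 1.1.1.3.

! 1. Statics: the published server, plus one static per virtual address so
!    that inbound virtual http/telnet has a translation to land on.
!    10.1.1.250 / 10.1.1.251 are assumed unused inside addresses.
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 10.1.1.250 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 10.1.1.251 netmask 255.255.255.255

! 2. Interface ACL: decides only what is allowed through at all.
access-list 101 extended permit tcp any host 1.1.1.3 eq 3389
access-list 101 extended permit tcp any host 1.1.1.4 eq 80
access-list 101 extended permit tcp any host 1.1.1.5 eq 23
access-group 101 in interface outside

! 3. Authentication ACL: permit = must authenticate, deny = exempt.
!    Entries are evaluated top down, so the exemption for the assumed
!    host 1.1.1.200 sits above the broader permit lines.
access-list inbound-auth extended deny tcp host 1.1.1.200 host 1.1.1.3 eq 3389
access-list inbound-auth extended permit tcp any host 1.1.1.3 eq 3389
access-list inbound-auth extended permit tcp any host 1.1.1.4 eq 80
access-list inbound-auth extended permit tcp any host 1.1.1.5 eq 23
aaa authentication match inbound-auth outside cisco

! 4. Virtual servers: RDP carries no credentials the firewall can intercept,
!    so the user authenticates here first and the RDP flow then matches
!    the existing uauth entry.
virtual http 1.1.1.4
virtual telnet 1.1.1.5

! 5. Bound the authenticated session so a forgotten login does not keep
!    the 3389 path open indefinitely.
timeout uauth 0:05:00 absolute
```

After applying it, run clear xlate so the new statics take effect, and check `show uauth` after logging in through the virtual telnet address: the outside host should appear with an authenticated entry before the RDP connection to 1.1.1.3 is attempted.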
12-04-2006 01:09 PM
Hi Jason, I tried using the static for the virtual IPs but nothing worked out. Then finally I used the virtual IP which is the same NATed IP as the inside server, and it worked.
Using a different virtual IP didn't work at all, man. And only virtual http worked that way. With virtual telnet I get the user prompt and get authenticated too, but the sad part is that the other traffic doesn't get authorized, like RDP in my scenario.
The debug says authentication required for this service. When I did virtual telnet from inside to outside I get authentication successful, but when I do it from outside to inside I get authorization failed. It's sick, man. I hope I don't get such problems in my CCIE lab.
I guess it's a bug. I tried every other means.
What do you say?
Regards,
Sebastan