virtual http from outside to inside not working. urgent help required pls

sebastan_bach
Level 4

Hi all, can someone please help me. I am able to authenticate RDP and all other kinds of traffic with the help of virtual http and virtual telnet from inside to outside, but I am unable to achieve the same from outside to inside.

int e0
 no sh
 nameif outside
 ip address 1.1.1.1 255.255.255.0
int e1
 no sh
 nameif inside
 ip address 10.1.1.1 255.255.255.0

The ACS server is on 10.1.1.3 and the RDP server is on 10.1.1.2.

A host is connected on the outside with 1.1.1.2.

aaa-server cisco protocol tacacs+
aaa-server cisco (inside) host 10.1.1.3
 key cisco
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 permit tcp any host 1.1.1.3 eq 3389
access-list 101 permit tcp any host 1.1.1.4 eq 80
access-list 101 permit tcp any host 1.1.1.5 eq 23
access-group 101 in interface outside
virtual telnet 1.1.1.5
virtual http 1.1.1.4

When I try to telnet or HTTP to these virtual IPs I am not prompted for authentication. What could be the problem? So I have to do a static NAT for the virtual http and virtual telnet servers?

What am I missing? Can someone please help me.

On the ACS server I have also permitted HTTP to 1.1.1.4 and telnet to 1.1.1.5.

Please, urgent help required.

Regards

sebastan

6 Replies

a.kiprawih
Level 7

Can you try to add 1.1.1.3 as the virtual-telnet IP and auth proxy?

aaa authentication any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
virtual http 1.1.1.3

Existing:

static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 permit tcp any host 1.1.1.3 eq 3389
access-list 101 permit tcp any host 1.1.1.4 eq 80
access-list 101 permit tcp any host 1.1.1.5 eq 23
access-group 101 in interface outside
virtual telnet 1.1.1.5
virtual http 1.1.1.4

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f3f.shtml#virt1

*replace conduit with ACL

HTH

AK

Some newer reference - PIX 7.2:

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f188.html#wp1410788

You definitely need the authentication proxy to intercept the incoming access traffic and get the authentication page.

Example:

ASA(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.1 eq telnet
ASA(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq smtp
ASA(config)# aaa authentication match AUTH inside tacacs+
ASA(config)# virtual telnet 10.1.2.1

Cheers!

jgervia_2
Level 1

Hello,

You look like you're missing a 'match' statement.

Your interface access-list only tells you what traffic is allowed through - you then need an authentication access-list to say which of that traffic needs to authenticate.

In this access list, permits mean you have to authenticate, whereas denies mean you don't have to authenticate.

In your example above, you'd want something like:

access-list inbound-auth permit tcp any host 1.1.1.5 eq 23
access-list inbound-auth permit tcp any host 1.1.1.4 eq 80
aaa authentication match inbound-auth outside cisco

Now, that means anything going to those IP addresses has to authenticate. Everything else doesn't - but your interface access-list doesn't allow any other traffic through. So effectively, if they don't telnet or http to that IP address, or are using 3389 to host 1.1.1.3, they won't get through.

--Jason

Please rate this message if it solved all or some of your issue.

Hi Jason, here's my config, buddy.

int e0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
int e1
 nameif inside
 ip address 10.1.1.1 255.255.255.0

The ACS server is on 10.1.1.3 and the server on 10.1.1.2.

I have done a static entry for the server to be reachable from the outside.

static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 permit tcp any host 1.1.1.3 eq 3389
access-list 101 permit tcp any host 1.1.1.4 eq 80
access-group 101 in interface outside
access-list 102 permit tcp any host 1.1.1.3 eq 3389
access-list 102 permit tcp any host 1.1.1.4 eq 80
aaa authentication match 102 outside cisco
aaa authorization match 102 outside cisco
aaa-server cisco protocol tacacs+
aaa-server cisco (inside) host 10.1.1.3
 key cisco
virtual http 1.1.1.4

Jason, as far as I can see my configuration is right, but I don't get the authentication prompt when I type the IP address http://1.1.1.4 in the web browser.

Can you please help me, man. I am really stuck with this.

Waiting for your reply.

Regards

sebastan

Sebastan,

I did some more checking on virtual http. If you are doing it inbound (low to high security level), you are *required* to have a static.

I would add something like

static (inside,outside) 1.1.1.4 172.16.3.1 netmask 255.255.255.255

and then do a clear xlate.

If that works, great, you don't have to use up your real IP addresses on the inside to accommodate virtual telnet/http. If it doesn't, try a static pointed to an unused IP address on your inside interface and see if that works.

--Jason

Please rate this message if it solved some or all of your issue.
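The two points Jason makes above (the interface ACL only decides what passes, while a permit in the ACL named by "aaa authentication match" decides what must authenticate, and an inbound virtual http/telnet address needs a static) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it parses the original poster's first config (reconstructed here from the post) and reports which flows would be intercepted and which pieces are missing. It only understands the "any" and "host" address forms used in this thread.

```python
# Constructed from the original post: interface ACL only, no match ACL, no static for the virtual address.
FIRST_CONFIG = """
static (inside,outside) 1.1.1.3 10.1.1.2 netmask 255.255.255.255
access-list 101 permit tcp any host 1.1.1.3 eq 3389
access-list 101 permit tcp any host 1.1.1.4 eq 80
access-group 101 in interface outside
virtual http 1.1.1.4
"""

def parse(config):
    cfg = {"acl": {}, "group": {}, "auth": {}, "virtual": [], "static": set()}
    for p in (l.split() for l in config.splitlines() if l.strip()):
        if p[0] == "access-list":
            cfg["acl"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group":   # access-group ACL in interface IF
            cfg["group"][p[4]] = p[1]
        elif p[:3] == ["aaa", "authentication", "match"]:
            cfg["auth"][p[4]] = p[3]   # interface -> match ACL
        elif p[0] == "virtual":        # virtual telnet|http ADDR
            cfg["virtual"].append(p[2])
        elif p[0] == "static":         # static (in,out) GLOBAL LOCAL ...
            cfg["static"].add(p[2])
    return cfg

def _addr(e, i, addr):
    # address field is "any" or "host X", the two forms used in the thread
    return (True, i + 1) if e[i] == "any" else (addr == e[i + 1], i + 2)

def acl_action(entries, proto, src, dst, dport):
    # first match wins; None is the implicit deny at the end of every ACL
    for e in entries:
        if e[1] not in (proto, "ip"):
            continue
        hit_s, i = _addr(e, 2, src)
        hit_d, i = _addr(e, i, dst)
        if hit_s and hit_d and (i >= len(e) or e[i:i + 2] == ["eq", str(dport)]):
            return e[0]
    return None

def check_flow(cfg, iface, proto, src, dst, dport):
    # interface ACL decides passage; a permit in the match ACL means cut-through auth
    flow = (proto, src, dst, dport)
    allowed = acl_action(cfg["acl"].get(cfg["group"].get(iface), []), *flow) == "permit"
    match = cfg["acl"].get(cfg["auth"].get(iface), [])
    return {"allowed": allowed, "auth_required": allowed and acl_action(match, *flow) == "permit"}

def lint(cfg):
    # the two omissions the replies point at
    out = [f"{i}: no 'aaa authentication match' ACL, no flow is intercepted"
           for i in cfg["group"] if i not in cfg["auth"]]
    out += [f"virtual address {v} has no static; inbound virtual telnet/http needs one"
            for v in cfg["virtual"] if v not in cfg["static"]]
    return out
```

Running lint(parse(FIRST_CONFIG)) reports both omissions; appending the match ACL, the "aaa authentication match" line and a static for 1.1.1.4 makes the HTTP flow from 1.1.1.2 come back as allowed and auth_required.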

Hi Jason, I tried using the static for the virtual IPs but nothing worked out. Then finally I used a virtual IP which is the same NATted IP as the inside server and it worked.

Using a different virtual IP didn't work at all, man. And even then only virtual http worked. With virtual telnet I get the user prompt and get authenticated too, but the sad part is the other traffic doesn't get authorised, like RDP in my scenario.

The debug says authentication required for this service. When I did virtual telnet from inside to outside I get authentication successful, but when I do it from outside to inside I get authorization failed. It's sick, man. I hope I don't get such problems in my CCIE lab.

I guess it's a bug. I tried every other means.

What do you say?

Regards

sebastan
