Community Member

AAA Authentication at Outside interface for port 1433

Problem:

I want to let a customer authenticate at the PIX outside interface and then open up SQL port 1433 to run Enterprise Manager.

Port 1433 should not be accessible to anyone else unless authenticated.

I'm looking for the type of functionality that the lock and key access lists can do in IOS.

The customer will be outside the PIX. The server in question (2.2.2.2) currently has a functioning static and access-lists that allow the world to hit a web site hosted on the server.

AAA is working for administrative login to the PIX console over telnet and SSH.

This is what I have (real IP addresses removed):

access-list OutsideAuth permit tcp any host 2.2.2.2 eq 1433
access-list OutsideAuth permit tcp any host 2.2.2.100 eq www
access-list OutsideAuth permit tcp any host 2.2.2.100 eq https
aaa-server AuthServer protocol tacacs+
aaa-server AuthServer (inside) host 1.1.1.1 password timeout 5
aaa authentication secure-http-client
aaa authentication telnet console AuthServer
aaa authentication ssh console AuthServer
aaa authentication match OutsideAuth outside AuthServer
virtual http 2.2.2.100

My hope is that the user could securely HTTP to 2.2.2.100, authenticate and then hit port 1433.

If I hit the 2.2.2.100 address I get a web screen with username and password boxes. I don't see the secure Java based authentication screen.

Am I on the right track? Can this be done?

1 REPLY
Community Member

Re: AAA Authentication at Outside interface for port 1433

You might have to add an "aaa authorization". This will protect your 2.2.2.2 server from anyone who's trying to hit it w/ port 1433. The user will have to perform an authentication on port http first, then will be authorized to use tcp/1433 thru the PIX.

You may end up w/ a command like this (sorry I'm old and not using the match ACL command set)

aaa authorization include tcp/1433 outside 2.2.2.2 255.255.255.255 0.0.0.0 0.0.0.0 AuthServer

Also, the PIX will let the user authenticate w/ tcp ports 21 (ftp), 23 (telnet) and 80 (http) only. Not sure w/ tcp/443 (https).

Please refer to this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1056043

You may also use "show uauth" command to diagnose common login session.

Mike
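The following is an added configuration example illustrating the combination both posts describe (authentication via the virtual HTTP address, then per-user authorization for tcp/1433); it is not from either poster or from Cisco documentation. It assumes PIX 6.3 match-ACL syntax, a TACACS+ server tagged AuthServer at 1.1.1.1 on the inside, the SQL server at 2.2.2.2, an otherwise unused outside address 2.2.2.100 for virtual http, and that the existing static for 2.2.2.2 stays in place. The ACL name OutsideAuthz, the interface ACL name outside_in, the TACACS+ key placeholder and the timeout values are assumptions, not values from the thread.

```cisco
! --- Added example: PIX 6.3 cut-through proxy for tcp/1433 (not from the thread) ---
! Assumed: server tag AuthServer, TACACS+ at 1.1.1.1 (inside), SQL server 2.2.2.2,
! unused outside address 2.2.2.100 for the virtual HTTP login page.

aaa-server AuthServer protocol tacacs+
aaa-server AuthServer (inside) host 1.1.1.1 TACACS_KEY_PLACEHOLDER timeout 5

! 1) Authentication ACL: outside-initiated flows that require a logged-in user.
!    The PIX can only prompt for credentials on ftp, telnet and http, so HTTP to
!    the virtual address is the way in. tcp/1433 is listed so that it is dropped
!    until a uauth entry exists for the client's source address.
access-list OutsideAuth permit tcp any host 2.2.2.100 eq www
access-list OutsideAuth permit tcp any host 2.2.2.2 eq 1433
aaa authentication match OutsideAuth outside AuthServer

! Collect the login over SSL instead of a clear-text basic-auth prompt.
aaa authentication secure-http-client

! 2) Authorization ACL (assumed name OutsideAuthz): once authenticated, the PIX
!    asks TACACS+ per flow whether THIS user may use tcp/1433 to 2.2.2.2.
!    Authorization requires TACACS+ (not RADIUS); the server must be configured
!    to permit the service for the allowed users (server-side setup assumed).
access-list OutsideAuthz permit tcp any host 2.2.2.2 eq 1433
aaa authorization match OutsideAuthz outside AuthServer

! 3) The login page is served by the PIX itself at 2.2.2.100 (not a real host).
virtual http 2.2.2.100

! 4) Keep the cut-through session short. It is keyed on the client's source IP,
!    so every host behind the same NAT address inherits it until it expires.
!    (Assumed values; the absolute timer must exceed the inactivity timer.)
timeout uauth 0:30:00 absolute uauth 0:05:00 inactivity

! 5) The interface ACL is still evaluated in addition to AAA; the web site on
!    2.2.2.2 stays open to the world, 1433 is gated by steps 1 and 2.
access-list outside_in permit tcp any host 2.2.2.100 eq www
access-list outside_in permit tcp any host 2.2.2.2 eq www
access-list outside_in permit tcp any host 2.2.2.2 eq 1433
access-group outside_in in interface outside
```

To check the behaviour, browse to the virtual address, log in, and then run "show uauth": the client's source address should appear with its remaining absolute and inactivity timers, and only then should a tcp/1433 connection to 2.2.2.2 be allowed through. Because the session is tied to the source address rather than to the user, the short timeouts are what limit how long a shared NAT address stays open after one user has authenticated.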
