09-05-2002 06:48 AM - edited 02-21-2020 10:03 AM
This was originally posted in the VPN-->security section
We use Cisco VPN client v1.1 for remote access to the network. I need to make some config changes and I'm trying to understand the existing config so I don't mess up the present connectivity (I'm new to PIX).
I have the following command in my config:
aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth
It appears to be a legal command, because it is in the running config. However, I cannot find anything in the docs that reference the "tcp/0" parameter. I'm presently using V6.2, upgraded from V5.2. There is an example of this given for the aaa authorization command. Also, in
http://www.cisco.com/warp/public/110/atp52.html
at "Virtual Telnet Outbound," there is an example given where protocol/port is shown.
Anyway, if I am correct in my assumption, the command given above would read, in English, "Authenticate anyone from network 192.168.1.0 that arrives on the outside interface using any TCP port, to access the network 172.1.0.0, using the partnerauth server."
What does this command really do? I doubt it is even working, because the 172.1.0.0 isn't part of the 172 class B private network we use.
To further confuse me, the example below doesn't use this command at all when configuring radius authentication.
http://www.cisco.com/warp/public/110/pixcryaaa52.shtml#setup3
If anyone can point me in the right direction I would be very grateful!!
Later . . .
dotx
09-06-2002 01:22 AM
Let me make it simple for you
When you enter the following command on the PIX:
aaa authentication include any outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth
it will translate to the following when you do show run:
aaa authentication include tcp/0 outside 172.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 partnerauth
Syntax format:
aaa authentication|authorization|accounting include|exclude
As you can see from the above, in the "SVC" field, when you originally define ANY, it is replaced with tcp/0, which means "any protocol any port".
HTH
R/Yusuf
09-06-2002 06:56 AM
I have read elsewhere that this command is for authenticating users ON the PIX, not for authenticating VPN clients coming in, which is what I'm interested in.
I have no need to log onto the PIX from anywhere but through the console port.
If this is so, wouldn't removing this command provide additional security by not allowing external logins?
Thanks for your replies.
-dotx
09-07-2002 12:20 AM
This command is used for any traffic crossing/traversing the pix, not for users logging onto the pix.
Hope that clarifies.
R/Yusuf
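An added example, not from the thread's participants: a small Python parser for the aaa include/exclude rule form discussed above, normalizing "any" to tcp/0 the way the show run output does, and checking whether a given flow crossing the PIX would fall under the rule. It assumes the original poster's reading that the foreign network is the source arriving on the named interface and the local network is the destination; the service aliases for telnet/ftp/http are standard port numbers, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass

# "any" is displayed by show run as tcp/0 (per the reply above); the other
# aliases are the standard port numbers for those services (assumption).
SERVICE_ALIASES = {"any": "tcp/0", "telnet": "tcp/23", "ftp": "tcp/21", "http": "tcp/80"}


@dataclass
class AaaRule:
    action: str       # authentication | authorization | accounting
    mode: str         # include | exclude
    service: str      # normalized "proto/port"; tcp/0 means any protocol, any port
    if_name: str      # interface the traffic arrives on
    local_net: ipaddress.IPv4Network    # destination side, per the poster's reading
    foreign_net: ipaddress.IPv4Network  # source side, per the poster's reading
    group_tag: str    # AAA server group, e.g. partnerauth


def parse_aaa_rule(line: str) -> AaaRule:
    """Parse either the typed form (service 'any') or the show run form (tcp/0)."""
    t = line.split()
    if len(t) != 10 or t[0] != "aaa" or t[2] not in ("include", "exclude"):
        raise ValueError(f"not an aaa include/exclude rule: {line!r}")
    svc = SERVICE_ALIASES.get(t[3].lower(), t[3].lower())
    if "/" not in svc:
        raise ValueError(f"unknown service {t[3]!r}")
    return AaaRule(
        action=t[1], mode=t[2], service=svc, if_name=t[4],
        local_net=ipaddress.IPv4Network((t[5], t[6]), strict=False),
        foreign_net=ipaddress.IPv4Network((t[7], t[8]), strict=False),
        group_tag=t[9],
    )


def matches(rule: AaaRule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would this rule apply to a flow from src_ip to dst_ip arriving on rule.if_name?"""
    if ipaddress.IPv4Address(src_ip) not in rule.foreign_net:
        return False
    if ipaddress.IPv4Address(dst_ip) not in rule.local_net:
        return False
    if rule.service == "tcp/0":          # "any protocol any port"
        return True
    rproto, rport = rule.service.split("/")
    return rproto == proto.lower() and int(rport) in (0, dport)


def describe(rule: AaaRule) -> str:
    """Render the rule in plain English, in the style of the poster's own reading."""
    svc = "any protocol/port" if rule.service == "tcp/0" else rule.service
    return (f"{rule.mode} {rule.action} of {svc} from {rule.foreign_net} arriving on "
            f"{rule.if_name} to {rule.local_net}, using server group {rule.group_tag}")
```

Running matches() with the poster's real 172.16.x.x addresses shows why the rule as written never fires: 172.1.0.0/16 does not contain them.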