authentication proxy with vpn client question


I am trying to get http authentication proxy to work together with vpn client.

I think I might have misunderstood how it is supposed to work, because with my configuration, once the VPN tunnel is established, the user already has full access to all internal networks. I have tried to follow the examples in

(auth-proxy with vpn and firewall no NAT)


(auth-proxy with vpn and firewall and NAT)

I am trying from a laptop on

connecting to router interface on The VPN clients get an IP address from pool

Access-list 115 denies and explicitly, but once the VPN tunnel is up I can already ping the internal address What am I getting wrong?

Here is my setup:

Laptop -- Router1 -- Router2 --

aaa authentication login default group radius local
aaa authentication login CLIENTuserauthen group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network CLIENTgroupauthor local
aaa authorization auth-proxy default group radius

crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp client configuration group CLIENTgroup
 key halodri
 domain lco.gtn
 pool CLIENTpool

crypto isakmp profile CLIENTprof
 match identity group CLIENTgroup
 client authentication list CLIENTuserauthen
 isakmp authorization list CLIENTgroupauthor
 client configuration address respond

crypto ipsec transform-set CLIENTset esp-3des esp-md5-hmac

crypto dynamic-map CLIENTdynmap 10
 set transform-set CLIENTset
 set isakmp-profile CLIENTprof

crypto map VPNMAP 100 ipsec-isakmp dynamic CLIENTdynmap

interface GigabitEthernet0/0
 description Outside Interface
 ip address
 ip access-group 115 in
 ip nat outside
 ip auth-proxy auth_proxy_rule_http
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNMAP

interface GigabitEthernet0/1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

ip local pool CLIENTpool
ip forward-protocol nd
ip route
ip route GigabitEthernet0/1
ip route
ip route GigabitEthernet0/1
ip route GigabitEthernet0/1
ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
logging trap debugging
logging facility local3

access-list 10 remark http server needed by auth-proxy, but we deny access to http server itself
access-list 10 deny any
access-list 105 remark -- end route-map nonat list
access-list 115 remark --- block certain hosts for auth-proxy testing ---
access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 permit ip host any log-input
access-list 115 permit ip host any log-input
access-list 115 permit ip host any log-input
access-list 115 deny ip host any
access-list 115 deny ip host any
access-list 115 deny ip any
access-list 115 permit ip any any




Re: authentication proxy with vpn client question

Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by user provides more robust protection against network attacks.

Refer to the Cisco IOS Security Configuration Guide, Release 12.1 for more information on configuring authentication proxy:


Re: authentication proxy with vpn client question

I have read that guide before, but it says that auth proxy works with VPN and that


If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.

If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.


The only way I could make an impact with auth proxy on the VPN behaviour was when I configured a split-tunnel rule for the VPN client which only sends traffic to a non-existent internal network via the VPN tunnel. Only then would auth-proxy insert additional rules that allow access to more destinations.

As VPN without split-tunnel already allows access to all destinations, I don't see how auth-proxy can make a difference.
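An added example (not from the thread, and not Cisco code) to sanity-check what the posted ACL 115 and the auth-proxy mechanism quoted from the guide would do with the decrypted traffic: a small Python evaluator for the numbered extended ACL, with constructed placeholder addresses standing in for the ones stripped from the post, and the dynamic entries assumed to be checked ahead of the static ACL. It shows that the ACL text itself denies a ping from the pool address until an auth-proxy entry for the logged-in user is added, so a ping that succeeds before any login is not being matched against this ACL as written.

```python
import ipaddress

# Constructed placeholders (TEST-NET / RFC 1918) for addresses stripped from the post.
VPN_CLIENT, INTERNAL_HOST = "192.0.2.50", "10.0.0.20"   # pool address, internal host
# ACL 115 from the post, its elided host/network fields filled with placeholders.
ACL_115 = """access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 deny ip host 192.0.2.50 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 permit ip any any"""
PORTS = {"isakmp": 500, "www": 80}

def _addr(t, i):  # 'any' | 'host A' | 'A wildcard' at t[i] -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2
def _port(t, i):  # optional 'eq <name|number>' at t[i] -> (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return int(PORTS.get(t[i + 1], t[i + 1])), i + 2
    return None, i
def parse_entry(t):  # t = ['permit', 'udp', 'any', 'any', 'eq', 'isakmp', 'log-input']
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)  # any trailing 'log' / 'log-input' keyword is ignored
    return (t[0], t[1], src, sport, dst, dport)
def parse_acl(text):  # numbered extended ACL text; remark lines are skipped
    return [parse_entry(l.split()[2:]) for l in text.splitlines() if l.split()[2] != "remark"]
def evaluate(entries, proto, src, dst, sport=None, dport=None):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, sp, dn, dp in entries:  # first match wins, as on IOS
        if p in ("ip", proto) and s in sn and d in dn and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def with_auth_proxy(entries, profile, client_ip):
    # Guide's mechanism: the logged-in user's profile entries are added with their source
    # replaced by the VPN client's address; assumed here to be checked before the static ACL.
    dyn = [(a, p, ipaddress.ip_network(client_ip), sp, dn, dp)
           for a, p, _, sp, dn, dp in (parse_entry(e.split()) for e in profile)]
    return dyn + entries

def demo():  # (decrypted ping before any login, the same ping after auth-proxy login)
    acl = parse_acl(ACL_115)
    authed = with_auth_proxy(acl, ["permit icmp any host " + INTERNAL_HOST], VPN_CLIENT)
    return (evaluate(acl, "icmp", VPN_CLIENT, INTERNAL_HOST),
            evaluate(authed, "icmp", VPN_CLIENT, INTERNAL_HOST))
```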