New Member

PIX Authentication for outbound SSH & FTP

I have a PIX firewall on which I wish to authenticate outbound SSH and FTP connections for selected users against an internal AAA server, using TACACS.

Is this functionality supported ?

I have created an access list, SSH-Tracker, to match the traffic.

I have tied the access list to authentication: aaa authentication match SSH-Tracker inside tacserv.

I have global NATs in place.

I suspect I am missing something, or the functionality is not there yet?

Any help appreciated.

2 REPLIES
Cisco Employee

Re: PIX Authentication for outbound SSH & FTP

You can define what traffic should be authenticated through the PIX with the command you've shown, but users can still only authenticate using Telnet, FTP or HTTP traffic. There's nothing in the SSH protocol, for example, that lets the PIX intercept it and display a username/password request to the user.

Have a read through http://www.cisco.com/warp/public/110/atp52.html and see how you get on. Pay particular attention to the debug/syslog messages; they'll help you out a lot.

New Member

Re: PIX Authentication for outbound SSH & FTP

Hi Doug,

FTP can be authenticated, but SSH cannot. But you can do it another way. Authenticate the traffic via FTP, HTTP or Telnet (HTTPS is supported in V6.3 too) and authorize SSH against your TACACS server. Authorization only takes place when the user is authenticated first. So you can say who is allowed to FTP or SSH or whatever you want.

Hope this helps a bit

Norbert
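The two-stage approach Norbert describes, written out as a PIX 6.3 configuration fragment. This is an added example, not configuration posted in the thread; the subnet, server address, key placeholder and access-list names are constructed, while tacserv is the server tag from the original question.

```text
! Constructed example (not from the thread): PIX 6.3 syntax.
! Addresses, access-list names and the key are placeholders.
aaa-server tacserv protocol tacacs+
aaa-server tacserv (inside) host 192.0.2.10 SHARED_KEY_PLACEHOLDER timeout 5

! Stage 1: authentication. Only FTP, Telnet and HTTP(S) can carry the
! PIX's username/password prompt, so only those ports trigger it here.
access-list AUTH-TRIGGER permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH-TRIGGER permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH-TRIGGER permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa authentication match AUTH-TRIGGER inside tacserv

! Stage 2: authorization. SSH itself cannot prompt, so it is checked
! per user against TACACS+ once the source host already holds an
! authentication entry in the uauth cache; without one it is denied.
access-list AUTHZ-SSH permit tcp 10.1.1.0 255.255.255.0 any eq ssh
aaa authorization match AUTHZ-SSH inside tacserv

! How long an authenticated user's entry stays cached (hh:mm:ss).
! Keep it short enough that a shared workstation does not inherit it.
timeout uauth 0:30:00 absolute
```

The per-user decision (who may open tcp/22) is made on the TACACS+ server, so the server's command/service authorization must permit it for the intended users; show uauth on the PIX lists the cached authenticated hosts and is the first thing to check when an SSH session is refused.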
