Cisco Support Community
Community Member

PIX with AAA not validating new users from same NAT-domain

We're using a PIX 515R with a Microsoft webserver on HTTP and HTTPS. Users on this webserver have to authenticate with a cryptocard token.

The PIX is validating the user by checking the token on a cryptocard RADIUS server. This system works fine if you're not behind a proxy server with NAT. If the clients are behind a proxy/firewall server with NAT we encounter problems with authenticating each client separately.

Once the first user is authenticated, every other user from behind the proxy server can connect through the PIX to the webserver without authentication.

The log from the PIX and the configuration of the PIX are included below.

The log from the pix is as follows:


109001: Auth start for user '???' from to

109011: Authen Session Start: user 'gobo', sid 242

109005: Authentication succeeded for user 'gobo' from to on interface outside

302001: Built inbound TCP connection 47097 for faddr gaddr laddr (gobo)

302002: Teardown TCP connection 47097 faddr gaddr laddr duration 0:01:03 bytes 9364 (gobo)


302001: Built inbound TCP connection 47099 for faddr gaddr laddr (gobo)

This user doesn't have to authenticate because the PIX firewall still thinks it's the first user (gobo)

Then request a webpage with first client (gobo)

302001: Built inbound TCP connection 47100 for faddr gaddr laddr (gobo)

302001: Built inbound TCP connection 47101 for faddr gaddr laddr (gobo)

And then the second client again (not authenticated, PIX thinks that this is client "gobo")

302001: Built inbound TCP connection 47102 for faddr gaddr laddr (gobo)

The configuration looks like this:

: Saved


PIX Version 5.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password removed encrypted

passwd removed encrypted

hostname TLEUFFWR002

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521


name eufi_web_extern

name eufi_web_intern

access-list acl_out permit tcp any any eq www

access-list acl_out permit tcp any any eq 443

access-list acl_in permit ip any any

access-list acl_in permit tcp any any

access-list acl_in permit udp any any

access-list acl_in permit icmp any any

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered debugging

no logging trap

no logging history

logging facility 20

logging queue 4096

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

arp timeout 14400

nat (inside) 1 0 0

static (inside,outside) eufi_web_extern eufi_web_intern netmask 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host eufi_web_intern Removed timeout 30

aaa authentication include http inbound RADIUS

aaa authentication include tcp/443 inbound RADIUS

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

isakmp identity hostname

telnet timeout 5

terminal width 80

Cryptochecksum:f2650712cc168d0326178d6f8323a295

: end
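The behaviour in the log above follows from the PIX cut-through proxy keeping its uauth cache keyed by client source address: behind a NAT proxy, every client arrives from the same address, so the second client matches the entry created when "gobo" authenticated. The model below is an added illustration, not PIX code or anything from the original post. It reproduces the posted timeouts ("timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity"), uses a constructed NAT address 203.0.113.5, and assumes the documented PIX behaviour that a uauth absolute timeout of 0 disables caching so every new connection must authenticate.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Model of the PIX uauth cache (constructed illustration, not PIX code).
# The cache is keyed by source IP only, which is the root of the NAT problem.


@dataclass
class UauthEntry:
    user: str
    created: float    # time of the successful token authentication
    last_used: float  # time of the last connection matched to this entry


@dataclass
class UauthCache:
    absolute: float = 3 * 3600    # "timeout uauth 3:00:00 absolute" from the posted config
    inactivity: float = 30 * 60   # "uauth 0:30:00 inactivity" from the posted config
    entries: Dict[str, UauthEntry] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def _expired(self, e: UauthEntry, now: float) -> bool:
        # Assumption: absolute timeout 0 means no caching at all (PIX documents this).
        if self.absolute == 0:
            return True
        return (now - e.created >= self.absolute) or (now - e.last_used >= self.inactivity)

    def new_connection(self, src_ip: str, now: float,
                       authenticate: Callable[[], Optional[str]]) -> Tuple[Optional[str], bool]:
        """Return (user the PIX attributes the connection to, served_from_cache).

        `authenticate` is only invoked when no valid cache entry exists; it stands
        in for the RADIUS/token challenge and returns the username or None.
        """
        e = self.entries.get(src_ip)
        if e is not None and not self._expired(e, now):
            e.last_used = now
            self.events.append(f"cached: {src_ip} passed through as {e.user}")
            return e.user, True
        self.entries.pop(src_ip, None)
        user = authenticate()
        if user is None:
            self.events.append(f"challenge failed: {src_ip}")
            return None, False
        self.entries[src_ip] = UauthEntry(user, now, now)
        self.events.append(f"authenticated: {src_ip} as {user}")
        return user, False


def nat_scenario(absolute: float = 3 * 3600,
                 inactivity: float = 30 * 60) -> List[Tuple[str, Optional[str], bool]]:
    """Two different people behind one NAT address (constructed 203.0.113.5).

    Returns (who actually connected, user the PIX attributed it to, from_cache).
    """
    cache = UauthCache(absolute, inactivity)
    nat_ip = "203.0.113.5"
    results = []
    # gobo answers the token challenge and is cached for the NAT address.
    user, cached = cache.new_connection(nat_ip, 0.0, lambda: "gobo")
    results.append(("gobo", user, cached))
    # 63 s later a second person behind the same NAT connects. They hold no
    # token, so if the PIX challenged them the challenge would fail (None).
    user, cached = cache.new_connection(nat_ip, 63.0, lambda: None)
    results.append(("second-client", user, cached))
    return results


def distinct_ip_scenario() -> List[Tuple[str, Optional[str], bool]]:
    """Same two people, but each with their own source address (constructed)."""
    cache = UauthCache()
    results = []
    user, cached = cache.new_connection("198.51.100.10", 0.0, lambda: "gobo")
    results.append(("gobo", user, cached))
    user, cached = cache.new_connection("198.51.100.11", 63.0, lambda: None)
    results.append(("second-client", user, cached))
    return results


if __name__ == "__main__":
    for row in nat_scenario():
        print("posted timeouts:", row)
    for row in nat_scenario(absolute=0):
        print("uauth absolute 0:", row)
```

With the posted timeouts the second client is passed through as "gobo" without ever seeing a token challenge, exactly as the log shows; with separate source addresses each client is challenged. Setting the absolute uauth timeout to 0 removes the cache so the second client is challenged, at the cost of gobo also re-authenticating on every new connection, which is the trade-off to weigh against the 0:30:00 inactivity and 3:00:00 absolute values currently configured.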
