Cisco Support Community

New Member

Proxy authentication

I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B.

User--Internet--R1FW---R2--R3FW--VPNConcentrator


The requirement is for User, who is a mobile user of Customer A, to connect to Customer B's VPN concentrator and open an IPSEC connection using the Cisco VPN client.

User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.

The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW.

Since this is a mobile user it can connect from different places so he does not use a single IP.

Here are my thoughts/questions to address this issue:

1. Is it possible to assign User a static IP when authenticating with the ACS, along with proxy authentication?

2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?

3. Is there another solution to achieve the above: (1) authentication of mobile users and (2) static IP assignment?
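The R1 side of the scheme described in the question (auth-proxy login to ACS, then a per-user entry inserted into the inbound access-list), written out as an added IOS configuration example; it is not from the poster or from Cisco. The rule name CUSTA-AUTH, the ACS/TACACS+ choice, and all addresses (192.0.2.1 for R1's Internet interface, 192.0.2.10 for the ACS, 203.0.113.5 for Customer B's concentrator) are assumptions.

```cisco
! R1 (Customer A edge): authentication proxy with per-user ACL download from ACS.
! Addresses are placeholders: 192.0.2.1 = R1 Internet interface, 192.0.2.10 = ACS,
! 203.0.113.5 = Customer B VPN concentrator. Shared secret is a placeholder.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
!
! Auth-proxy presents its login page through the router's HTTP server,
! so HTTP authentication must be handed to AAA.
ip http server
ip http authentication aaa
!
! Proxy rule (name assumed); idle entries are purged after 60 minutes.
ip auth-proxy name CUSTA-AUTH http inactivity-time 60
!
! Base inbound ACL: nothing is forwarded until the proxy adds entries.
! HTTP to R1 itself is permitted so the unauthenticated user can reach the login page.
access-list 110 permit tcp any host 192.0.2.1 eq www
access-list 110 deny ip any any
!
interface FastEthernet0/0
 description Internet-facing
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy CUSTA-AUTH
!
! On the ACS, the user's auth-proxy profile carries the entries R1 inserts into
! ACL 110 after a successful login. The "any" source is replaced by the address
! of the host that authenticated, so only that host can reach the concentrator,
! and only for IKE (UDP 500), NAT-T (UDP 4500) and ESP:
!   priv-lvl=15
!   proxyacl#1=permit udp any host 203.0.113.5 eq isakmp
!   proxyacl#2=permit udp any host 203.0.113.5 eq non500-isakmp
!   proxyacl#3=permit esp any host 203.0.113.5
```

Check the result with `show ip auth-proxy cache` (the authenticated host's entry) and `show ip access-lists 110` (the dynamically added lines); when the entry times out, the dynamic lines disappear and the host is back to the deny-all baseline.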



New Member

Re: Proxy authentication

Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.