Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN Site-to-Site w User Authentication ???

Hi,

I've a VPN Site-to-Site between two branch offices.

What I want to know is, seen that is Site-to-Site, if it's possible, with a PIX, to add User Authentication before the traffic is sent to the destination network.

If Yes, as I suppose will be based on an external AAA server or it could be done directly on the PIX (local database)??

Thanks for any suggestion

Omar

2 REPLIES
Cisco Employee

Re: VPN Site-to-Site w User Authentication ???

Yes, any inbound traffic with IPSec terminating on the PIX can be configured for authentication on PIX for traffic passing through the PIX.

I tested with a router on outside and inside, and did a telnet across the IPSec tunnel with AAA

configured on PIX for telnet traffic.

Here is a document that explains how to configure AAA on PIX for traffic through the PIX;

http://www.cisco.com/warp/public/110/atp52.html

Here is a snip of my PIX config;

access-list 198 permit ip 11.11.11.0 255.255.255.0 13.13.13.0 255.255.255.0

nat (inside) 0 access-list 198

crypto map cisco 10 ipsec-isakmp

crypto map cisco 10 match address 198

crypto map cisco 10 set peer 81.18.1.3

crypto map cisco 10 set transform-set cisco

crypto map cisco interface outside

isakmp enable outside

isakmp key ******** address 81.18.1.3 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

!

aaa-server TACACS+ (inside) host 172.16.1.5 cisco timeout 5

aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

PIX(config)# show uauth

Current Most Seen

Authenticated Users 1 1

Authen In Progress 0 1

user 'pix-telnet' at 13.13.13.13, authenticated

absolute timeout: 0:05:00

inactivity timeout: 0:00:00

PIX(config)# show crypto ipsec sa

interface: outside

Crypto map tag: cisco, local addr. 81.18.1.1

local ident (addr/mask/prot/port): (11.11.11.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (13.13.13.0/255.255.255.0/0/0)

current_peer: 81.18.1.3

PERMIT, flags={origin_is_acl,}

#pkts encaps: 569, #pkts encrypt: 569, #pkts digest 569

#pkts decaps: 601, #pkts decrypt: 601, #pkts verify 601

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

PIX(config)#

Hope that helps.

Regards

Yusuf

New Member

Re: VPN Site-to-Site w User Authentication ???

Hi Yusuf,

Thanks for the suggestion...Does the authentication works also with RADIUS ???...seeing that you use TACACS+ :-)

I've Release 6.2, does the authorization works with RADIUS (in my case IAS), seeing that the document states:

"RADIUS and TACACS+ authentication may be done for FTP, Telnet, and HTTP connections through the Cisco Secure PIX Firewall. Authentication for other less common protocols can usually be made to work. TACACS+ authorization is supported; RADIUS authorization is not."

Saluti

Omar

98
Views
0
Helpful
2
Replies
CreatePlease to create content