https://community.cisco.com/t5/network-access-control/aaa-authentication-at-outside-interface-for-port-1433/m-p/226484#M985 <HTML><HEAD></HEAD><BODY><P>You might have to add a "aaa authorization". This will protect your 2.2.2.2 server from anyone who's trying to hit w/ port 1433. User will have to perform an authentication on port http first, then will be authorize to use tcp/1433 thru the PIX.</P><P></P><P>You may end up w/ a command like this (sorry I'm old and not using the match ACL command set)</P><P>aaa authorization include tcp/1433 outside 2.2.2.2 255.255.255.255 0.0.0.0 0.0.0.0 AuthServer</P><P></P><P>Also PIX will let user authenticate w/ tcp-port 21(ftp),23(telnet) and 80(http) only. Not sure w/ tcp/443(https).</P><P></P><P>Please refer to this link:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1056043" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1056043</A></P><P></P><P>You may also use "show uauth" command to diagnose common login session.</P><P></P><P>Mike</P></BODY></HTML> Fri, 14 Nov 2003 18:50:46 GMT mpalardy 2003-11-14T18:50:46Z https://community.cisco.com/t5/network-access-control/aaa-authentication-at-outside-interface-for-port-1433/m-p/226483#M969 <P>Problem:</P><P>Want to let customer authenticate at PIX outside interface and then open up SQL port 1433 to run enterprise manager</P><P>Port 1433 not accessable by anyone else unless authenticated</P><P>I'm looking for the type of functionallity that the lock and key access lists can do in IOS</P><P></P><P>Customer will be outside the PIX, The server in question (2.2.2.2) currently has a functioning static and access-lists that</P><P>allow the world to hit a web site hosted on the server.</P><P></P><P>AAA is working for administrative login to the pix console over telnet and SSH</P><P></P><P>This is what I have:real IP addresses removed</P><P></P><P>access-list OutsideAuth permit tcp any host 2.2.2.2 eq 1433 </P><P>access-list OutsideAuth permit tcp any host 2.2.2.100 eq www </P><P>access-list OutsideAuth permit tcp any host 2.2.2.100 eq https</P><P></P><P>aaa-server AuthServer protocol tacacs+ </P><P>aaa-server AuthServer (inside) host 1.1.1.1 password timeout 5</P><P>aaa authentication secure-http-client</P><P>aaa authentication telnet console AuthServer</P><P>aaa authentication ssh console AuthServer</P><P>aaa authentication match OutsideAuth outside AuthServer</P><P>virtual http 2.2.2.100</P><P></P><P>My hope is that user could securely HTTP to 2.2.2.100, authenticate and then hit port 1433</P><P>If I hit the 2.2.2.100 address i get a web screen with a username and password boxes. I dont see the </P><P>secure Java based authentication screen.</P><P></P><P>Am I on the right track ? Can this be done?</P> Fri, 21 Feb 2020 18:08:46 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-at-outside-interface-for-port-1433/m-p/226483#M969 bvanbenschoten 2020-02-21T18:08:46Z https://community.cisco.com/t5/network-access-control/aaa-authentication-at-outside-interface-for-port-1433/m-p/226484#M985 <HTML><HEAD></HEAD><BODY><P>You might have to add a "aaa authorization". This will protect your 2.2.2.2 server from anyone who's trying to hit w/ port 1433. User will have to perform an authentication on port http first, then will be authorize to use tcp/1433 thru the PIX.</P><P></P><P>You may end up w/ a command like this (sorry I'm old and not using the match ACL command set)</P><P>aaa authorization include tcp/1433 outside 2.2.2.2 255.255.255.255 0.0.0.0 0.0.0.0 AuthServer</P><P></P><P>Also PIX will let user authenticate w/ tcp-port 21(ftp),23(telnet) and 80(http) only. Not sure w/ tcp/443(https).</P><P></P><P>Please refer to this link:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1056043" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1056043</A></P><P></P><P>You may also use "show uauth" command to diagnose common login session.</P><P></P><P>Mike</P></BODY></HTML> Fri, 14 Nov 2003 18:50:46 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-at-outside-interface-for-port-1433/m-p/226484#M985 mpalardy 2003-11-14T18:50:46Z