Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1512
Views
0
Helpful
2
Replies

aaa authentication for inbound in PIX 6.1.1

cjrchoi11
Level 1
Level 1

‎10-22-2002 10:23 AM - edited ‎02-21-2020 10:04 AM

I want to configure authentication in the PIX(6.1.1) but cannot get a prompt for authentication. please give me an advise what's wrong for the following scenario.

Server-(1.1.1.0)-PIX-(2.2.2.0)-VPN3030--Internet--PIX515-(3.3.3.0)-Client

1. IP for server1=1.1.1.1, ACS server=1.1.1.2

2. PIX configuration.

static (inside,dmz) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 0 0

conduit permit tcp host 2.2.2.2 eq telnet 3.3.3.0 255.255.255.0

!

aaa-server test protocol radius

aaa-server test (inside) host 1.1.1.2 PASSWORD timeout 10

aaa authentication include telnet outside 2.2.2.2 255.255.255.255 3.3.3.0 255.255.255.0 test

!

3. PIX515 connected to VPN3030's base group using IPSec tunnel

!

4. try telnet to 2.2.2.2 from client(3.3.3.3), then direct show up the telnet screen without any authentication prompt.

!

** PIX log**

302001: Built inbound TCP connection 2704306 for faddr 3.3.3.3/2511 gaddr 2.2.2.2/23 laddr 1.1.1.1/23

Thanks,

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎10-23-2002 04:06 PM

You have the following:

static (inside,dmz) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 0 0

aaa authentication include telnet outside 2.2.2.2 255.255.255.255 3.3.3.0 255.255.255.0 test

Your static says that connections for 2.2.2.2 will be coming in on the dmz interface, yet your authentication line is saying that it's coming in on the outside interface. Which is it?

If it's the DMZ, then you need to change the above lines to read:

static (inside,dmz) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 0 0

aaa authentication include telnet dmz 2.2.2.2 255.255.255.255 3.3.3.0 255.255.255.0 test

If it's the outside, then you need to change the above lines to read:

static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 0 0

aaa authentication include telnet outside 2.2.2.2 255.255.255.255 3.3.3.0 255.255.255.0 test

HTH.

0 Helpful

cjrchoi11
Level 1
Level 1
In response to gfullage

‎10-28-2002 11:00 AM

Thanks, it works.

another issue that I'll assign one userID to the remote site and let them share the UserID and only allow 3 http sessions concurrently(three stations will use same UserID).

I tried "Max session=3" on the ACS(2.6) but never can authenticated from ACS with message "User exceeded max sessions" even only one user trying access. only "unlimited" can made authentication successfully.

Is the "ACS for Unix with DSM" solution ? please guide me how to implement.

Thanks,

0 Helpful
Customers Also Viewed These Support Documents