10-25-2007 09:11 PM - edited 03-10-2019 03:28 PM
Hello Cisco people! I need your help.
Below is the running configuration of my PIX515e.
Here is the network topology:
http://img145.imageshack.us/img145/5598/pix515eap6.jpg
The problem I am trying to solve is that I want my inside users (network 192.168.1.0/24)
to be authenticated on every web connection they make. With the current configuration the PIX firewall
prompts for a login on every web connection, but when I reboot the PIX, the PIX is no longer able to challenge
the user for a username and password.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PIX Version 7.0(5)
!
hostname pix515e
enable password xxx
names
dns-guard
!
interface Ethernet0
description Outside Link
duplex full
nameif outside
security-level 0
ip address 203.177.X.X 255.255.255.248
!
interface Ethernet1
description Inside Link
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 203.177.X.X
dns name-server 203.127.X.X
access-list OUTSIDE_IN extended permit tcp any any eq 80
access-list OUTSIDE_IN extended permit tcp any any eq 53
access-list OUTSIDE_IN extended permit udp any any eq 53
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_OUT extended permit tcp any any eq 80
access-list OUTSIDE_OUT extended permit tcp any any eq 53
access-list OUTSIDE_OUT extended permit udp any any eq 53
access-list OUTSIDE_OUT extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT out interface outside
route outside 0.0.0.0 0.0.0.0 203.177.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ryan password sugGTcAdkAhppJ5g encrypted
aaa authentication match OUTSIDE_IN inside LOCAL
aaa local authentication attempts max-fail 5
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
10-26-2007 10:03 PM
Issue solved. :) Thank you :)
12-10-2007 04:04 PM
Hi, I'm wondering if you could elaborate on how you resolved your authentication issue. We are presently working on a setup similar to your description.
Cheers.
12-11-2007 07:07 PM
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
Step 1:
Using the access-list command, create an ACL that identifies the source addresses and destination addresses of traffic you want to authenticate.
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP, Telnet, or FTP in the ACL because the user must authenticate with one of these services before other services are allowed through the security appliance.
Step 2:
To configure authentication, enter the following command:
hostname/contexta(config)# aaa authentication match acl_name interface_name server_group_or_LOCAL
where acl_name is the name of the ACL you created in Step 1, and interface_name is the name of the interface as specified with the nameif command.
- - - - - - - - - - - - - - - - - - - - - - -
(Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the security appliance allows any given user account, use the aaa local authentication attempts max-fail command.
For example:
hostname/contexta(config)# aaa local authentication attempts max-fail 7
- - - - - - - - - - - - - - - - - - - - - - -
Step 3:
Create users.
hostname/contexta(config)# username insideuser password INSIDEUSER
Step 4:
Finish. You can now test your configuration.
Traffic traversing the security appliance will need authentication.
EXAMPLE Config:
hostname/contexta(config)# username user1 password password1
hostname/contexta(config)# access-list INSIDE_AUTH extended permit tcp any any eq telnet
hostname/contexta(config)# access-list INSIDE_AUTH extended permit tcp any any eq www
hostname/contexta(config)# aaa authentication match INSIDE_AUTH inside LOCAL
hostname/contexta(config)# aaa local authentication attempts max-fail 3
RATE THIS POST IF THIS IS USEFUL TO YOU.
THANK YOU!
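The thread does not say what the fix turned out to be. As an added example (not from either poster), here is a small Python check a practitioner can run over a saved PIX config before trusting it to survive a reboot: it verifies that every ACL named by access-group or aaa authentication match is actually defined, and that the authentication ACL permits at least one of HTTP, Telnet or FTP, as Step 1 above requires. The embedded sample is a constructed excerpt modelled on the config posted earlier in the thread; the set of accepted port keywords is an assumption of this script.

```python
import re

# Constructed excerpt modelled on the config in the thread (not the full posted config).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any any eq 80
access-list OUTSIDE_IN extended permit udp any any eq 53
access-list OUTSIDE_OUT extended permit tcp any any eq 80
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT out interface outside
aaa authentication match OUTSIDE_IN inside LOCAL
"""

# Services a user can authenticate with (Step 1 of the answer); keyword list is an assumption.
AUTH_PORTS = {"80", "www", "http", "23", "telnet", "21", "ftp"}

def parse_config(text):
    """Return (acls, refs): ACE token lists per ACL name, and every (command, acl_name) reference."""
    acls, refs = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list" and len(parts) > 1:
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group" and len(parts) > 1:
            refs.append(("access-group", parts[1]))
        elif parts[:3] == ["aaa", "authentication", "match"] and len(parts) > 3:
            refs.append(("aaa authentication match", parts[3]))
    return acls, refs

def check_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    acls, refs = parse_config(text)
    findings = []
    for cmd, name in refs:
        if name not in acls:
            findings.append(f"{cmd} references undefined ACL {name}")
        elif cmd == "aaa authentication match":
            # Collect every port following an 'eq' in permit ACEs; without HTTP/Telnet/FTP
            # there is no service over which the user can be challenged for a login.
            ports = set()
            for ace in acls[name]:
                if "permit" in ace:
                    ports.update(t for i, t in enumerate(ace) if i and ace[i - 1] == "eq")
            if not ports & AUTH_PORTS:
                findings.append(f"auth ACL {name} permits none of HTTP/Telnet/FTP")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the sample, it reports the access-group line that names an ACL the config never defines, while the authentication ACL passes because it permits port 80.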