10-03-2015 12:18 AM - edited 03-11-2019 11:41 PM
Hi,
I am trying to test ASA authentication in my lab before implementing it in the real production system, and it's not working.
My lab has an HTTP server (IIS) set up in the inside network and an outside network. The IIS server is static NATed to the outside, an ACL allows HTTP to the server from the outside network, and an AAA rule is applied to authenticate the connection, but there is no request for authentication when attempting to access the web server.
Any idea?
Here is the output of the configuration:
: Saved
:
ASA Version 8.4(2)
!
hostname IISFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1
 nameif IIS
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone AST 3
object network IIS
 host 10.1.1.5
object network IIS_icmp
 host 10.1.1.5
object network IIS_REMOTE
 host 10.1.1.5
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp destination eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object IIS
access-list IIS extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu IIS 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
!
object network IIS
 nat (IIS,outside) static 192.168.100.5
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ASA protocol radius
aaa-server ASA (IIS) host 10.1.1.5
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication match IIS IIS ASA
aaa authentication listener http IIS port www redirect
http server enable
http 0.0.0.0 0.0.0.0 IIS
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username http password 6OvUPoxhQgt3X6on encrypted
username http attributes
 service-type remote-access
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect http
  inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:96123be00fc2e4d399ddc0b063bde939
: end
asdm image disk0:/asdm-714.bin
no asdm history enable
10-05-2015 03:25 AM
Hi,
Try applying AAA authentication on the ingress interface for the traffic.
From your configuration, I think the ingress interface would be the outside interface.
Try changing the AAA config to:
aaa authentication match IIS outside ASA
Do share your findings.
Thanks,
R.Seth
Don't forget to mark the answer as correct if it helps in resolving your query!!!
10-06-2015 01:22 AM
Hi,
Thanks a lot. While I was waiting for a reply I realized the issue was with the ingress interface, but thanks very much. Another thing: there is no timeout for this authentication. I mean, once you enter the credentials for the access process, it doesn't ask you again each time you visit the site, without the login information being saved in the browser that users use.
Any idea for this?
BR
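As an added example (not code from this thread or from Cisco), the following Python script applies the point of the accepted answer mechanically: it parses the lines of the posted configuration that matter for cut-through proxy authentication (reproduced as a constructed sample, credentials omitted) and flags an `aaa authentication match` rule, or an `aaa authentication listener ... redirect`, that is bound to an interface other than the one the users to be authenticated enter through. The client-side interface (`outside` in this thread) is an operator-supplied assumption, as are the function names `parse_aaa` and `lint_cut_through`. The script also reads the `timeout uauth` value, since that is the ASA setting that bounds how long a cut-through proxy authentication stays cached (the posted config has `uauth 0:05:00 absolute`).

```python
import re

# Constructed sample: the lines from the thread's posted config that matter for
# cut-through proxy authentication (credentials and unrelated lines omitted).
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 nameif IIS
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object IIS
access-list IIS extended permit tcp any any
access-group outside_access_in in interface outside
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ASA protocol radius
aaa authentication match IIS IIS ASA
aaa authentication listener http IIS port www redirect
"""

RE_NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
RE_MATCH = re.compile(r"^aaa authentication match\s+(\S+)\s+(\S+)\s+(\S+)")
RE_LISTENER = re.compile(r"^aaa authentication listener\s+(https?)\s+(\S+)(.*)$")
# Running configs print uauth on a shared "timeout ..." line, so look past the prefix.
RE_UAUTH = re.compile(r"^timeout\b.*?\buauth\s+(\d+:\d+:\d+)(?:\s+(absolute|inactivity))?")


def parse_aaa(config):
    """Collect interface names, match rules, listeners and the uauth timeout from config text."""
    facts = {"interfaces": [], "match": [], "listeners": [], "uauth": None}
    for line in config.splitlines():
        if m := RE_NAMEIF.match(line):
            facts["interfaces"].append(m.group(1))
        elif m := RE_MATCH.match(line):
            acl, iface, server = m.groups()
            facts["match"].append({"acl": acl, "interface": iface, "server": server})
        elif m := RE_LISTENER.match(line):
            proto, iface, rest = m.groups()
            facts["listeners"].append(
                {"proto": proto, "interface": iface, "redirect": "redirect" in rest.split()}
            )
        elif m := RE_UAUTH.match(line):
            facts["uauth"] = {"timeout": m.group(1), "mode": m.group(2)}
    return facts


def lint_cut_through(facts, client_side):
    """Return findings for AAA rules that cannot trigger for users entering on client_side.

    client_side is an operator-supplied assumption (hypothetical parameter): the nameif
    of the interface the users to be authenticated connect through ("outside" here).
    """
    if client_side not in facts["interfaces"]:
        return [f"no interface with nameif '{client_side}' in this config"]
    findings = []
    for rule in facts["match"]:
        if rule["interface"] != client_side:
            findings.append(
                f"match rule for ACL {rule['acl']} is on '{rule['interface']}' but user traffic "
                f"enters on '{client_side}'; suggested: "
                f"aaa authentication match {rule['acl']} {client_side} {rule['server']}"
            )
    redirect_on = {l["interface"] for l in facts["listeners"] if l["redirect"]}
    if redirect_on and client_side not in redirect_on:
        findings.append(
            f"redirect listener is enabled on {sorted(redirect_on)} only; users on "
            f"'{client_side}' will not be redirected to the login page"
        )
    return findings


if __name__ == "__main__":
    facts = parse_aaa(SAMPLE_CONFIG)
    for finding in lint_cut_through(facts, "outside"):
        print("FINDING:", finding)
    if facts["uauth"]:
        print("uauth timeout:", facts["uauth"]["timeout"], facts["uauth"]["mode"] or "")
```

Run against the sample it reports the match rule bound to `IIS` (with the same corrected line the answer gives) and the redirect listener sitting on the wrong side; point it at a saved `show running-config` and pass the nameif your users actually arrive on.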