Cut-Through and Direct ASA HTTP Authentication

Ahmad Khalifa
Level 1

Hi,

I am trying to test the ASA authentication in my lab before implementing it in the real production system, and it's not working.

My lab has an HTTP server (IIS) in the inside network and an outside network. The IIS server is static NATed to the outside, an ACL allows HTTP to the server from the outside network, and an AAA rule is applied to authenticate the connection, but there is no request for authentication when attempting to access the web server.

Any idea?

Here is the output of the configuration:

: Saved
:
ASA Version 8.4(2) 
!
hostname IISFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1
 nameif IIS
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0 
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone AST 3
object network IIS
 host 10.1.1.5
object network IIS_icmp
 host 10.1.1.5
object network IIS_REMOTE
 host 10.1.1.5
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object tcp destination eq www 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object IIS 
access-list IIS extended permit tcp any any 
pager lines 24
logging enable
logging asdm informational
mtu IIS 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
!
object network IIS
 nat (IIS,outside) static 192.168.100.5
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ASA protocol radius
aaa-server ASA (IIS) host 10.1.1.5
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication match IIS IIS ASA
aaa authentication listener http IIS port www redirect
http server enable
http 0.0.0.0 0.0.0.0 IIS
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username http password 6OvUPoxhQgt3X6on encrypted
username http attributes
 service-type remote-access
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect http 
  inspect icmp 
!
service-policy global-policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:96123be00fc2e4d399ddc0b063bde939
: end
Accepted Solution

Rishabh Seth
Level 7

Hi,

Try applying aaa authentication on the ingress interface for the traffic.

From your configuration I think the ingress interface would be the outside interface.

Try changing the aaa config to:

aaa authentication match IIS outside ASA

Do share your findings.

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!


2 Replies


Hi,

Thanks a lot. While I was waiting for a reply I realized the issue was with the ingress interface, but thanks very much. Another thing: there is no timeout for this authentication. I mean, once you enter the credentials for the access process, it's not asking you each time you visit the site, without saving the login information in the browser that users use.

Any idea for this?

BR
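As an added example (not from the thread, Cisco, or the ASA itself), a small Python lint over the relevant lines of the posted config that catches the two things discussed here: the aaa authentication match rule sitting on the server-side interface instead of the ingress interface, as the accepted answer points out, and the uauth cache lifetime behind the follow-up question about users not being re-prompted. The ASA behaviour assumed is that clients of a nat (real,mapped) static rule enter on the mapped interface, that the HTTP listener must be on that same interface for redirect to work, and that timeout uauth 0:00:00 disables the authentication cache.

```python
import re

# Constructed excerpt of the ASA 8.4(2) config posted above (only the lines the checks need).
ASA_CONFIG = """\
interface GigabitEthernet1
 nameif IIS
interface GigabitEthernet2
 nameif outside
object network IIS
 nat (IIS,outside) static 192.168.100.5
access-list IIS extended permit tcp any any
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication match IIS IIS ASA
aaa authentication listener http IIS port www redirect
"""


def lint_cut_through(config):
    """Return findings on where cut-through proxy auth is applied and how long it is cached."""
    findings = []
    nameifs = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    # Assumed: for 'nat (real_ifc,mapped_ifc) static' clients using the mapped address enter on mapped_ifc.
    nats = re.findall(r"^\s*nat \((\S+),(\S+)\) static", config, re.M)
    listeners = set(re.findall(r"^aaa authentication listener http (\S+)", config, re.M))
    acls = {}
    for name, body in re.findall(r"^access-list (\S+) extended (.+)$", config, re.M):
        acls.setdefault(name, []).append(body.strip())
    rules = re.findall(r"^aaa authentication match (\S+) (\S+) (\S+)", config, re.M)
    for acl, ifc, group in rules:
        if ifc not in nameifs:
            findings.append(f"{acl}: interface {ifc} has no nameif")
        for real_ifc, mapped_ifc in nats:
            if ifc == real_ifc:  # rule sits on the server side and never sees the clients
                findings.append(f"{acl}: rule is on {real_ifc} but clients of the static NAT enter on "
                                f"{mapped_ifc}; use 'aaa authentication match {acl} {mapped_ifc} {group}'")
                if mapped_ifc not in listeners:  # assumed: redirect needs a listener on the ingress interface
                    findings.append(f"no 'aaa authentication listener http {mapped_ifc}', so HTTP redirect "
                                    "cannot challenge users there")
        if any(b.endswith("tcp any any") for b in acls.get(acl, [])):
            findings.append(f"{acl}: 'permit tcp any any' challenges every TCP flow, not just HTTP to the server")
    m = re.search(r"^timeout .*?\buauth (\S+)(?: (absolute|inactivity))?", config, re.M)
    if m:  # assumed: 'timeout uauth 0:00:00' disables the cache and prompts on every new connection
        findings.append(f"uauth cache {' '.join(filter(None, m.groups()))}: users are not re-prompted inside "
                        "this window; 'timeout uauth 0:00:00' disables the cache")
    return findings


if __name__ == "__main__":
    for finding in lint_cut_through(ASA_CONFIG):
        print("-", finding)
```

On the posted config this reports the misplaced rule, the missing outside listener, the over-broad ACL and the 5 minute absolute uauth cache; after moving the match and listener to outside only the last two remain.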
