
Is it possible to apply NAT to authenticated users?

qinxiaoyu
Level 1

I am seeking a method to bridge authentication (maybe AAA on IOS devices) and NAT. I can choose any PIX/ASA, IOS firewall, or router with such functions, but I think they are the same or similar on this problem.

The purpose is to assign one private IP to each specific user.

One method not considered is VPDN, because cypher is unnecessary. However, the result should be just like that without encryption and tunnelling.

Are there any existing mechanisms for Cisco devices that can achieve this purpose?

Thanks a lot!

3 Replies

Jennifer Halim
Cisco Employee

Is cut-through proxy what you are after? Authenticating users before they get access to the network?

Here are some sample configurations for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Thanks for your answer, but I'm afraid that cut-through proxy is also not suitable.

For Cut-Through Proxy, I have a question. As there are just limited protocols configured in the example, I guess that not all protocols are supported by cut-through proxy. However, what is required is to apply the mechanism on any access, because the protected network and systems are for testing and research.

Also, because I saw that the protocols can be configured for cut-through proxy, I think it does too much at layers higher than the IP layer. What we need in the upper layers is just authentication, and the most important thing is just to assign a new IP to the authenticated user.

Do you have any other suggestions? Thanks!

Unfortunately, there aren't any other features that would fit what you are after. The cut-through proxy feature is the only authentication method on ASA and routers. And yes, you are right, with cut-through proxy, there are limited ways to perform the authentication (only via FTP, HTTP and Telnet).

Typically, authentication of users is done via Active Directory, and a DHCP server will assign the IP address. However, I am not aware of a device that can apply NAT after a user is authenticated, as NAT itself is just layer 3/4, and the NAT feature wouldn't know if the user is authenticated or not.
