05-04-2003 03:58 PM - edited 02-20-2020 10:43 PM
I have a PIX firewall in which I wish to authenticate outbound connections for selected users of SSH & FTP against an internal AAA server, using TACACS.
Is this functionality supported?
I have created an access list to match the traffic, SSH-Tracker.
I have related the access list to the authentication: aaa authentication match SSH-Tracker inside tacserv.
I have global NATs in place.
I suspect I am missing something, or the functionality is not there yet?
Any help appreciated.
05-04-2003 09:04 PM
You can define what traffic should be authenticated through the PIX with the command you've shown, but users can only still authenticate using Telnet, FTP or HTTP traffic. There's nothing in the SSH protocol for example, that can have the PIX intercept it and display a username/password request to the user.
Have a read through http://www.cisco.com/warp/public/110/atp52.html and see how you get on. Pay particular attention to the debug/syslog messages, they'll help you out a lot.
05-05-2003 06:44 AM
Hi Doug,
FTP can be authenticated, but SSH cannot. But you can do it another way. Authenticate the traffic via FTP, HTTP or Telnet (HTTPS in V6.3 is supported too) and authorize SSH against your TACACS server. Authorization only takes place when the user is authenticated first. So you can say who is allowed to FTP or SSH or whatever you want.
Hope this helps a bit
Norbert
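The authenticate-then-authorize arrangement Norbert describes, written out as an added PIX 6.x-style configuration example (not taken from the thread or from Cisco documentation); the inside network 10.1.1.0/24, the TACACS+ server 10.1.1.5, its key and the ACL names are assumptions, and the exact keywords should be checked against the command reference for the PIX release in use.

```cisco
! Added example, not from the original thread. Addresses, key and names are assumptions.
! TACACS+ server group used for both authentication and authorization.
aaa-server tacserv protocol tacacs+
aaa-server tacserv (inside) host 10.1.1.5 ExampleKey timeout 10

! Step 1: force an interactive login only on protocols the PIX can intercept
! (FTP, HTTP, Telnet). This is where the user proves who they are.
access-list AUTH-Tracker permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH-Tracker permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH-Tracker permit tcp 10.1.1.0 255.255.255.0 any eq telnet
aaa authentication match AUTH-Tracker inside tacserv

! Step 2: SSH cannot carry a PIX login prompt, so it is authorized instead.
! The PIX asks the TACACS+ server whether the already-authenticated user
! may open tcp/22; an unauthenticated host gets no SSH session at all.
access-list SSH-Tracker permit tcp 10.1.1.0 255.255.255.0 any eq ssh
aaa authorization match SSH-Tracker inside tacserv

! Authentication is cached per source IP; keep the cache long enough that an
! SSH session started shortly after the FTP/HTTP login is still covered.
timeout uauth 0:05:00 absolute
```

The per-user decision for SSH lives in the TACACS+ server's user profiles, so the PIX only enforces what the server returns; the debug and syslog messages mentioned earlier in the thread show both the authentication prompt and the authorization verdict.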