11-10-2005 09:13 AM
using pix version 7.0(1)
For one of our clients to be remotely connected through the PIX unit,
is there any way to force the user to go through PIX authentication before the connection is allowed?
Something like:
telnet to one port on the PIX,
authenticate with username + password,
and then the connection is allowed per the firewall policy.
Thanks in advance.
shahar.
11-10-2005 03:19 PM
the feature you are after is called virtual telnet.
e.g.
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.101 netmask 255.255.255.255 0 0
access-list 111 permit tcp any host 1.1.1.1 eq telnet
access-list 111 permit tcp any host 1.1.1.2 eq 3389
aaa authentication include telnet inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include tcp/3389 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
virtual telnet 1.1.1.1
username cisco password cisco123
with the sample above, the remote user was attempting to establish a terminal session to the server behind the pix with private ip 192.168.1.101. first, the remote user will issue "telnet 1.1.1.1" from the pc. the pix will then prompt for the username and password, which are cisco and cisco123. after authenticating, the remote user can close the command prompt and kick off the terminal session destined for 1.1.1.2, i.e. the public ip of the server 192.168.1.101. further, 192.168.1.100 is an invisible host that shouldn't be used by any real host; it should be reserved for the virtual telnet.
another thing is with v7, you can actually configure webvpn, which is clientless as well. in fact, this is much more secure than virtual telnet. for more details on webvpn:
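As an added illustration (not part of the original thread and not Cisco code), the Python model below replays the cut-through proxy logic the reply describes: an inbound ACL permits telnet to the virtual address and RDP to the translated server, both ports require authentication, and a successful login on the virtual telnet address marks the client's source IP as authenticated so later connections from that IP are let through. The uauth table keyed on source IP and the 5-minute absolute timeout are assumptions modelled on the PIX `timeout uauth` default; the client addresses are constructed.

```python
# Constructed model of PIX cut-through proxy ("virtual telnet") decisions.
# ACL entries, auth-required ports and the local user mirror the forum reply;
# the uauth cache keyed on source IP and the 300 s absolute timeout are
# assumptions modelled on the PIX 'timeout uauth 0:05:00 absolute' default.
from dataclasses import dataclass

VIRTUAL_TELNET_IP = "1.1.1.1"          # virtual telnet 1.1.1.1
UAUTH_TIMEOUT_SECONDS = 300            # assumption: timeout uauth 0:05:00 absolute

# access-list 111 permit tcp any host 1.1.1.1 eq telnet
# access-list 111 permit tcp any host 1.1.1.2 eq 3389
ACL = (("tcp", "1.1.1.1", 23), ("tcp", "1.1.1.2", 3389))

# aaa authentication include telnet / tcp/3389 inbound ... LOCAL
AUTH_REQUIRED_PORTS = {23, 3389}

# username cisco password cisco123 (sample credentials from the reply)
LOCAL_USERS = {"cisco": "cisco123"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str     # source IP as the PIX sees it (post-NAT if the client is NATed)
    dst: str     # public (static-translated) destination address
    dport: int


def acl_permits(flow: Flow) -> bool:
    """True if the inbound access-list has a permit entry for this flow."""
    return any(p == flow.proto and d == flow.dst and port == flow.dport
               for p, d, port in ACL)


class PixCutThroughProxy:
    """Tracks the uauth table: source IP -> (username, absolute expiry)."""

    def __init__(self):
        self.uauth = {}

    def virtual_telnet_login(self, src: str, user: str, password: str, now: float) -> bool:
        """Client telnets to the virtual IP and presents credentials.
        On success the whole *source IP* is marked authenticated until expiry."""
        if LOCAL_USERS.get(user) != password:
            return False
        self.uauth[src] = (user, now + UAUTH_TIMEOUT_SECONDS)
        return True

    def is_authenticated(self, src: str, now: float) -> bool:
        entry = self.uauth.get(src)
        if entry is None:
            return False
        _, expires = entry
        if now >= expires:
            del self.uauth[src]        # absolute timeout: entry is purged
            return False
        return True

    def decide(self, flow: Flow, now: float) -> str:
        """Return 'deny-acl', 'virtual-telnet-prompt', 'auth-required' or 'permit'."""
        if not acl_permits(flow):
            return "deny-acl"
        if flow.dst == VIRTUAL_TELNET_IP and flow.dport == 23:
            return "virtual-telnet-prompt"   # the PIX itself answers and asks for creds
        if flow.dport in AUTH_REQUIRED_PORTS and not self.is_authenticated(flow.src, now):
            return "auth-required"
        return "permit"


def walkthrough():
    """Replay the sequence from the reply; returns the PIX decision at each step."""
    pix = PixCutThroughProxy()
    client = "203.0.113.10"                               # constructed client IP
    rdp = Flow("tcp", client, "1.1.1.2", 3389)
    results = [pix.decide(rdp, now=0)]                    # before any login
    pix.virtual_telnet_login(client, "cisco", "wrong", now=1)
    results.append(pix.decide(rdp, now=2))                # failed login: still gated
    pix.virtual_telnet_login(client, "cisco", "cisco123", now=3)
    results.append(pix.decide(rdp, now=4))                # permitted after login
    results.append(pix.decide(rdp, now=3 + UAUTH_TIMEOUT_SECONDS))  # uauth expired
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The model makes one property of the design visible: the uauth entry is keyed on the source address the PIX sees, so any other machine sharing that public address (for example behind the client's NAT gateway) is permitted through for the lifetime of the entry without ever logging in. That is why the reply recommends WebVPN, which authenticates a session rather than an address.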
11-13-2005 03:55 AM
Exactly what I was looking for, excellent.
Thank you