Cisco ASA 5505 User Manual

38-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Examples

The following example shows how to enable virtual Telnet together with AAA authentication for other
services:

hostname(config)# virtual telnet 209.165.202.129

hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp

hostname(config)# access-list ACL-IN remark This is the SMTP server on the inside

hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq

telnet

hostname(config)# access-list ACL-IN remark This is the virtual Telnet address

hostname(config)# access-group ACL-IN in interface outside

hostname(config)# network object obj-209.165.202.129-01

hostname(config-network-object)# host 209.165.202.129

hostname(config-network-object)# nat (inside,outside) static 209.165.202.129

hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp

hostname(config)# access-list AUTH remark This is the SMTP server on the inside

hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet

hostname(config)# access-list AUTH remark This is the virtual Telnet address

hostname(config)# aaa authentication match AUTH outside tacacs+

Command

Purpose

virtual telnet

ip_address

Example:

hostname(config)# virtual telnet 209.165.202.129

Configures a virtual Telnet server.

The ip_address argument sets the IP address for the virtual
Telnet server. Make sure this address is an unused address that
is routed to the ASA.

You must configure authentication for Telnet access to the
virtual Telnet address as well as the other services that you
want to authenticate using the authentication match or aaa
authentication include command.

When an unauthenticated user connects to the virtual Telnet IP
address, the user is challenged for a username and password,
and then authenticated by the AAA server. Once authenticated,
the user sees the message “Authentication Successful.” Then,
the user can successfully access other services that require
authentication.

For inbound users (from lower security to higher security),
you must also include the virtual Telnet address as a
destination interface in the access list applied to the source
interface. In addition, you must add a static NAT command for
the virtual Telnet IP address, even if NAT is not required. An
identity NAT command is typically used (where you translate
the address to itself).

For outbound users, there is an explicit permit for traffic, but
if you apply an access list to an inside interface, be sure to
allow access to the virtual Telnet address. A static statement is
not required.

To log out from the ASA, reconnect to the virtual Telnet IP
address; you are then prompted to log out.