Static pat and http, Configuring network access authentication – Cisco ASA 5505 User Manual


38-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Static PAT and HTTP

For HTTP authentication, the ASA checks real ports when static PAT is configured. If it detects traffic
destined for real port 80, regardless of the mapped port, the ASA intercepts the HTTP connection and
enforces authentication.

For example, assume that outside TCP port 889 is translated to real port 80, and that any relevant access lists permit the traffic:

    object network obj-192.168.123.10-01
     host 192.168.123.10
     nat (inside,outside) static 10.48.66.155 service tcp 80 889

Then, when users try to access 10.48.66.155 on port 889, the ASA untranslates the destination to real port 80, intercepts the traffic, and enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the ASA allows the HTTP connection to complete.

If the real (local) port is different from port 80, as in the following example, where mapped port 889 is translated to real port 111:

    object network obj-192.168.123.10-02
     host 192.168.123.10
     nat (inside,outside) static 10.48.66.155 service tcp 111 889

Then users do not see the authentication page. Instead, the ASA sends an error message to the web browser indicating that the user must be authenticated before using the requested service.

Configuring Network Access Authentication

To configure network access authentication, perform the following steps:

Step 1

Command: aaa-server

Example:

    hostname(config)# aaa-server AuthOutbound protocol tacacs+

Purpose: Identifies your AAA servers. If you have already identified them, continue to the next step. For more information about identifying AAA servers, see the "Configuring AAA Server Groups" section on page 35-11.

Step 2

Command: access-list

Example:

    hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp

Purpose: Creates an access list that identifies the source addresses and destination addresses of the traffic you want to authenticate. For details, see Chapter 15, "Adding an Extended Access List."

The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure the access list includes the destination port of at least one of HTTP, HTTPS, Telnet, or FTP, because the user must authenticate with one of these services before other services (such as SMTP in the example above) are allowed through the ASA.
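The following Python script is an added example and is not code from the Cisco guide. It parses the two kinds of configuration lines shown on this page (network objects carrying a static PAT, and extended ACEs used as an authentication match list) and reproduces the behaviour described under "Static PAT and HTTP" together with the step-2 caveat above: the destination is untranslated to its real port, a real port of TCP 80 is intercepted with the HTTP authentication page, other marked traffic is rejected until the user has authenticated, and a helper reports which of HTTP/HTTPS/Telnet/FTP a given authentication ACL actually lets a user authenticate on. The sample configurations, the ACL name AUTH_IN and the client addresses are constructed for the example, and it assumes, as a simplification, that the authentication ACL is evaluated against the untranslated (real) addresses and ports.

```python
"""Added example (not from the Cisco guide): simulate the ASA cut-through proxy
decision for traffic that hits a static PAT, plus a step-2 sanity check on the
authentication ACL."""
import re
from dataclasses import dataclass
from typing import Optional

# Services a user can authenticate *with* (the cut-through proxy prompts on these).
AUTH_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}
PORT_NAMES = {"ftp": 21, "telnet": 23, "http": 80, "www": 80, "https": 443, "smtp": 25}

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# nat (real_ifc,mapped_ifc) static MAPPED_IP service {tcp|udp} REAL_PORT MAPPED_PORT
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")
# access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]   (any / host X only)
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")


@dataclass(frozen=True)
class StaticPat:
    name: str
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text: str):
    """Parse object-NAT blocks and extended ACEs; reject anything else loudly."""
    pats, aces, obj = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = OBJECT_RE.match(line)
        if m:
            obj = [m.group(1), None]
            continue
        m = HOST_RE.match(line)
        if m and obj:
            obj[1] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj and obj[1]:
            pats.append(StaticPat(obj[0], obj[1], m.group(3), m.group(4),
                                  port_number(m.group(5)), port_number(m.group(6))))
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5),
                            port_number(m.group(6)) if m.group(6) else None))
            continue
        raise ValueError(f"unsupported line: {line}")
    return pats, aces


def untranslate(pats, mapped_ip, proto, mapped_port):
    """Map the destination the client used back to the real host and real port."""
    for p in pats:
        if (p.mapped_ip, p.proto, p.mapped_port) == (mapped_ip, proto, mapped_port):
            return p.real_ip, p.real_port
    return mapped_ip, mapped_port  # no static PAT hit: destination is already real


def ace_matches(ace, proto, src_ip, dst_ip, dport):
    def addr_ok(spec, ip):
        return spec == "any" or spec == f"host {ip}"
    return (ace.proto in (proto, "ip") and addr_ok(ace.src, src_ip)
            and addr_ok(ace.dst, dst_ip) and (ace.dport is None or ace.dport == dport))


def marked_for_auth(aces, acl, proto, src_ip, dst_ip, dport):
    """First matching ACE wins: a permit marks the traffic, a deny excludes it."""
    for ace in aces:
        if ace.acl == acl and ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action == "permit"
    return False


def classify(config, acl, src_ip, dst_ip, proto, dst_port, authenticated=False):
    pats, aces = parse_config(config)
    real_ip, real_port = untranslate(pats, dst_ip, proto, dst_port)
    # Assumption: the authentication ACL is evaluated on the untranslated tuple.
    if not marked_for_auth(aces, acl, proto, src_ip, real_ip, real_port):
        return "not-subject-to-authentication"
    if authenticated:
        return "pass"
    if proto == "tcp" and real_port == 80:
        return "intercept:http-auth-page"     # the page's port 80 -> 889 example
    if proto == "tcp" and real_port in AUTH_SERVICES:
        return f"prompt:{AUTH_SERVICES[real_port]}"
    return "reject:must-authenticate-first"   # the page's port 111 -> 889 example


def auth_services_covered(config, acl):
    """Step-2 check: which of HTTP/HTTPS/Telnet/FTP can a user authenticate on?"""
    _, aces = parse_config(config)
    covered = set()
    for ace in aces:
        if ace.acl != acl or ace.action != "permit" or ace.proto not in ("tcp", "ip"):
            continue
        if ace.dport is None:
            covered.update(AUTH_SERVICES.values())
        elif ace.dport in AUTH_SERVICES:
            covered.add(AUTH_SERVICES[ace.dport])
    return covered


# Constructed sample configs: the page's two NAT objects plus an assumed AUTH_IN ACL,
# and the page's MAIL_AUTH ACL on its own.
CONFIG_REAL80 = """
object network obj-192.168.123.10-01
 host 192.168.123.10
 nat (inside,outside) static 10.48.66.155 service tcp 80 889
access-list AUTH_IN extended permit tcp any host 192.168.123.10
"""
CONFIG_REAL111 = CONFIG_REAL80.replace("-01", "-02").replace("tcp 80 889", "tcp 111 889")
CONFIG_MAIL = "access-list MAIL_AUTH extended permit tcp any any eq smtp\n"

if __name__ == "__main__":
    print(classify(CONFIG_REAL80, "AUTH_IN", "203.0.113.7", "10.48.66.155", "tcp", 889))
    print(classify(CONFIG_REAL111, "AUTH_IN", "203.0.113.7", "10.48.66.155", "tcp", 889))
    print(sorted(auth_services_covered(CONFIG_MAIL, "MAIL_AUTH")))  # empty: nothing to log in with
```

The last line is the practical check: an authentication ACL that only permits SMTP, as in the step-2 example, gives users no HTTP, HTTPS, Telnet or FTP port on which to authenticate, so every marked connection is rejected until a permit ACE for one of those services is added.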
