7-11
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
nat (inside,outside) static 10.132.16.200 service tcp 443 443
Authenticating Directly with the ASA
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authenticate
other types of traffic, you can authenticate with the ASA directly using HTTP, HTTPS, or Telnet.
This section includes the following topics:
• Authenticating HTTP(S) Connections with a Virtual Server, page 7-11
• Authenticating Telnet Connections with a Virtual Server, page 7-12
Authenticating HTTP(S) Connections with a Virtual Server
If you enabled the redirection method of HTTP and HTTPS authentication in the “Configuring Network
Access Authentication” section on page 7-7, then you have also automatically enabled direct
authentication.
When you use HTTP authentication on the ASA (see the “Configuring Network Access Authentication”
section on page 7-7), the ASA uses basic HTTP authentication by default.
To continue to use basic HTTP authentication, and to enable direct authentication for HTTP and HTTPS,
enter the following command:
If the destination HTTP server requires authentication in addition to the ASA, then to authenticate
separately with the ASA (via a AAA server) and with the HTTP server, enter the following command:
Command:
aaa authentication listener http[s] interface_name [port portnum] redirect

Example:
ciscoasa(config)# aaa authentication listener http inside redirect

Purpose:
(Optional) Enables the redirection method of authentication
for HTTP or HTTPS connections.
The interface_name argument is the interface on which you
want to enable listening ports. The port portnum argument
specifies the port number on which the ASA listens; the
defaults are 80 (HTTP) and 443 (HTTPS).
You can use any port number and retain the same functionality,
but be sure your direct authentication users know the port
number; redirected traffic is sent to the correct port number
automatically, but direct authenticators must specify the port
number manually.
Enter this command separately for HTTP and for HTTPS.
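
The following is an added example, not part of the Cisco guide: a small Python check that reads listener lines in the syntax shown above, applies the stated default ports, and flags the two points an administrator would review. The sample configuration, the function name audit_listeners and the finding texts are constructed for illustration.

```python
import re

# Syntax from the guide:
#   aaa authentication listener http[s] interface_name [port portnum] redirect
LISTENER = re.compile(
    r"^\s*aaa authentication listener (https?) (\S+)(?: port (\d+))?( redirect)?\s*$"
)
DEFAULT_PORT = {"http": 80, "https": 443}  # defaults stated in the guide


def audit_listeners(config_text):
    """Return one finding dict per 'aaa authentication listener' line."""
    findings = []
    for line in config_text.splitlines():
        m = LISTENER.match(line)
        if not m:
            continue
        proto, ifname, port, redirect = m.groups()
        port = int(port) if port else DEFAULT_PORT[proto]
        notes = []
        if proto == "http":
            # Basic HTTP authentication only base64-encodes the credentials,
            # so a plain HTTP listener does not protect them in transit.
            notes.append("credentials sent unencrypted; prefer the https listener")
        if port != DEFAULT_PORT[proto]:
            notes.append("non-default port; direct authenticators must enter it manually")
        if not redirect:
            notes.append("no redirect keyword; redirection method not enabled by this line")
        findings.append({"interface": ifname, "protocol": proto, "port": port,
                         "redirect": bool(redirect), "notes": notes})
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa authentication listener http inside redirect
aaa authentication listener https inside port 8443 redirect
aaa authentication listener https dmz redirect
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_CONFIG):
        print(f["interface"], f["protocol"], f["port"], "; ".join(f["notes"]) or "ok")
```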