7-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Examples
The following example shows how to enable virtual Telnet together with AAA authentication for other
services:
ciscoasa(config)# virtual telnet 209.165.202.129
ciscoasa(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp
ciscoasa(config)# access-list ACL-IN remark This is the SMTP server on the inside
ciscoasa(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq
telnet
ciscoasa(config)# access-list ACL-IN remark This is the virtual Telnet address
ciscoasa(config)# access-group ACL-IN in interface outside
ciscoasa(config)# network object obj-209.165.202.129-01
ciscoasa(config-network-object)# host 209.165.202.129
ciscoasa(config-network-object)# nat (inside,outside) static 209.165.202.129
ciscoasa(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp
ciscoasa(config)# access-list AUTH remark This is the SMTP server on the inside
ciscoasa(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet
ciscoasa(config)# access-list AUTH remark This is the virtual Telnet address
ciscoasa(config)# aaa authentication match AUTH outside tacacs+
Command Purpose
virtual telnet ip_address
Example:
ciscoasa(config)# virtual telnet 209.165.202.129
Configures a virtual Telnet server.
The ip_address argument sets the IP address for the virtual
Telnet server. Make sure this address is an unused address that
is routed to the ASA.
You must configure authentication for Telnet access to the
virtual Telnet address as well as the other services that you
want to authenticate using the authentication match or aaa
authentication include command.
When an unauthenticated user connects to the virtual Telnet IP
address, the user is challenged for a username and password,
and then authenticated by the AAA server. Once
authenticated, the user sees the message “Authentication
Successful.” Then, the user can successfully access other
services that require authentication.
For inbound users (from lower security to higher security),
you must also include the virtual Telnet address as a
destination interface in the ACL applied to the source
interface. In addition, you must add a static NAT command for
the virtual Telnet IP address, even if NAT is not required. An
identity NAT command is typically used (where you translate
the address to itself).
For outbound users, there is an explicit permit for traffic, but
if you apply an ACL to an inside interface, be sure to allow
access to the virtual Telnet address. A static statement is not
required.
To log out from the ASA, reconnect to the virtual Telnet IP
address; you are then prompted to log out.