Support User Manuals

Cisco Systems ASA 5580 Network Router User Manual

Open as PDF

of 712

7-13

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 7 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Examples

The following example shows how to enable virtual Telnet together with AAA authentication for other

services:

ciscoasa(config)# virtual telnet 209.165.202.129

ciscoasa(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp

ciscoasa(config)# access-list ACL-IN remark This is the SMTP server on the inside

ciscoasa(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq

telnet

ciscoasa(config)# access-list ACL-IN remark This is the virtual Telnet address

ciscoasa(config)# access-group ACL-IN in interface outside

ciscoasa(config)# network object obj-209.165.202.129-01

ciscoasa(config-network-object)# host 209.165.202.129

ciscoasa(config-network-object)# nat (inside,outside) static 209.165.202.129

ciscoasa(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp

ciscoasa(config)# access-list AUTH remark This is the SMTP server on the inside

ciscoasa(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet

ciscoasa(config)# access-list AUTH remark This is the virtual Telnet address

ciscoasa(config)# aaa authentication match AUTH outside tacacs+

Command Purpose

virtual telnet ip_address

Example:

ciscoasa(config)# virtual telnet 209.165.202.129

Configures a virtual Telnet server.

The ip_address argument sets the IP address for the virtual

Telnet server. Make sure this address is an unused address that

is routed to the ASA.

You must configure authentication for Telnet access to the

virtual Telnet address as well as the other services that you

want to authenticate using the authentication match or aaa

authentication include command.

When an unauthenticated user connects to the virtual Telnet IP

address, the user is challenged for a username and password,

and then authenticated by the AAA server. Once

authenticated, the user sees the message “Authentication

Successful.” Then, the user can successfully access other

services that require authentication.

For inbound users (from lower security to higher security),

you must also include the virtual Telnet address as a

destination interface in the ACL applied to the source

interface. In addition, you must add a static NAT command for

the virtual Telnet IP address, even if NAT is not required. An

identity NAT command is typically used (where you translate

the address to itself).

For outbound users, there is an explicit permit for traffic, but

if you apply an ACL to an inside interface, be sure to allow

access to the virtual Telnet address. A static statement is not

required.

To log out from the ASA, reconnect to the virtual Telnet IP

address; you are then prompted to log out.

previous next