Firewall Wizards mailing list archives
RE: Pix Authentication doubts
From: "Strydom, Willie" <WStrydom () fnb co za>
Date: Mon, 2 Feb 2004 08:08:33 +0200
I would have an acl, then you can include/exclude sites..

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret
aaa authentication match acl-http inside AuthInbound
aaa authentication match acl-http outside AuthInbound
access-list acl-http deny tcp host your_boss_ip_address host yoursite_IP_address eq www
access-list acl-http permit tcp any host yoursite_IP_address eq www

you can also add this for good measure....

aaa-server AuthToPIX protocol radius
aaa-server AuthToPIX (dmz) host IP_IAS_SERVER shared_secret
aaa authentication telnet console AuthToPIX
aaa authentication ssh console AuthToPIX
aaa authentication serial console AuthToPIX

-----Original Message-----
From: Jaime Vargas [mailto:j.vargas () marieclaire es]
Sent: 28 January 2004 05:41
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix Authentication doubts

Hi, first-time poster...

I have a problem with a Cisco PIX 515E version 6.3. In the documentation it explains rather well how to set up authentication via RADIUS for "any server", but what I want to do is to authenticate only users which try to connect to http to a particular server which is in my inside network.

Let's assume that the IP address of my IAS server is IP_IAS_SERVER, which is on the DMZ, that the IP address of the web server is IP_WEB_SERVER and that it is visible on the outside interface via NAT with an address of IP_WEB_NAT.

I think I know that first you have to define the RADIUS server with:

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret

But how exactly should I set up authentication for the server? Should it be

aaa authentication include http outside IP_WEB_NAT 255.255.255.255 0 0 AuthInbound,
aaa authentication include http inside IP_WEB_SERVER 255.255.255.255 0 0 AuthInbound,

or none of the above?
Greetings,
Jaime

P.S.: I'm on digest, so I'd be grateful if you could CC the possible answer to my e-mail address as well as to the list. Thanks :)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
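As an added illustration (not part of either post, and not Cisco's code), the following Python models the first-match semantics of the ACL that Willie's reply binds with "aaa authentication match": a permit line means the HTTP flow is challenged for RADIUS credentials, a deny line exempts it, and a flow that matches no line falls through to the implicit deny and is likewise not challenged. The addresses are constructed placeholders from documentation ranges standing in for your_boss_ip_address and yoursite_IP_address; the parser only understands the "host", "any", "address mask" and "eq port" forms used in the reply.

```python
"""Model of PIX 6.x 'aaa authentication match' ACL evaluation.

Added example, not from the mailing-list posts.  A flow is checked against
the access-list top to bottom; the first matching line decides:
  permit -> the PIX challenges the user for credentials (RADIUS)
  deny   -> the flow is exempt from authentication
  no match -> implicit deny at the end, i.e. also exempt
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords the PIX accepts in 'eq'; 'www' is the one used in the reply.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

# Constructed stand-ins for your_boss_ip_address / yoursite_IP_address.
SAMPLE_ACL = """
access-list acl-http deny tcp host 192.0.2.10 host 198.51.100.20 eq www
access-list acl-http permit tcp any host 198.51.100.20 eq www
"""


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A' | 'A MASK' starting at tokens[i].

    Returns (network, index of the next unparsed token).  PIX ACLs use
    dotted netmasks (255.255.255.0), which ipaddress accepts after '/'.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into Rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                      # skip blank or unrelated lines
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        rules.append(Rule(name, action, proto, src, dst, dport))
    return rules


def needs_auth(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation of one flow against the authentication ACL."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "permit"   # deny line => exempt from the challenge
    return False                          # implicit deny => not challenged


def demo() -> dict:
    """Which sample flows get a credential prompt under SAMPLE_ACL."""
    rules = parse_acl(SAMPLE_ACL)
    return {
        "boss to web:80": needs_auth(rules, "tcp", "192.0.2.10", "198.51.100.20", 80),
        "other to web:80": needs_auth(rules, "tcp", "203.0.113.5", "198.51.100.20", 80),
        "other to web:443": needs_auth(rules, "tcp", "203.0.113.5", "198.51.100.20", 443),
        "other to elsewhere:80": needs_auth(rules, "tcp", "203.0.113.5", "198.51.100.99", 80),
    }


if __name__ == "__main__":
    for flow, challenged in demo().items():
        print(f"{flow:24s} -> {'challenge' if challenged else 'exempt'}")
```

Two points the model makes visible: a deny line in this ACL only exempts a flow from the credential prompt, it does not block it (the interface access-list still decides whether the packet passes at all), and because the ACL is matched on the interface where the traffic arrives, a single acl-http bound to both inside and outside only behaves as intended if the web server's address is written as it is seen on each interface (the NAT address on outside, the real address on inside, per Jaime's IP_WEB_NAT / IP_WEB_SERVER distinction).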