Cisco PIX authentication proxy clarification

lombardi
04-03-2004
Hello group,

We currently have a PIX 501 to PIX 501 vpn between two offices. We
have an AS400 at the main site. At both locations we would like the
users to authenticate to the PIX locally for internet access. I
understand that the PIX allows for telnet, ftp and http authentication
locally but will the users have to authenticate against the PIX for
other traffic being passed by the AS400 or other systems on the two
networks via the VPN. Meaning we only want the user to have to
authenticate to the PIX for internet access only and not have to
authenticate against the PIX for normal traffic between the two sites.
This traffic should be allowed to flow freely without a user name and
password. I have read the documentation on this but am unsure if this
is allowed. ** At both sites internet access routes directly out it
does not tunnel through the VPN.

Thanks as always,

Joe
Walter Roberson
04-03-2004
In article <(E-Mail Removed) >,
lombardi <(E-Mail Removed)> wrote:
:We currently have a PIX 501 to PIX 501 vpn between two offices. We
:have an AS400 at the main site. At both locations we would like the
:users to authenticate to the PIX locally for internet access. I
:understand that the PIX allows for telnet, ftp and http authentication
:locally but will the users have to authenticate against the PIX for
:other traffic being passed by the AS400 or other systems on the two
:networks via the VPN.

I believe you might be able to do what you want by using the
'exclude' clause of the 'aaa authorization' configuration.
--
"There are three kinds of lies: lies, damn lies, and statistics."
-- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
Rik Bain
04-03-2004
On Sat, 03 Apr 2004 01:44:38 -0600, lombardi wrote:

> Hello group,
>
> We currently have a PIX 501 to PIX 501 vpn between two offices. We have
> an AS400 at the main site. At both locations we would like the users to
> authenticate to the PIX locally for internet access. I understand that
> the PIX allows for telnet, ftp and http authentication locally but will
> the users have to authenticate against the PIX for other traffic being
> passed by the AS400 or other systems on the two networks via the VPN.
> Meaning we only want the user to have to authenticate to the PIX for
> internet access only and not have to authenticate against the PIX for
> normal traffic between the two sites.
> This traffic should be allowed to flow freely without a user name and
> password. I have read the documentation on this but am unsure if this
> is allowed. ** At both sites internet access routes directly out it
> does not tunnel through the VPN.
>
> Thanks as always,
>
> Joe



Try the following to require auth for web traffic (v6.2+).

username <username> password <password>
access-list AUTH permit tcp any any eq 80
aaa authentication match AUTH inside LOCAL

Rik Bain
lombardi
04-03-2004
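Putting the two replies together, the following is an added example configuration (not posted by anyone in the thread) for PIX 6.2 or later: it authenticates only Internet-bound HTTP and FTP from the inside LAN and leaves traffic headed for the other site over the VPN alone. The subnets and the username are assumptions for the sake of the example.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside LAN at this site:          192.168.1.0/24
!   remote site LAN across the VPN:   192.168.2.0/24
! Local user database used by the cut-through proxy (constructed user).
username jsmith password <set-a-real-password>
! In a "match" ACL, deny entries mark traffic that is NOT authenticated.
! Order matters: the VPN deny must precede the Internet permits, or HTTP
! (and telnet, e.g. a 5250 session to the AS400) bound for the other
! site would be intercepted and prompted as well.
access-list AUTH deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Only the protocols the PIX can prompt on (http, ftp, telnet) belong in
! the permits; other traffic matching a permit is dropped until the user
! has authenticated through one of those protocols first.
access-list AUTH permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list AUTH permit tcp 192.168.1.0 255.255.255.0 any eq 21
aaa authentication match AUTH inside LOCAL
! Cache the authenticated user so each new connection is not re-prompted.
timeout uauth 0:30:00 absolute
! The older include/exclude syntax has an exclude clause (the kind Walter
! mentions for aaa authorization) that expresses the same VPN carve-out:
! aaa authentication exclude any inside 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 LOCAL
```

Verify with "show uauth" after a user has authenticated, and check that a connection to the remote site's address range does not prompt, while a connection to an Internet web server does.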
Rik Bain <(E-Mail Removed)> wrote in message news:<(E-Mail Removed) ainz.org>...
> On Sat, 03 Apr 2004 01:44:38 -0600, lombardi wrote:
>
> > Hello group,
> >
> > We currently have a PIX 501 to PIX 501 vpn between two offices. We have
> > an AS400 at the main site. At both locations we would like the users to
> > authenticate to the PIX locally for internet access. I understand that
> > the PIX allows for telnet, ftp and http authentication locally but will
> > the users have to authenticate against the PIX for other traffic being
> > passed by the AS400 or other systems on the two networks via the VPN.
> > Meaning we only want the user to have to authenticate to the PIX for
> > internet access only and not have to authenticate against the PIX for
> > normal traffic between the two sites.
> > This traffic should be allowed to flow freely without a user name and
> > password. I have read the documentation on this but am unsure if this
> > is allowed. ** At both sites internet access routes directly out it
> > does not tunnel through the VPN.
> >
> > Thanks as always,
> >
> > Joe

>
>
> Try the following to require auth for web traffic (v6.2+).
>
> username <username> password <password>
> access-list AUTH permit tcp any any eq 80
> aaa authentication match AUTH inside LOCAL
>
> Rik Bain



Thanks for the input. I will try this on Monday.