Cisco PIX authentication proxy clarification

Discussion in 'Cisco' started by lombardi, Apr 3, 2004.

  1. lombardi

    Hello group,

    We currently have a PIX 501 to PIX 501 VPN between two offices. We
    have an AS400 at the main site. At both locations we would like the
    users to authenticate to the PIX locally for internet access. I
    understand that the PIX allows for telnet, ftp and http authentication
    locally, but will the users have to authenticate against the PIX for
    other traffic being passed by the AS400 or other systems on the two
    networks via the VPN? Meaning, we only want the user to have to
    authenticate to the PIX for internet access only and not have to
    authenticate against the PIX for normal traffic between the two sites.
    This traffic should be allowed to flow freely without a user name and
    password. I have read the documentation on this but am unsure if this
    is allowed. ** At both sites internet access routes directly out; it
    does not tunnel through the VPN.

    Thanks as always,

    Joe
    lombardi, Apr 3, 2004
    #1

  2. In article <>,
    lombardi <> wrote:
    :We currently have a PIX 501 to PIX 501 VPN between two offices. We
    :have an AS400 at the main site. At both locations we would like the
    :users to authenticate to the PIX locally for internet access. I
    :understand that the PIX allows for telnet, ftp and http authentication
    :locally, but will the users have to authenticate against the PIX for
    :other traffic being passed by the AS400 or other systems on the two
    :networks via the VPN?

    I believe you might be able to do what you want by using the
    'exclude' clause of the 'aaa authorization' configuration.
    --
    "There are three kinds of lies: lies, damn lies, and statistics."
    -- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
    Walter Roberson, Apr 3, 2004
    #2

  3. Rik Bain

    On Sat, 03 Apr 2004 01:44:38 -0600, lombardi wrote:

    > Hello group,
    >
    > We currently have a PIX 501 to PIX 501 VPN between two offices. We have
    > an AS400 at the main site. At both locations we would like the users to
    > authenticate to the PIX locally for internet access. I understand that
    > the PIX allows for telnet, ftp and http authentication locally, but will
    > the users have to authenticate against the PIX for other traffic being
    > passed by the AS400 or other systems on the two networks via the VPN?
    > Meaning, we only want the user to have to authenticate to the PIX for
    > internet access only and not have to authenticate against the PIX for
    > normal traffic between the two sites.
    > This traffic should be allowed to flow freely without a user name and
    > password. I have read the documentation on this but am unsure if this
    > is allowed. ** At both sites internet access routes directly out; it
    > does not tunnel through the VPN.
    >
    > Thanks as always,
    >
    > Joe



    Try the following to require auth for web traffic (v6.2+).

    username <username> password <password>
    access-list AUTH permit tcp any any eq 80
    aaa authentication match AUTH inside LOCAL

    Rik Bain
    Rik Bain, Apr 3, 2004
    #3
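A fuller configuration, added here as an editorial example rather than anything posted in the thread, that combines Rik's `aaa authentication match` with a deny entry exempting the site-to-site traffic Joe wants left alone (the role Walter's `exclude` clause plays in the older include/exclude syntax). The subnets 192.168.1.0/24 (this office) and 192.168.2.0/24 (remote office), the user name and the password are placeholders I chose; the `!` lines are annotations for the reader, not commands to paste into the PIX.

```cisco
! PIX 6.2+ at the main site. Assumed addressing (placeholders):
!   inside LAN          192.168.1.0/24
!   remote office LAN   192.168.2.0/24 (reached through the existing IPsec tunnel)
!
! Local user database; the LOCAL server tag is predefined on 6.2 and later.
username jsmith password Ch4ngeMe

! An ACL referenced by "aaa authentication match" is evaluated top down:
! traffic hitting a deny entry is exempt from authentication, traffic hitting
! a permit entry must be authenticated. The exemption for tunnelled
! office-to-office traffic (including tn5250/telnet sessions to the AS400)
! therefore has to come BEFORE the permit line.
access-list AUTH deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Everything else on TCP/80 leaving the inside network is challenged first.
access-list AUTH permit tcp any any eq 80

! Tie the ACL to authentication on the inside interface against the local
! database. AUTH is referenced only here; do NOT bind it with access-group,
! or it would become a traffic filter instead of an authentication selector.
aaa authentication match AUTH inside LOCAL

! Lifetime of an authenticated user's uauth cache entry before the PIX
! prompts again (default is 0:05:00 absolute).
timeout uauth 1:00:00 absolute
```

The remote PIX gets the same block with the two subnets swapped, so its users authenticate against that box's own `username` database, as Joe asked. Two checks worth running after pasting it in: `show uauth` lists who is currently authenticated and from which address, and `show access-list AUTH` shows the hit counter on the deny line climbing while office-to-office traffic passes unchallenged. Two caveats: the PIX only presents a login prompt for telnet, FTP and HTTP, so if the permit line is later widened to other ports those flows are simply dropped until the user has authenticated through one of those three; and the HTTP prompt is Basic authentication over plain HTTP, so the local PIX password crosses the LAN in the clear each time a user logs in.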
  4. lombardi

    Rik Bain <> wrote in message news:<>...
    > On Sat, 03 Apr 2004 01:44:38 -0600, lombardi wrote:
    >
    > > Hello group,
    > >
    > > We currently have a PIX 501 to PIX 501 VPN between two offices. We have
    > > an AS400 at the main site. At both locations we would like the users to
    > > authenticate to the PIX locally for internet access. I understand that
    > > the PIX allows for telnet, ftp and http authentication locally, but will
    > > the users have to authenticate against the PIX for other traffic being
    > > passed by the AS400 or other systems on the two networks via the VPN?
    > > Meaning, we only want the user to have to authenticate to the PIX for
    > > internet access only and not have to authenticate against the PIX for
    > > normal traffic between the two sites.
    > > This traffic should be allowed to flow freely without a user name and
    > > password. I have read the documentation on this but am unsure if this
    > > is allowed. ** At both sites internet access routes directly out; it
    > > does not tunnel through the VPN.
    > >
    > > Thanks as always,
    > >
    > > Joe
    >
    > Try the following to require auth for web traffic (v6.2+).
    >
    > username <username> password <password>
    > access-list AUTH permit tcp any any eq 80
    > aaa authentication match AUTH inside LOCAL
    >
    > Rik Bain



    Thanks for the input. I will try this on Monday.
    lombardi, Apr 4, 2004
    #4
