I would have an acl, then you can include/exclude sites..
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret
aaa authentication match acl-http inside AuthInbound
aaa authentication match acl-http outside AuthInbound
access-list acl-http deny tcp host your_boss_ip_address host yoursite_IP_address eq www
access-list acl-http permit tcp any host yoursite_IP_address eq www
you can also add this for good measure....
aaa-server AuthToPIX protocol radius
aaa-server AuthToPIX (dmz) host IP_IAS_SERVER shared_secret
aaa authentication telnet console AuthToPIX
aaa authentication ssh console AuthToPIX
aaa authentication serial console AuthToPIX
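Added example (Python, not from the reply or from Cisco) to show how a PIX 6.3 "aaa authentication match" ACL like the one above is evaluated: first match wins, a permit entry means "authenticate this flow", a deny entry means "pass it without authentication", and a flow that matches nothing is also passed unauthenticated. The ACL text and the addresses are constructed placeholders.

```python
"""Model of how a PIX 'aaa authentication match <acl>' decision is made.

Parses access-list lines of the shape used in the reply and applies
first-match semantics.  In a match ACL, 'permit' = authenticate the flow,
'deny' = exempt the flow, no match = not authenticated.
"""
import ipaddress
import re

# Constructed sample ACL, same shape as the reply; the IPs are placeholders.
BOSS_IP = "192.0.2.10"
SITE_IP = "203.0.113.80"
ACL_TEXT = f"""
access-list acl-http deny tcp host {BOSS_IP} host {SITE_IP} eq www
access-list acl-http permit tcp any host {SITE_IP} eq www
"""

PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ssh": 22}
LINE_RE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+(\w+)\s+(host\s+\S+|any)"
    r"\s+(host\s+\S+|any)(?:\s+eq\s+(\S+))?$"
)


def _net(token: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' -> /32 network; 'any' -> 0.0.0.0/0."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token.split()[1] + "/32")


def parse_acl(text: str, name: str) -> list:
    """Return the entries of ACL `name`, in order, as (action, proto, src, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue  # malformed line or a different ACL: skip it
        port = m.group(6)
        dport = None if port is None else PORT_NAMES.get(port) or int(port)
        entries.append((m.group(2), m.group(3), _net(m.group(4)), _net(m.group(5)), dport))
    return entries


def needs_auth(entries, proto: str, src: str, dst: str, dport: int) -> bool:
    """First match wins: permit -> authenticate; deny or no match -> pass unauthenticated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in entries:
        if p == proto and s in snet and d in dnet and (port is None or port == dport):
            return action == "permit"
    return False
```

Swapping the two entries shows why order matters: with the permit first, the boss's flow matches it and is challenged too.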
-----Original Message-----
From: Jaime Vargas [mailto:j.vargas_at_marieclaire.es]
Sent: 28 January 2004 05:41
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] Pix Authentication doubts
Hi, first-time poster...
I have a problem with a Cisco PIX 515E version 6.3. In the documentation it
explains rather well how to set up authentication via RADIUS for "any
server", but what I want to do is to authenticate only users which try to
connect to http to a particular server which is in my inside network.
Let's assume that the IP address of my IAS server is IP_IAS_SERVER, which is
on the DMZ, that the IP address of the web server is IP_WEB_SERVER and that
it is visible on the outside interface via NAT with an address of
IP_WEB_NAT.
I think I know that first you have to define the RADIUS server with:
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (dmz) host IP_IAS_SERVER shared_secret
But how exactly should I set up authentication for the server? Should it be
aaa authentication include http outside IP_WEB_NAT 255.255.255.255 0 0 AuthInbound,
aaa authentication include http inside IP_WEB_SERVER 255.255.255.255 0 0 AuthInbound,
or none of the above?
Greetings, Jaime
P.S.: I'm on digest, so I'd be grateful if you could CC the possible answer to
my e-mail address as well as to the list. Thanks :)
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2004