Example 18-5 Configuring Virtual Telnet Inbound Connections
PIXFirewall(config)# ip address outside 192.168.1.1 255.255.255.0
PIXFirewall(config)# ip address inside 10.10.10.1 255.255.255.0
PIXFirewall(config)# global (outside) 1 192.168.1.20-192.168.1.40 netmask 255.255.255.0
PIXFirewall(config)# nat (inside) 1 0 0 0 0
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config)# aaa authentication include any outside 0 0 0 0 TACACS+
PIXFirewall(config)# virtual telnet 192.168.1.4
PIXFirewall(config)# static (inside,outside) 192.168.1.4 10.10.10.100 netmask 255.255.255.255 0 0
PIXFirewall(config)# access-list NetMeeting permit tcp any host 192.168.1.4 eq 23
PIXFirewall(config)# access-list NetMeeting permit tcp 192.168.128.128 255.255.255.255 192.168.1.4 255.255.255.255 eq H323
PIXFirewall(config)# access-group NetMeeting in interface outside
NOTE To remove the virtual Telnet from the configuration, enter no virtual telnet.
Virtual HTTP
Virtual HTTP functions similarly to virtual Telnet in that the PIX Firewall acts as the HTTP
server via an additional IP address assigned to the firewall. Users might believe that they are
accessing the web server, but they are actually accessing the virtual server for the authentication
prompt, being authenticated by an AAA server, and being redirected to their
destination after successful authentication. The syntax for virtual http is
virtual http ip-address [warn]
The warn option is used for text-based browsers that cannot automatically be redirected.
The option adds a link that would be used to redirect to the virtual HTTP server.
Normally, the ip-address should be an address that the inside network routes to the Security
Appliance. This way, the internal users access it directly, and the external users connect to it
via static address translation at the firewall. Of course, the inbound users require authentication
and also must be permitted by an access list or conduit. Example 18-6 depicts the
configuration for virtual HTTP on the Security Appliance. This is the configuration shown
in Figure 18-5.

Assigning the IP Address for Virtual Services for Inbound Traffic
The Security Appliance configuration must change to allow the inbound traffic to connect to
the NetMeeting server. First, the NetMeeting server needs to have a public IP address, which
means that you need to perform static translation. Second, you need to configure the access
lists to allow the inbound traffic. Example 18-5 shows the configuration required to allow
inbound connections to a destination on the protected network.

Assigning the IP Address for Virtual Services for Outbound Traffic
Example 18-4 shows the virtual Telnet configuration that authenticates host 10.10.10.100
when you make an outbound connection to a NetMeeting server located on the Internet.
Now let us change the positions of the client and server. This time, the NetMeeting server is
behind the Security Appliance, and the client is on the Internet. Figure 18-5 depicts the
configuration with the NetMeeting server on the internal network and the client on the
Internet.
Example 18-4 Configuring Virtual Telnet Outbound Connections
PIXFirewall(config)# ip address outside 192.168.1.1 255.255.255.0
PIXFirewall(config)# ip address inside 10.10.10.1 255.255.255.0
PIXFirewall(config)# global (outside) 1 192.168.1.20-192.168.1.40 netmask 255.255.255.0
PIXFirewall(config)# nat (inside) 1 0 0 0 0
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config)# aaa authentication include any inside 0 0 0 0 TACACS+
PIXFirewall(config)# virtual telnet 192.168.1.4

Authentication of Services
The Cisco Security Appliance is designed to authenticate users via FTP, HTTP, HTTPS, and
Telnet. Many other services that pass through the Security Appliance require authentication.
To fulfill this requirement, the Security Appliance supports virtual services. The Security
Appliance can stand in for servers that do not exist, which lets you configure it to
authenticate users who want to connect to services other than FTP, HTTP, HTTPS, and
Telnet. After a user has been authenticated, that user can access whatever authorized
services they are requesting.
Suppose your company uses Microsoft NetMeeting to communicate among its many different
branch offices. NetMeeting runs on the H.323 protocol, which uses a number of different
ports. To allow this access, users must authenticate via FTP, HTTP, or Telnet. If you do not
have a server available to accept the FTP, HTTP, or Telnet connections, you can configure the
Security Appliance to accept the connections via a virtual service.
Virtual Telnet
Virtual Telnet enables the user to authenticate using Telnet and use a service that does not
support authentication. The Security Appliance accepts the user’s connection and challenges
the user for a username and password. The username and password are verified by the
TACACS+ or RADIUS server. If the user successfully authenticates, the connection to the
user’s requested service is completed. An additional server is not required to accept the
connection, because the Security Appliance creates a virtual server to handle the authentication
requests. Virtual Telnet sessions can be inbound or outbound on the Security Appliance.
To configure virtual Telnet on the Security Appliance, you must first create the virtual server
on a segment that can be reached via the Security Appliance. Normally, this is an address on
the firewall’s outside interface. In Figure 18-4, the virtual IP address is 192.168.1.4. This
public IP address can be accessed from both inside networks and public networks (such as
the Internet). The syntax of the virtual telnet command is as follows:
virtual telnet ip-address

Console Access Authentication
The final type of AAA authentication is for direct connections to the Cisco Security
Appliance. It is very important to restrict access to the firewall as much as possible. One way
to increase your firewall’s security is to require all access to the firewall to be authenticated
by an AAA server. Console access is traditionally password protected; however, the aaa
authentication console command prompts the user to authenticate differently, depending on
the method used to access the Security Appliance:
■ serial—Causes the user to be prompted before the first command-line prompt when
connecting directly to the firewall via a serial cable. Users are continually prompted until
they successfully log in.
■ telnet—Causes the user to be prompted before the first command-line prompt when
attempting a Telnet session to the CLI. Users are continually prompted until they
successfully log in.
■ ssh—Causes the user to be prompted before the first command-line prompt when
attempting a Secure Shell (SSH) session to the CLI. If users are unable to successfully
authenticate within three attempts, they are disconnected and receive the message
“Rejected by Server.”
■ http—This option is selected when you use the Adaptive Security Device Manager
(ASDM) to manage your Security Appliance. ASDM users see a pop-up window in their
browser (PIX Device Manager). Users are continually prompted until they successfully
log in.
■ enable—With this option, the Security Appliance requires AAA server authentication to
enter privileged mode. The enable option prompts the user for a username and password
before entering privileged mode for serial, Telnet, and SSH connections. If users are
unable to successfully authenticate after three attempts, they see the “Access Denied”
message.
NOTE By default, the ASDM can access the Security Appliance with no username and
the enable password unless the aaa authentication http console group-tag command is set.

Example 18-3 Configuring aaa authentication match
PIXFirewall(config)# static (inside,outside) 192.168.200.1 10.10.10.10 netmask 255.255.255.255
PIXFirewall(config)# access-list PIXTEST permit tcp any host 192.168.200.1 eq 80
PIXFirewall(config)# access-group PIXTEST in interface outside
PIXFirewall(config)# aaa authentication match PIXTEST outside TACACS+
The static translation and access group are also included in this example because each is
required to have the correct public address and to apply the access list.
NOTE Chapter 7, “Configuring Access,” discusses access lists in greater detail.

Designating AAA Authentication Parameters Via Access Lists
It is also possible to configure your AAA authentication to reference access lists using the
match command. This configuration removes the requirement of manually defining the local
and foreign addresses. The syntax for AAA authentication using access lists is as follows:
aaa authentication match acl-name if-name server-tag
Example 18-3 is an example of the aaa authentication command, including the referenced
access list.

Example 18-2 Configuring AAA Authentication on the PIX Firewall
PIXFirewall(config)# aaa authentication include any outside 0 0 0 0 TACACS+
PIXFirewall(config)# aaa authentication exclude http outside 0 0 192.168.1.28 255.255.255.255 TACACS+
The local-ip must be the actual IP address configured on a system without Network Address
Translation (NAT). To configure this authentication, you must ensure that you have a static
address translation or NAT configured for your local-ip, but you must list the original
(untranslated) IP address as the local-ip.

Manually Designating AAA Authentication Parameters
The first command enables you to manually designate the authentication parameters using
the items in the preceding list. The syntax for this command is as follows:
aaa authentication include | exclude authen-service inbound | outbound if-name local-ip
local-mask foreign-ip foreign-mask group-tag
Example 18-2 shows the syntax for requiring all inbound traffic to authenticate except for
traffic connecting from host 192.168.1.28 based on the network shown in Figure 18-1.

Configuring Authentication
Now that you have the AAA server and the NAS configured to communicate with each other,
you need to configure both for user authentication. First, you need to configure the
authentication parameters on the Security Appliance and on Cisco Secure ACS. Seven types of
authentication are supported on the PIX Firewall:
■ TACACS+
■ RADIUS
■ LDAP
■ NT
■ SDI
■ Kerberos
■ LOCAL
NOTE The TACACS+ or RADIUS key specified on Cisco Secure ACS must exactly match
the key specified in the aaa-server command for communication between the Cisco Secure
ACS server and the NAS to be established.
546 Chapter 18: Configuration of AAA on the Cisco Security Appliance
TACACS+, LDAP, and RADIUS all support numerous vendor-specific attributes (VSAs) or
attribute value (AV) pairs. For a list of the specific VSAs or AV pairs and their definitions, see
the User Guide for Cisco Secure ACS for Windows Version 3.3.
The aaa authentication command has three different types. The following list describes the
options and variables you find collectively within all three:
■ include—Creates a rule with a specified service.
■ exclude—Creates an exception to a previously defined rule.
■ authen-service—The service that is included or excluded. It is the application with which
the user accesses the network. The Security Appliance can authenticate only via FTP,
HTTP, and Telnet. You can configure the authen-service as “any” to allow the Security
Appliance to authenticate any of the three, but this does not allow your users to
authenticate using any protocol other than FTP, HTTP, or Telnet.
■ inbound—Specifies that the Security Appliance is to authenticate inbound traffic
(originates on the outside interface and is directed to the inside interface).
■ outbound—Specifies that the Security Appliance is to authenticate outbound traffic
(originates on the inside interface and is directed to the outside interface).
■ if-name—The interface name from which the users should be authenticated. This is
optional. By default, the user must authenticate before being allowed through the PIX
Firewall. Therefore, outbound traffic authenticates at the inside interface, and inbound
traffic authenticates at the outside interface.
■ local-ip—The host address or network segment with the highest security level. As with
the other address definitions on the Security Appliance, 0 is used to define “any.”
■ local-mask—The subnet mask that applies to the local-ip; 0 is used to define “any.”
■ foreign-ip—Defines the address space with the lowest security level. The use of 0 defines
“any.”
■ foreign-mask—The subnet mask that applies to the foreign-ip; 0 is used to define “any.”
■ group-tag—The name used for the AAA server group. The group-tag is also used in the
aaa-server, aaa authorization, and aaa accounting commands.
The following sections describe the three different formats and functions of the aaa
authentication command in greater detail.
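The include/exclude semantics above, together with the local-ip and foreign-ip matching, can be checked offline. The following evaluator is an added example, not code from the book or from Cisco: it parses the two lines of Example 18-2 (embedded as a constructed sample) and reports whether a given connection would be challenged. The inbound/outbound-to-interface mapping (`_DIRECTION_IF`) is a helper assumed from the default behaviour the list describes, and the treatment of exclude as an override of any matching include is the reading of "exception to a previously defined rule" used here.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical helper (not a PIX command): by default the PIX authenticates
# inbound traffic at the outside interface and outbound traffic at the inside.
_DIRECTION_IF = {"inbound": "outside", "outbound": "inside"}

@dataclass
class Rule:
    action: str                    # include | exclude
    service: str                   # any | ftp | http | https | telnet
    interface: str                 # if-name the rule is evaluated on
    local: ipaddress.IPv4Network   # higher-security side; real, untranslated address
    foreign: ipaddress.IPv4Network # lower-security side
    group: str                     # AAA server group-tag

def _net(ip, mask):
    # On the PIX, 0 for the address or the mask means "any".
    if ip == "0" or mask == "0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_rules(config):
    """Collect 'aaa authentication include|exclude ...' lines; ignore the rest."""
    rules = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith("#"):       # drop a CLI prompt
            tokens = tokens[1:]
        if (len(tokens) != 10 or tokens[:2] != ["aaa", "authentication"]
                or tokens[2] not in ("include", "exclude")):
            continue
        _, _, action, service, direction, lip, lmask, fip, fmask, group = tokens
        rules.append(Rule(action, service, _DIRECTION_IF.get(direction, direction),
                          _net(lip, lmask), _net(fip, fmask), group))
    return rules

def needs_auth(rules, service, interface, local_ip, foreign_ip):
    """Return the group-tag that will challenge this flow, or None if no
    include rule matches or a matching exclude rule exempts it."""
    lip, fip = ipaddress.ip_address(local_ip), ipaddress.ip_address(foreign_ip)
    group = None
    for r in rules:
        if r.interface != interface or (r.service != "any" and r.service != service):
            continue
        if lip not in r.local or fip not in r.foreign:
            continue
        if r.action == "exclude":
            return None              # exception wins over any include
        group = r.group
    return group

# Constructed sample: the two lines of Example 18-2 on this page.
EXAMPLE_18_2 = """\
PIXFirewall(config)# aaa authentication include any outside 0 0 0 0 TACACS+
PIXFirewall(config)# aaa authentication exclude http outside 0 0 192.168.1.28 255.255.255.255 TACACS+
"""

if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_18_2)
    print(needs_auth(rules, "http", "outside", "10.10.10.10", "192.168.1.28"))  # None
    print(needs_auth(rules, "ftp", "outside", "10.10.10.20", "192.168.1.28"))   # TACACS+
```

Note that the exempt host 192.168.1.28 is only exempt for HTTP; its FTP connections still hit the include-any rule.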

Selecting the Network Access Server
You also can create additional NASs or edit the current NAS settings in Cisco Secure ACS by
clicking the Network Configuration button in the Cisco Secure ACS main window.
Remember that the Cisco Secure ACS calls the NAS the “AAA client.” Figure 18-3 shows the
settings for the Security Appliance in the Cisco Secure ACS. Notice that the authentication
protocol has been changed from RADIUS to TACACS+.

Example 18-1 Identifying AAA Servers on the PIX Firewall
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config-aaa-server)#
You finish configuring the Cisco Secure ACS to connect to the Security Appliance by selecting
the Security Appliance during the Cisco Secure ACS installation, as shown in Figure 17-2.

Identifying the AAA Server and NAS
You must be sure to have the correct information about your AAA server before you attempt
to configure your Security Appliance. You use the aaa-server command (from configuration
mode on the Security Appliance) to specify the AAA server. Remember that you are dealing
with at least two devices: the Security Appliance and the Cisco Secure ACS.
You must configure the Security Appliance to recognize the Cisco Secure ACS as its AAA
server for authentication. You also must configure the Cisco Secure ACS to communicate
with the Security Appliance with the necessary account information so that the Cisco Secure
ACS can validate authentication requests from the Security Appliance. To accomplish both
tasks, you need to use the following commands:
aaa-server server-tag protocol auth-protocol
aaa-server server-tag [if-name] host server-ip key [timeout seconds]
Figure 18-1 (network diagram) labels: CSACS 172.16.1.2; Client 192.168.1.28; Web Server 10.10.10.10; FTP Server 10.10.10.20; PIX_Firewall 172.16.1.254
You must define the following command options and parameters for the configuration to be
successful:
■ aaa-server—Designates the AAA server or server group. A group can have as many as
16 servers, and the PIX Firewall can handle up to 15 single-mode groups of AAA servers,
for a total of 240 AAA servers. This enables you to tailor which AAA servers handle
certain services and lets you configure your AAA servers for redundancy. When a user
logs in, the NAS contacts the first server in the group (see the group-tag description). If
it does not receive a response within the designated timeout period, it moves to the next
server in the group.
■ server-tag—The name used for the AAA server group. The server-tag is also used in the
aaa authentication, aaa authorization, and aaa accounting commands.
■ protocol auth-protocol—The type of AAA server used (kerberos, ldap, NT, SDI,
TACACS+, or RADIUS).
■ if-name—The interface name for the interface on which the AAA server resides. This
designates how the firewall connects to the AAA server.
■ host server-ip—The AAA server’s IP address.
■ key—A shared secret between the Cisco Secure ACS (server) and the Security Appliance
(client). It is an alphanumeric password that can be as many as 127 characters.
■ timeout seconds—How long the Security Appliance waits between transmission
attempts to the AAA server. The Security Appliance makes four attempts to connect with
the AAA server before trying to connect to the next AAA server in the group. The default
timeout is 5 seconds; the maximum timeout is 30 seconds. Using the default timeout of
5 seconds, the Security Appliance attempts four transmissions, waiting 5 seconds
between each attempt, for a total of 20 seconds.
For the network example in this chapter, you would enter the syntax shown in Example 18-1.
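The aaa-server parameters and limits listed above (16 servers per group, a key of at most 127 characters, a timeout of 1 to 30 seconds with a default of 5, four attempts per server) lend themselves to a small configuration linter. This is an added example, not code from the book or from Cisco: it parses Example 18-1 plus a constructed second host (172.16.1.3, assumed) and computes the worst-case wait before the group is exhausted. Prompt stripping and the regular expressions are assumptions about the CLI text, not a Cisco parser.

```python
import re
from dataclasses import dataclass, field

# Limits and timing rules as stated on this page.
MAX_SERVERS_PER_GROUP = 16
MAX_KEY_LEN, DEFAULT_TIMEOUT, MAX_TIMEOUT = 127, 5, 30
ATTEMPTS_PER_SERVER = 4

@dataclass
class Server:
    if_name: str   # interface the server is reached through
    ip: str
    key: str       # shared secret with the AAA server
    timeout: int   # seconds between transmission attempts

@dataclass
class Group:
    protocol: str
    servers: list = field(default_factory=list)

_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
_HOST = re.compile(r"^aaa-server (\S+)(?: \((\S+)\))? host (\S+) (\S+)(?: timeout (\d+))?$")

def parse_aaa_servers(config):
    """Collect aaa-server groups and their hosts; other lines are ignored."""
    groups = {}
    for line in config.splitlines():
        line = line.split("# ", 1)[-1].strip()   # drop a "PIXFirewall(config)# " prompt
        if m := _PROTO.match(line):
            groups.setdefault(m[1], Group(m[2]))
        elif m := _HOST.match(line):
            tag, if_name, ip, key, timeout = m.groups()
            groups.setdefault(tag, Group("unknown")).servers.append(
                Server(if_name or "", ip, key, int(timeout) if timeout else DEFAULT_TIMEOUT))
    return groups

def lint(groups):
    """Return a list of problems against the limits the page states."""
    problems = []
    for tag, g in groups.items():
        if len(g.servers) > MAX_SERVERS_PER_GROUP:
            problems.append(f"{tag}: {len(g.servers)} servers exceeds {MAX_SERVERS_PER_GROUP}")
        for s in g.servers:
            if len(s.key) > MAX_KEY_LEN:
                problems.append(f"{tag} {s.ip}: key longer than {MAX_KEY_LEN} characters")
            if not 0 < s.timeout <= MAX_TIMEOUT:
                problems.append(f"{tag} {s.ip}: timeout {s.timeout} outside 1..{MAX_TIMEOUT}")
    return problems

def worst_case_wait(group):
    """Seconds until every server in the group has been tried four times."""
    return sum(ATTEMPTS_PER_SERVER * s.timeout for s in group.servers)

# Constructed sample: Example 18-1 from this page plus a hypothetical second
# host (172.16.1.3) that relies on the default timeout of 5 seconds.
SAMPLE = """\
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.3 abc123
"""
```

With the sample, the first host accounts for 4 x 20 = 80 seconds and the second for 4 x 5 = 20 seconds, so a user could wait 100 seconds before both servers are given up on.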

Configuring AAA on the Cisco Security Appliance
Four steps are required to configure AAA on the Security Appliance:
Step 1 Identify the AAA server and the NAS.
Step 2 Configure authentication.
Step 3 Configure authorization.
Step 4 Configure accounting.
All four steps can be completed so that the Security Appliance works with the AAA servers;
however, it is possible to configure authentication without authorization or accounting.
Each step is discussed in detail in the following sections.

Specifying Your AAA Servers
Only two components are required to build an AAA solution:
■ AAA server
■ Network access server (NAS)
It is possible to divide the AAA functions among multiple devices to reduce the processing
required by any single server. It is also possible for a single AAA server to support multiple
NASs. The point is that there is no single solution. The number of AAA servers and NASs
should be tailored to support the size and scope of the network being accessed. Configuring
the Security Appliance to connect to an AAA server requires only a few commands. Of
course, quite a few options are available with each command. In this exercise, a Security
Appliance, in this case a PIX Firewall, is configured to connect to a Cisco Secure ACS located
on the DMZ segment. Figure 18-1 depicts the network configuration used for the examples
in this chapter. Note that the Cisco Secure ACS is located on a DMZ segment rather than on
the inside or outside segments. This allows you to restrict access to the Cisco Secure ACS
from either segment, making the system more secure.