Configuring Virtual Telnet Inbound Connections
PIXFirewall(config)# ip address outside 192.168.1.1 255.255.255.0
PIXFirewall(config)# ip address inside 10.10.10.1 255.255.255.0
PIXFirewall(config)# global (outside) 1 192.168.1.20-192.168.1.40 netmask 255.255.255.0
PIXFirewall(config)# nat (inside) 1 0 0 0 0
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config)# aaa authentication include any outside 0 0 0 0 TACACS+
PIXFirewall(config)# virtual telnet 192.168.1.4
PIXFirewall(config)# static (inside, outside) 192.168.1.4 10.10.10.100 netmask
255.255.255.255 0 0
PIXFirewall(config)# access-list NetMeeting permit tcp any host 192.168.1.4 eq 23
PIXFirewall(config)# access-list NetMeeting permit tcp 192.168.128.128
255.255.255.255 192.168.1.4 255.255.255.255 eq H323
PIXFirewall(config)# access-group NetMeeting in interface outside
NOTE To remove the virtual Telnet from the configuration, enter no virtual telnet.
Virtual HTTP
Virtual HTTP functions similarly to virtual Telnet in that the PIX Firewall acts as the HTTP
server via an additional IP address assigned to the firewall. Users might believe that they are
accessing the web server, but they are actually accessing the virtual server for the authentication
prompt, being authenticated by an AAA server, and being redirected to their
destination after successful authentication. The syntax for virtual http is
virtual http ip-address [warn]
The warn option is used for text-based browsers that cannot automatically be redirected.
The option adds a link that would be used to redirect to the virtual HTTP server.
Normally, the ip-address should be an address that the inside network routes to the Security
Appliance. This way, the internal users access it directly, and the external users connect to it
via static address translation at the firewall. Of course, the inbound users require authentication
and also must be permitted by an access list or conduit. Example 18-6 depicts the
configuration for virtual HTTP on the Security Appliance. This is the configuration shown
in Figure 18-5.