Cisco Systems ASA5515K9, ASA 5500

38-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter38 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Examples

The following example shows how to enable virtual Telnet together with AAA authentication for other

services:

hostname(config)# virtual telnet 209.165.202.129

hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp

hostname(config)# access-list ACL-IN remark This is the SMTP server on the inside

hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq

telnet

hostname(config)# access-list ACL-IN remark This is the virtual Telnet address

hostname(config)# access-group ACL-IN in interface outside

hostname(config)# network object obj-209.165.202.129-01

hostname(config-network-object)# host 209.165.202.129

hostname(config-network-object)# nat (inside,outside) static 209.165.202.129

hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp

hostname(config)# access-list AUTH remark This is the SMTP server on the inside

hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet

hostname(config)# access-list AUTH remark This is the virtual Telnet address

hostname(config)# aaa authentication match AUTH outside tacacs+

Command Purpose

virtual telnet ip_address

Example:

hostname(config)# virtual telnet 209.165.202.129

Configures a virtual Telnet server.

The ip_address argument sets the IP address for the virtual

Telnet server. Make sure this address is an unused address that

is routed to the ASA.

You must configure authentication for Telnet access to the

virtual Telnet address as well as the other services that you

want to authenticate using the authentication match or aaa

authentication include command.

When an unauthenticated user connects to the virtual Telnet IP

address, the user is challenged for a username and password,

and then authenticated by the AAA server. Once authenticated,

the user sees the message “Authentication Successful.” Then,

the user can successfully access other services that require

authentication.

For inbound users (from lower security to higher security),

you must also include the virtual Telnet address as a

destination interface in the access list applied to the source

interface. In addition, you must add a static NAT command for

the virtual Telnet IP address, even if NAT is not required. An

identity NAT command is typically used (where you translate

the address to itself).

For outbound users, there is an explicit permit for traffic, but

if you apply an access list to an inside interface, be sure to

allow access to the virtual Telnet address. A static statement is

not required.

To log out from the ASA, reconnect to the virtual Telnet IP

address; you are then prompted to log out.