8-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 8 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP traffic
through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the
user Telnets to a given IP address configured on the ASA, and the ASA issues a Telnet prompt.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a
username and password, and then authenticated by the AAA server. After the user is authenticated, the
message “Authentication Successful” appears. Then the user can successfully access other services that
require authentication.
For inbound users (from lower security to higher security), you must also include the virtual Telnet
address as a destination interface in the access rule applied to the source interface. In addition, you must
add a static NAT rule for the virtual Telnet IP address, even if NAT is not required. An identity NAT rule
is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access rule to an inside
interface, be sure to allow access to the virtual Telnet address. A static NAT rule is not required.
To log out from the ASA, reconnect to the virtual Telnet IP address; you are prompted to log out.
To enable direct authentication using Telnet, perform the following steps:
Step 1 In the Configuration > Firewall > Advanced > Virtual Access > Virtual Telnet Server area, check the
Enable check box.
Step 2 In the Virtual Telnet Server field, enter the IP address of the virtual Telnet server.
Make sure that this address is an unused address that is routed to the ASA. For example, if you perform
NAT for inside addresses accessing an outside server, and you want to provide outside access to the
virtual HTTP server, you can use one of the global NAT addresses for the virtual HTTP server address.
Step 3 Click Apply.
The virtual server is added and the changes are saved to the running configuration.
Configuring the Authentication Proxy Limit
You can manually configure the uauth session limit by setting the maximum number of concurrent proxy
connections allowed per user.
To set the proxy limit, perform the following steps:
Step 1 Choose Configuration > Firewall > AAA Rules, then click Advanced.
The AAA Rules Advanced Options dialog box appears.
Step 2 In the Proxy Limit area, check the Enable Proxy Limit check box.
Step 3 In the Proxy Limit field, enter the number of concurrent proxy connections allowed per user, from 1 to
128.
Step 4 Click OK, then click Apply.
The changes are saved to the running configuration.
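The following is an added example of the running configuration that the two ASDM procedures above produce for the inbound (outside to inside) case, written in ASA CLI; it is not taken from the Cisco guide. The interface names, the AUTH-SERVERS group, the virtual Telnet address 203.0.113.99 and the inside SMTP server 192.0.2.25 are assumed values chosen for illustration.

```cisco
! Added example (not from the Cisco guide); all names and addresses are assumed.

! AAA server group that answers the virtual Telnet challenge (TACACS+ assumed)
aaa-server AUTH-SERVERS protocol tacacs+
aaa-server AUTH-SERVERS (inside) host 192.0.2.10
 key <tacacs-shared-secret-placeholder>

! Virtual Telnet address: must be unused and routed to the ASA
virtual telnet 203.0.113.99

! Inbound access rule on the outside interface: the virtual Telnet address must be
! a permitted destination, or the user never reaches the login prompt.
! 192.0.2.25 is the server's real address (8.3+ access lists use untranslated
! addresses); the server's own static NAT is assumed to exist and is not shown.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.99 eq telnet
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.25 eq smtp
access-group OUTSIDE-IN in interface outside

! Identity NAT for the virtual Telnet address (translate it to itself);
! required for inbound users even when NAT is otherwise not needed
object network VTELNET
 host 203.0.113.99
 nat (inside,outside) static 203.0.113.99

! Traffic that must be authenticated before it is allowed through: the Telnet
! session to the virtual address, and the SMTP traffic that it unlocks
access-list AUTH-MATCH extended permit tcp any host 203.0.113.99 eq telnet
access-list AUTH-MATCH extended permit tcp any host 192.0.2.25 eq smtp
aaa authentication match AUTH-MATCH outside AUTH-SERVERS

! Proxy limit: concurrent proxy connections allowed per user (1 to 128)
aaa proxy-limit 16
```

For the outbound case the identity NAT object is not needed, but any access rule applied to the inside interface still has to permit Telnet to 203.0.113.99.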