Cisco ASA 5505 Configuration Manual page 705

Chapter 33 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the "Configuring Authentication for Network Access" section on page 33-1), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the adaptive security appliance, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the adaptive security appliance, and the adaptive security appliance provides a Telnet prompt.
You must configure authentication for Telnet access to the virtual Telnet address as well as the other services you want to authenticate according to the "Configuring Authentication for Network Access" section on page 33-1.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.

For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination in the Access Rule applied to the source interface. Moreover, you must add a static NAT rule for the virtual Telnet IP address, even if NAT is not required. An identity NAT rule is typically used (where you translate the address to itself).

For outbound users, there is an explicit permit for traffic, but if you apply an Access Rule to an inside interface, be sure to allow access to the virtual Telnet address. A static NAT rule is not required.

To log out from the adaptive security appliance, reconnect to the virtual Telnet IP address; you are prompted to log out.
To enable direct authentication using Telnet, perform the following steps:

Step 1 From the Configuration > Firewall > Advanced > Virtual Access > Virtual Telnet Server area, check the Enable check box.

Step 2 In the Virtual Telnet Server field, add the IP address of the virtual Telnet server. Make sure this address is an unused address that is routed to the adaptive security appliance. For example, if you perform NAT for inside addresses accessing an outside server, and you want to provide outside access to the virtual Telnet server, you can use one of the global NAT addresses for the virtual Telnet server address.

Step 3 Click Apply. The virtual server is added and the changes are saved to the running configuration.
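The ASDM steps above, together with the Access Rule and identity NAT requirements described earlier in this section, correspond to a small set of CLI commands. The following is an added example of a complete virtual Telnet configuration; it is not text from this guide. The interface names (inside, outside), the addresses (inside network 10.1.1.0/24, RADIUS server 10.1.1.5, virtual Telnet address 209.165.201.30 from the documentation address range), the server group name AUTHSRV and the ACL names are all constructed, and the `static` identity NAT line assumes the pre-8.3 NAT syntax of the ASA software this guide's era describes.

```cisco
! Added example (constructed values): AAA server group that authenticates users.
! Replace addresses, names and the key placeholder with your own.
aaa-server AUTHSRV protocol radius
aaa-server AUTHSRV (inside) host 10.1.1.5
 key RADIUS_SHARED_SECRET_PLACEHOLDER

! Virtual Telnet address: an unused address that is routed to the ASA,
! not assigned to any real host. The ASA answers the Telnet prompt itself.
virtual telnet 209.165.201.30

! Outbound (inside) users: all their TCP traffic requires authentication.
! Telnet to the virtual address matches this ACL too, so the user is
! challenged there first and then allowed through for the other services.
access-list AUTH_INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any
aaa authentication match AUTH_INSIDE inside AUTHSRV

! Inbound (outside) users: identity static NAT for the virtual address is
! required even though no translation takes place (address maps to itself).
static (inside,outside) 209.165.201.30 209.165.201.30 netmask 255.255.255.255

! The access rule applied to the outside interface must permit Telnet to the
! virtual address; the same ACL also selects the inbound traffic to authenticate.
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.30 eq telnet
access-group OUTSIDE_IN in interface outside
aaa authentication match OUTSIDE_IN outside AUTHSRV
```

After a user has authenticated through the virtual Telnet prompt, `show uauth` lists the authenticated source address and its remaining absolute and idle timers, which is the quickest way to confirm that the challenge reached the AAA server and that the entry expires as intended; `clear uauth` removes cached entries so that users must authenticate again.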
Authenticating HTTP(S) Connections with a Virtual Server
When you use HTTP authentication on the adaptive security appliance (see the "Configuring Authentication for Network Access" section on page 33-1), the adaptive security appliance uses basic HTTP authentication by default. You can change the authentication method so that the adaptive security appliance redirects HTTP connections to web pages generated by the adaptive security appliance itself using the "Enabling the Redirection Method of Authentication for HTTP and HTTPS" section on page 33-5.

However, if you continue to use basic HTTP authentication, then you might need the virtual HTTP server when you have cascading HTTP authentications.
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
33-7
