Static PAT and HTTP - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 19
Applying AAA for Network Access
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).

Static PAT and HTTP

For HTTP authentication, the security appliance checks the real (inside) port when static PAT is configured. If it
detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts
the HTTP connection and enforces authentication.
For example, assume that outside TCP port 889 is translated to real port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and
enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the
security appliance allows the HTTP connection to complete.
If the real port is not port 80, as in the following example, where outside port 889 is translated to real port 111:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
Then users do not see the authentication page. Instead, the security appliance sends the web browser
an error message indicating that the user must be authenticated prior to using the requested service.
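The rule above, worked through as an added example that is not part of the Cisco guide: a small Python checker that parses the pre-8.3 static lines from a configuration and reports, for a given mapped address and port, whether the appliance would serve the authentication page (real port 80) or the "must authenticate first" error (any other real port). It assumes, as this section does, that AAA authentication and permitting access lists already cover the traffic; the port-keyword table, the extra sample lines, the aaa-server and access-list lines (present only to show that non-static lines are ignored) and the handling of a port-less one-to-one static are assumptions added for illustration.

```python
"""Added example (not Cisco code): checker for the static PAT / HTTP auth rule.

With static PAT, the security appliance decides whether to intercept an HTTP
connection for authentication by looking at the REAL (inside) port, not the
mapped (outside) port the client connected to. This script parses the pre-8.3
"static" lines from a config and reports what a browser would see.

Assumptions (not stated on the page): AAA authentication is already enabled
for the traffic in question and the access lists permit it; only the two
"static" forms used on this page are understood.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Port keywords accepted in place of numbers. Assumption: a small subset of
# the appliance's keywords; any other port must be given numerically.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "ftp": 21, "smtp": 25, "domain": 53, "sunrpc": 111}

# static (real_ifc,mapped_ifc) tcp|udp mapped_ip mapped_port real_ip real_port [netmask m]
# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m]
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mip>\S+)\s+(?P<mport>\S+)\s+(?P<rip>\S+)\s+(?P<rport>\S+)"
    r"|(?P<mip1>\S+)\s+(?P<rip1>\S+))"
    r"(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)


@dataclass
class StaticEntry:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # None for a port-less one-to-one static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def parse_port(tok: str) -> int:
    """Numeric port or one of the keywords above."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port token {tok!r}")


def parse_static(line: str) -> Optional[StaticEntry]:
    """Return a StaticEntry for a 'static' line, or None for any other line."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    if m["proto"]:
        return StaticEntry(m["real_ifc"], m["mapped_ifc"], m["mip"], m["rip"],
                           m["proto"], parse_port(m["mport"]), parse_port(m["rport"]))
    return StaticEntry(m["real_ifc"], m["mapped_ifc"], m["mip1"], m["rip1"])


def parse_config(text: str) -> List[StaticEntry]:
    """Collect every static line in the config; all other lines are ignored."""
    return [e for e in map(parse_static, text.splitlines()) if e is not None]


def http_auth_behaviour(statics: List[StaticEntry], dst_ip: str, dst_port: int = 80) -> str:
    """What a browser connecting to dst_ip:dst_port on the mapped interface gets.

    "auth-page"  - real port is 80: the appliance intercepts the connection and
                   serves the HTTP authentication page.
    "auth-error" - some other real port: no interception; the browser receives
                   the error saying the user must authenticate first.
    "no-static"  - no static covers the destination; this rule does not apply.
    """
    for e in statics:
        if e.mapped_ip != dst_ip or e.proto == "udp":
            continue
        if e.mapped_port is not None and e.mapped_port != dst_port:
            continue
        # A port-less static leaves the port unchanged, so the real port is
        # whatever port the client used.
        real_port = e.real_port if e.real_port is not None else dst_port
        return "auth-page" if real_port == 80 else "auth-error"
    return "no-static"


# Constructed sample config (not from a real device). The first static line is
# the page's own example; the rest are added to exercise the other cases.
SAMPLE_CONFIG = """\
aaa-server AuthOutbound protocol tacacs+
access-list AUTH_HTTP extended permit tcp any host 10.48.66.155
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
static (inside,outside) tcp 10.48.66.155 890 192.168.123.10 111 netmask 255.255.255.255
static (inside,outside) 10.48.66.156 192.168.123.20 netmask 255.255.255.255
"""

if __name__ == "__main__":
    entries = parse_config(SAMPLE_CONFIG)
    for ip, port in [("10.48.66.155", 889), ("10.48.66.155", 890),
                     ("10.48.66.156", 80), ("10.48.66.156", 8080),
                     ("10.48.66.155", 443)]:
        print(f"{ip}:{port:<5} -> {http_auth_behaviour(entries, ip, port)}")
```

The point the checker makes concrete is that the mapped port is irrelevant: 10.48.66.155:889 gets the authentication page because it lands on real port 80, while 10.48.66.155:890 gets the error because it lands on real port 111, even though both look like non-standard web ports from the outside.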
Authenticating Directly with the Security Appliance
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to
authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP
or HTTPS at the following URLs when you enable AAA for the interface:
http://interface_ip:1080/netaccess/connstatus.html
https://interface_ip:1443/netaccess/connstatus.html
Alternatively, you can configure virtual Telnet. With virtual Telnet, the user Telnets to a given IP
address configured on the security appliance, and the security appliance provides a Telnet prompt. For
more information about the virtual telnet command, see the Cisco Security Appliance Command
Reference.
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA
servers, continue to the next step.
For more information about identifying AAA servers, see the "Identifying AAA Server Groups and
Servers" section on page 13-12.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authenticate. For steps, see the "Adding an Extended Access List"
section on page 16-5.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 19-3 (Configuring Authentication for Network Access)