Hi Brian

With the include option, the idea is a bit different, as follows:

include <local network> <remote network>

The local network is the network connected to the inside interface i.e.,
higher security level

The remote network is the network connected to the outside interface i.e.,
lower security level

It applies to both inbound and outbound auth-proxy.



With regards
Kings

On Sun, Feb 14, 2010 at 11:12 PM, Brian Schultz <[email protected]> wrote:

> For inbound authentication through the ASA, I can make it work by matching
> an ACL to the outside IP like this.
>
> access-list Inbound_Auth_ACL extended permit tcp any host 192.1.24.15 eq
> telnet
> aaa authentication match Inbound_Auth_ACL outside AuthInbound
> static (inside,outside) 192.1.24.15 10.2.2.5 netmask 255.255.255.255
> access-list OUTSIDE_IN extended permit tcp host 192.1.24.4 host 192.1.24.15
> eq telnet
>
>
> However, if I setup specific auth include, I have to use the inside address
> to make it work:
>
> aaa authentication include telnet outside 10.2.2.5 255.255.255.255 0 0
> AuthInbound
> static (inside,outside) 192.1.24.15 10.2.2.5 netmask 255.255.255.255
> access-list OUTSIDE_IN extended permit tcp host 192.1.24.4 host 192.1.24.15
> eq telnet
>
>
> I'm trying to figure out the order of operation and why each method acts
> differently.  Any suggestions?
>
>
> Thanks,
> Brian
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
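As an added illustration of the local/remote distinction above (example code, not part of either message), a small Python checker that parses `static` and `aaa authentication include` lines from a constructed ASA config excerpt and flags an include whose `<local network>` names the mapped outside address instead of the real inside address, which is the form Brian found did not work. The config text, the status labels and the regexes are all assumptions of this example.

```python
import ipaddress
import re
# Constructed ASA config excerpt modelled on the thread: the static maps outside
# 192.1.24.15 to inside 10.2.2.5; the second include names the mapped address.
CONFIG = """
static (inside,outside) 192.1.24.15 10.2.2.5 netmask 255.255.255.255
aaa authentication include telnet outside 10.2.2.5 255.255.255.255 0 0 AuthInbound
aaa authentication include telnet outside 192.1.24.15 255.255.255.255 0 0 AuthInbound
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
# include|exclude <service> <interface> <local ip> <local mask> <remote ip> <remote mask> [group]
AAA_RE = re.compile(r"^aaa authentication (include|exclude) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (\S+))?$")

def to_network(ip, mask):
    """ASA shorthand '0 0' means any host; expand it to 0.0.0.0/0.0.0.0."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_statics(config):
    """Return {mapped_ip: real_ip} from 'static (real_if,mapped_if) mapped real' lines."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, _mapped_if, mapped, real, _mask = m.groups()
            statics[ipaddress.ip_address(mapped)] = ipaddress.ip_address(real)
    return statics

def check_aaa_lines(config):
    """Tag each include/exclude line: 'ok' when <local network> covers the real
    (inside) address; 'mapped-local' when it covers only the translated address
    the static presents on the outside, the form Brian found does not work."""
    statics = parse_statics(config)
    findings = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        _act, _svc, _iface, lip, lmask, _rip, _rmask, _group = m.groups()
        local = to_network(lip, lmask)
        if any(real in local for real in statics.values()):
            status = "ok"
        elif any(mapped in local for mapped in statics):
            status = "mapped-local"
        else:
            status = "no-static"
        findings.append((lip, status))
    return findings
```

Run `check_aaa_lines(CONFIG)` to see the first include tagged ok and the second tagged mapped-local; a `0 0` local network covers the real address and is tagged ok.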