Second option is to use a NAT statement to redirect 3023 to 23 on the router. But try the first thing.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Roger Cheeks
Sent: Tuesday, April 27, 2010 1:58 PM
To: OSL Security
Subject: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

Has anyone ever gotten this to work for http or telnet? This is a little long, sorry for that.

Topology: SW1 <-> R3845 <-> R2600

Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1

Switch info...

  SW3750(config)#siib | i 35
  Vlan35    192.168.35.9    YES NVRAM  up    up

Security Router configurations...

  hostname R3845
  aaa new-model
  aaa authentication login no_aaa none
  aaa authentication login local_aaa local
  aaa authorization auth-proxy default local
  username aptest privilege 15 password 0 apworkplease
  ip port-map telnet port tcp 3023
  ip inspect name watch_telnet telnet audit-trail on
  ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
  interface GigabitEthernet0/0
   ip address 192.168.35.254 255.255.255.0
   ip inspect watch_telnet in
   ip auth-proxy SW1-Proxy
   ip virtual-reassembly
  interface GigabitEthernet0/1
   ip address 77.77.77.254 255.255.255.0
   ip virtual-reassembly
  access-list 102 permit tcp host 192.168.35.9 any eq telnet
  access-list 102 permit tcp host 192.168.35.9 any eq 3023

Target router...

  hostname R2600-H
  interface FastEthernet0/0
   ip address 77.77.77.26 255.255.255.0
  line vty 0 4
   exec-timeout 60 0
   password cisco
   login
   rotary 23

RESULTS for straight telnet:

  SW3750#telnet 77.77.77.26
  Trying 77.77.77.26 ... Open

  Firewall authentication

  Username:aptest
  Password:

  Firewall authentication Success.
  Connection will be closed if remote server does not respond
  Connecting to remote server...

  User Access Verification

  Password:
  R2600>

Debug from 3845:

  R3845(config)#
  *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
  *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
  *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
  *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
  *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
  *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
  *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
  *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
  *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
  *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
  *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
  *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
  *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
  *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
  *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
  *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
  *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
  *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
  *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
  *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
  *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
  *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
  *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
  *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
  *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
  *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
  *Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
  *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
  *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
  *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
  *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
  R3845(config)#

RESULTS for telnet on 3023:

  R3845(config)#do clear ip auth-proxy cache *

  SW3750#telnet 77.77.77.26 3023
  Trying 77.77.77.26, 3023 ... Open

  User Access Verification

  Password:
  R2600>

Logs from 3845 verifying telnet inspection:

  R3845(config)#
  *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
  *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes

As shown, telnet on 3023 bypasses auth-proxy entirely. Thanks for any input.
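The thread shows the gap between CBAC inspection and auth-proxy: `ip port-map telnet port tcp 3023` makes the inspect engine log the 3023 session as a "telnet session" in the %FW-6-SESS_AUDIT_TRAIL audit trail, yet the telnet auth-proxy never challenges it. Until the forwarding fix is in place, a defender can at least find such sessions in the audit trail. The script below is an added example written for this page (not code from either poster or from Cisco): it parses the four audit-trail lines quoted above (re-typed here as constructed sample input), folds Start/Stop pairs into one session record, and flags telnet sessions whose responder port is not one the auth-proxy challenges on. The assumption that auth-proxy only intercepts telnet on TCP/23 is taken from the behaviour observed in the thread, and the `PROXY_INTERCEPT_PORTS` table and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the %FW-6-SESS_AUDIT_TRAIL lines quoted in the
# thread, one telnet session to TCP/23 (auth-proxy challenged it) and one to
# TCP/3023 (auth-proxy never saw it).
SAMPLE_LOG = """\
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# One pattern covers both the Start and the Stop form of the audit-trail
# message; the "sent N bytes" fields are only present on Stop.
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: (?P<event>Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)(?: sent (?P<sbytes>\d+) bytes)? -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?"
)


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    closed: bool = False
    initiator_bytes: Optional[int] = None
    responder_bytes: Optional[int] = None


def parse_audit_trail(text: str) -> List[Session]:
    """Fold Start/Stop audit-trail lines into one Session per 4-tuple."""
    sessions: Dict[Tuple[str, int, str, int], Session] = {}
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit-trail message (debug noise, prompts, ...)
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        s = sessions.setdefault(key, Session(m["proto"], *key))
        if m["event"] == "Stop":
            s.closed = True
            s.initiator_bytes = int(m["sbytes"]) if m["sbytes"] else None
            s.responder_bytes = int(m["rbytes"]) if m["rbytes"] else None
    return list(sessions.values())


# Hypothetical policy table for this example: the responder ports on which the
# auth-proxy actually challenges a given inspected protocol. Per the thread,
# the telnet auth-proxy only intercepts TCP/23 even though the port-map makes
# CBAC classify TCP/3023 as telnet.
PROXY_INTERCEPT_PORTS: Dict[str, Set[int]] = {"telnet": {23}}


def find_unproxied_sessions(
    sessions: List[Session],
    intercept_ports: Dict[str, Set[int]] = PROXY_INTERCEPT_PORTS,
) -> List[Session]:
    """Return inspected sessions of a proxied protocol that reached a
    responder port the auth-proxy does not challenge on."""
    return [
        s for s in sessions
        if s.proto in intercept_ports and s.dport not in intercept_ports[s.proto]
    ]


if __name__ == "__main__":
    for s in find_unproxied_sessions(parse_audit_trail(SAMPLE_LOG)):
        print(f"{s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"({s.initiator_bytes}/{s.responder_bytes} bytes) bypassed auth-proxy")
```

Run against the sample, only the 3023 session is reported. Feeding the router's syslog export through `parse_audit_trail` gives the same result for live traffic; the byte counts are kept because a Stop line with zero bytes in either direction usually means the session never got past the TCP handshake, which is worth distinguishing from a completed login.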
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
