Just as an FYI - neither of those solutions worked.  I'm going to read some
to see if this is a supported feature.

Thanks

On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:

>  Second option is to use a NAT statement to redirect 3023 to 23 on the
> router.  But try the first thing.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Roger Cheeks
> *Sent:* Tuesday, April 27, 2010 1:58 PM
> *To:* OSL Security
> *Subject:* [OSL | CCIE_Security] can IOS auth-proxy work for non-standard
> ports?
>
> Has anyone ever gotten this to work for http or telnet?  This is a little
> long, sorry for that.
>
> Topology
>
> SW1 <-> R3845 <-> R2600
>
> Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from
> SW1
>
> Switch info...
>
> SW3750(config)#siib | i 35
> Vlan35                 192.168.35.9    YES NVRAM  up                    up
>
> Security Router configurations...
>
> hostname R3845
>
> aaa new-model
> aaa authentication login no_aaa none
> aaa authentication login local_aaa local
> aaa authorization auth-proxy default local
>
> username aptest privilege 15 password 0 apworkplease
>
> ip port-map telnet port tcp 3023
> ip inspect name watch_telnet telnet audit-trail on
> ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
>
> interface GigabitEthernet0/0
>  ip address 192.168.35.254 255.255.255.0
>  ip inspect watch_telnet in
>  ip auth-proxy SW1-Proxy
>  ip virtual-reassembly
>
> interface GigabitEthernet0/1
>  ip address 77.77.77.254 255.255.255.0
>  ip virtual-reassembly
>
> access-list 102 permit tcp host 192.168.35.9 any eq telnet
> access-list 102 permit tcp host 192.168.35.9 any eq 3023
>
> Target router...
>
> hostname R2600-H
>
> interface FastEthernet0/0
>  ip address 77.77.77.26 255.255.255.0
>
> line vty 0 4
>  exec-timeout 60 0
>  password cisco
>  login
>  rotary 23
>
> RESULTS for straight telnet:
>
> SW3750#telnet 77.77.77.26
> Trying 77.77.77.26 ... Open
>
> Firewall authentication
>
> Username:aptest
> Password:
> Firewall authentication Success.
> Connection will be closed if remote server does not respond
> Connecting to remote server...
>
> User Access Verification
>
> Password:
> R2600>
>
> Debug from 3845:
>
> R3845(config)#
> *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
> *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
> *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
> *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
> *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
> *Apr 27 18:00:37.269:  AUTH-TELNET: Opening Server side
> *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
> *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
> *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
> initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
> *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session:
> initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23)
> sent 74 bytes
> R3845(config)#
>
> RESULTS for telnet on 3023:
>
> R3845(config)#do clear ip auth-proxy cache *
>
> SW3750#telnet 77.77.77.26 3023
> Trying 77.77.77.26, 3023 ... Open
>
> User Access Verification
>
> Password:
> R2600>
>
> Logs from 3845 verifying telnet inspection:
>
> R3845(config)#
> *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
> initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
> *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session:
> initiator (192.168.35.9:57857) sent 67 bytes -- responder (
> 77.77.77.26:3023) sent 86 bytes
>
> As shown, telnet on 3023 bypasses auth-proxy entirely.
>
> Thanks for any input.
>
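The two tests in Roger's post (`telnet 77.77.77.26` and `telnet 77.77.77.26 3023`) are the practical check here: whichever banner answers first tells you whether auth-proxy is in the path for that port. The script below is an added example, not code from the original post, from Cisco or from IPexpert. It automates that check for a list of ports: connect, decline the telnet options the far end negotiates (the proxy does the same in the debug above, answering each FF,FB option with FF,FE, i.e. IAC DONT), collect the banner up to the first prompt, and classify it using the strings visible in the transcript: "Firewall authentication" followed by "Username:" means auth-proxy answered; "User Access Verification" / "Password:" means the target VTY answered directly. Host and port arguments on the command line, the 5-second timeout and the banner strings used for classification are this script's assumptions, taken from the transcript rather than from any Cisco documentation.

```python
"""Probe TCP ports and report whether IOS auth-proxy intercepted the session.

Added example (not from the original post). Banner strings are those shown in
the thread's transcript; host/ports are command-line assumptions.
"""
import socket
import sys

# Telnet protocol constants (RFC 854): IAC prefixes every command.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def parse_telnet(data: bytes) -> tuple[bytes, list[bytes]]:
    """Split a telnet stream into (visible_text, option_replies).

    Option negotiation is IAC WILL/WONT/DO/DONT <opt>, the FF,FB/FD/FC/FE
    triples seen in the AUTH-PROXY debug (FF,FD,3 = IAC DO SUPPRESS-GO-AHEAD,
    FF,FB,18 = IAC WILL TERMINAL-TYPE). Like the proxy, which "writes back"
    FF,FE (IAC DONT), we decline everything: DO -> WONT, WILL -> DONT, so the
    far end stops negotiating and sends its banner. Subnegotiation
    (IAC SB ... IAC SE) is dropped and an escaped IAC IAC is a literal 0xFF.
    """
    text = bytearray()
    replies: list[bytes] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:  # truncated IAC at end of buffer: ignore it
            break
        cmd = data[i + 1]
        if cmd == IAC:
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 < n:
                opt = data[i + 2]
                if cmd == DO:
                    replies.append(bytes([IAC, WONT, opt]))
                elif cmd == WILL:
                    replies.append(bytes([IAC, DONT, opt]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2  # other two-byte command (NOP, GA, ...)
    return bytes(text), replies


def classify_banner(raw: bytes) -> str:
    """Map a raw banner to 'auth-proxy', 'direct' or 'unknown'."""
    text, _ = parse_telnet(raw)
    s = text.decode("ascii", errors="replace")
    if "Firewall authentication" in s and "Username:" in s:
        return "auth-proxy"  # the IOS auth-proxy telnet login page answered
    if "User Access Verification" in s or "Password:" in s:
        return "direct"  # the target router's VTY answered: no interception
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port, gather the banner up to the first prompt, classify it."""
    raw = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            _, replies = parse_telnet(chunk)
            for reply in replies:
                sock.sendall(reply)
            text, _ = parse_telnet(bytes(raw))
            if text.rstrip().endswith((b"Username:", b"Password:")):
                break
    return classify_banner(bytes(raw))


def main(argv: list[str]) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} HOST PORT [PORT ...]   e.g. 77.77.77.26 23 3023")
        return 2
    host = argv[1]
    for port in (int(p) for p in argv[2:]):
        try:
            verdict = probe(host, port)
        except OSError as exc:
            verdict = f"error ({exc})"
        print(f"{host}:{port}  {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host behind the auth-proxy interface (the SW3750's position in the topology) against the target and every port you expect to be intercepted; a "direct" verdict on a port listed in the auth-proxy ACL is exactly the bypass the post demonstrates for 3023. Clear the cache first (`clear ip auth-proxy cache *`), as Roger did, or an earlier successful authentication for the same source address will let later probes through without a prompt.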