Roger,

Although I cannot 100% confirm it, I am pretty sure that auth proxy needs to be running on the standard well-known ports to be supported, which would definitely explain your results.

I know that when using http, for instance, it must be running on port 80 for auth proxy to work, and this is specifically stated in the documentation. So I'm pretty sure for telnet it will only run on port 23, and port 21 for ftp. I'm certain that someone will correct me if I am missing something, but to be honest I have never tried this approach.

Stu

On Tue, Apr 27, 2010 at 8:49 PM, Roger Cheeks <[email protected]> wrote:

> Just as an FYI - neither of those solutions worked. I'm going to read some
> to see if this is a supported feature.
>
> Thanks
>
> On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:
>
>> Second option is to use a NAT statement to redirect 3023 to 23 on the
>> router. But try the first thing.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Roger Cheeks
>> Sent: Tuesday, April 27, 2010 1:58 PM
>> To: OSL Security
>> Subject: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
>>
>> Has anyone ever gotten this to work for http or telnet? This is a little
>> long, sorry for that.
>>
>> Topology
>>
>> SW1 <-> R3845 <-> R2600
>>
>> Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from
>> SW1
>>
>> Switch info...
>>
>> SW3750(config)#siib | i 35
>> Vlan35 192.168.35.9 YES NVRAM up up
>>
>> Security Router configurations...
>>
>> hostname R3845
>>
>> aaa new-model
>> aaa authentication login no_aaa none
>> aaa authentication login local_aaa local
>> aaa authorization auth-proxy default local
>>
>> username aptest privilege 15 password 0 apworkplease
>>
>> ip port-map telnet port tcp 3023
>> ip inspect name watch_telnet telnet audit-trail on
>> ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102
>>
>> interface GigabitEthernet0/0
>>  ip address 192.168.35.254 255.255.255.0
>>  ip inspect watch_telnet in
>>  ip auth-proxy SW1-Proxy
>>  ip virtual-reassembly
>>
>> interface GigabitEthernet0/1
>>  ip address 77.77.77.254 255.255.255.0
>>  ip virtual-reassembly
>>
>> access-list 102 permit tcp host 192.168.35.9 any eq telnet
>> access-list 102 permit tcp host 192.168.35.9 any eq 3023
>>
>> Target router...
>>
>> hostname R2600-H
>>
>> interface FastEthernet0/0
>>  ip address 77.77.77.26 255.255.255.0
>>
>> line vty 0 4
>>  exec-timeout 60 0
>>  password cisco
>>  login
>>  rotary 23
>>
>> RESULTS for straight telnet:
>>
>> SW3750#telnet 77.77.77.26
>> Trying 77.77.77.26 ... Open
>>
>> Firewall authentication
>> Username:aptest
>> Password:
>> Firewall authentication Success.
>> Connection will be closed if remote server does not respond
>> Connecting to remote server...
>>
>> User Access Verification
>>
>> Password:
>> R2600>
>>
>> Debug from 3845:
>>
>> R3845(config)#
>> *Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
>> *Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
>> *Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
>> *Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
>> *Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
>> *Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
>> *Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
>> *Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
>> *Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
>> *Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
>> *Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
>> *Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
>> *Apr 27 18:00:37.065: AUTH-PROXY:turning off options
>> *Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
>> *Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
>> *Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
>> *Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
>> *Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
>> R3845(config)#
>>
>> RESULTS for telnet on 3023:
>>
>> R3845(config)#do clear ip auth-proxy cache *
>>
>> SW3750#telnet 77.77.77.26 3023
>> Trying 77.77.77.26, 3023 ... Open
>>
>> User Access Verification
>>
>> Password:
>> R2600>
>>
>> Logs from 3845 verifying telnet inspection:
>>
>> R3845(config)#
>> *Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
>> *Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
>>
>> As shown, telnet on 3023 bypasses auth-proxy entirely.
>>
>> Thanks for any input.
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>

--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
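The thread's finding is that CBAC inspection follows the `ip port-map` (the 3023 session is logged as a telnet session) while auth-proxy only intercepts the well-known port, so a port-mapped session is inspected but never authenticated. The following script is an added example (not code from the thread or from Cisco) that audits IOS log output for exactly that gap: it pairs each `%FW-6-SESS_AUDIT_TRAIL_START` line with a preceding `AUTH-PROXY:srcaddr/dstaddr of server side` pair and flags inspected sessions whose responder port is not the standard port for the auth-proxy protocols. The sample log is constructed from the debug lines quoted above; the assumption that one `AUTH-TELNET: Opening Server side` event corresponds to one proxied connection is mine, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the R3845 debug output quoted in the thread.
SAMPLE_LOG = """\
*Apr 27 18:00:37.269: AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# Ports on which auth-proxy is documented to intercept each protocol.
STANDARD_PORTS = {"telnet": 23, "ftp": 21, "http": 80}

START_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %FW-6-SESS_AUDIT_TRAIL_START: "
    r"Start (?P<proto>\w+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) "
    r"-- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)
AP_SRC_RE = re.compile(r"AUTH-PROXY:srcaddr of server side is (?P<src>[\d.]+)")
AP_DST_RE = re.compile(r"AUTH-PROXY:dstaddr of server side is (?P<dst>[\d.]+)")


@dataclass
class Finding:
    timestamp: str
    proto: str
    src: str
    dst: str
    dport: int
    proxied: bool   # an auth-proxy server-side open preceded this session
    verdict: str


def audit(log: str) -> List[Finding]:
    """Walk the log once; match inspected sessions against auth-proxy opens."""
    pending_src: Optional[str] = None
    opened: List[Tuple[str, str]] = []   # (src, dst) pairs opened by auth-proxy, unmatched so far
    findings: List[Finding] = []
    for line in log.splitlines():
        m = AP_SRC_RE.search(line)
        if m:
            pending_src = m.group("src")
            continue
        m = AP_DST_RE.search(line)
        if m and pending_src is not None:
            # Assumption: one srcaddr/dstaddr pair per proxied connection.
            opened.append((pending_src, m.group("dst")))
            pending_src = None
            continue
        m = START_RE.search(line)
        if not m:
            continue
        proto, src, dst = m["proto"], m["src"], m["dst"]
        dport = int(m["dport"])
        proxied = (src, dst) in opened
        if proxied:
            opened.remove((src, dst))
        std = STANDARD_PORTS.get(proto)
        if std is not None and dport != std:
            verdict = (f"{proto} inspected on non-standard port {dport}: "
                       f"auth-proxy only intercepts port {std}, session was not authenticated")
        elif proxied:
            verdict = "auth-proxy intercepted and proxied this session"
        else:
            verdict = "no auth-proxy server-side open seen (cache hit, or auth-proxy not triggered)"
        findings.append(Finding(m["ts"], proto, src, dst, dport, proxied, verdict))
    return findings


def bypasses(log: str) -> List[Finding]:
    """Only the sessions that reached an auth-proxy protocol on a non-standard port."""
    return [f for f in audit(log)
            if STANDARD_PORTS.get(f.proto) not in (None, f.dport)]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.src} -> {f.dst}:{f.dport}  {f.verdict}")
```

Run against the sample, the port-23 session is reported as proxied and the port-3023 session is reported as inspected but unauthenticated, which is the behaviour Roger observed. Feeding the router's syslog export into `bypasses()` gives a quick check that no port-mapped service is silently skipping authentication before a NAT redirect (Tyson's second option) is considered.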
