Hi Roger,
 
I am not sure about Telnet, but I was able to get Auth-Proxy to work on
non-standard ports for HTTP and HTTPS.
 
Here is what I added in addition to the default Auth-Proxy configuration.

ip port-map http port tcp 8088
ip port-map https port tcp 5796
 
ip http server
ip http port 8088
ip http secure-server
ip http secure-port 5796
 

After that, try http://(Server's ip address):8088 or https://(Server's ip address):5796

Regards,
Mohamed Gazzaz

From: [email protected]
To: [email protected]
Date: Tue, 27 Apr 2010 16:50:25 -0400
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?

The first option will work for HTTP.  Not sure on telnet working with a 
separate port.
 
Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
 
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio 
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, 
Voice, Security & Service Provider) certification(s) with training locations 
throughout the United States, Europe, South Asia and Australia. Be sure to 
visit our online communities at www.ipexpert.com/communities and our public 
website at www.ipexpert.com
 

From: Roger Cheeks [mailto:[email protected]] 
Sent: Tuesday, April 27, 2010 3:50 PM
To: Tyson Scott
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard 
ports?
 
Just as an FYI - neither of those solutions worked.  I'm going to read some to see if this is a supported feature.

Thanks

On Tue, Apr 27, 2010 at 2:01 PM, Tyson Scott <[email protected]> wrote:

Second option is to use a NAT statement to redirect 3023 to 23 on the router.  But try the first thing.

 
Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130


From: [email protected] 
[mailto:[email protected]] On Behalf Of Roger Cheeks
Sent: Tuesday, April 27, 2010 1:58 PM
To: OSL Security
Subject: [OSL | CCIE_Security] can IOS auth-proxy work for non-standard ports?
 
Has anyone ever gotten this to work for http or telnet?  This is a little long, sorry for that.

Topology

SW1 <-> R3845 <-> R2600

Goal - force auth-proxy for telnet (on 23 and 3023) sessions to R2600 from SW1

Switch info...

SW3750(config)#siib | i 35
Vlan35                 192.168.35.9    YES NVRAM  up                    up

Security Router configurations...

hostname R3845

aaa new-model
aaa authentication login no_aaa none
aaa authentication login local_aaa local
aaa authorization auth-proxy default local

username aptest privilege 15 password 0 apworkplease

ip port-map telnet port tcp 3023
ip inspect name watch_telnet telnet audit-trail on
ip auth-proxy name SW1-Proxy telnet inactivity-time 60 list 102

interface GigabitEthernet0/0
 ip address 192.168.35.254 255.255.255.0
 ip inspect watch_telnet in
 ip auth-proxy SW1-Proxy
 ip virtual-reassembly

interface GigabitEthernet0/1
 ip address 77.77.77.254 255.255.255.0
 ip virtual-reassembly

access-list 102 permit tcp host 192.168.35.9 any eq telnet
access-list 102 permit tcp host 192.168.35.9 any eq 3023

Target router...

hostname R2600-H

interface FastEthernet0/0
 ip address 77.77.77.26 255.255.255.0

line vty 0 4
 exec-timeout 60 0
 password cisco
 login
 rotary 23

RESULTS for straight telnet:

SW3750#telnet 77.77.77.26
Trying 77.77.77.26 ... Open

Firewall authentication
Username:aptest
Password:
Firewall authentication Success.
Connection will be closed if remote server does not respond
Connecting to remote server...

User Access Verification

Password: 
R2600>

Debug from 3845:

R3845(config)#
*Apr 27 18:00:29.641: AUTH-PROXY:incremented proxy_proc_count=1
*Apr 27 18:00:29.641: AUTH-PROXY:written opts and USERNAME:42
*Apr 27 18:00:29.641: AUTH-PROXY:Client sent DO SPGA
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FD,3
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,18
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,17
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,20
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,1F
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.641: AUTH-PROXY:option=FF,FB,21
*Apr 27 18:00:29.641: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:29.645: AUTH-PROXY:Client sent DO ECHO
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FD,1
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,18
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,18
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,17
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,17
*Apr 27 18:00:29.645: AUTH-PROXY:option=FF,FC,20
*Apr 27 18:00:29.645: AUTH-PROXY:writing back option=FF,FE,20
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,1F
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,1F
*Apr 27 18:00:29.649: AUTH-PROXY:option=FF,FC,21
*Apr 27 18:00:29.649: AUTH-PROXY:writing back option=FF,FE,21
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:carriage ret seen D
*Apr 27 18:00:33.781: AUTH-PROXY:ap_username:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:carr ret seen D
*Apr 27 18:00:37.065: AUTH-PROXY:ap_passwd:newline seen A
*Apr 27 18:00:37.065: AUTH-PROXY:turning off options
*Apr 27 18:00:37.269:  AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
R3845(config)#

RESULTS for telnet on 3023:

R3845(config)#do clear ip auth-proxy cache *

SW3750#telnet 77.77.77.26 3023
Trying 77.77.77.26, 3023 ... Open

User Access Verification

Password: 
R2600>

Logs from 3845 verifying telnet inspection:

R3845(config)#
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes

As shown, telnet on 3023 bypasses auth-proxy entirely.

 

Thanks for any input.
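The bypass Roger's logs show above (inspection sees the 3023 session, auth-proxy never runs) can be caught from the router's own output: a %FW-6-SESS_AUDIT_TRAIL_START for a telnet-mapped responder port that is not preceded, for the same initiator/responder pair, by the AUTH-PROXY server-side open lines. The script below is an added example, not part of the thread, and not Cisco's tooling. It runs over constructed log lines modelled on the 3845 output quoted above; the year (2010), the 5-second correlation window and the set of telnet-mapped ports {23, 3023} are assumptions taken from the thread's configuration, not values the router reports.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the 3845 debug/syslog output quoted in the thread.
# Session 1 (port 23) is preceded by the AUTH-PROXY server-side open; session 2 (port 3023) is not.
SAMPLE_LOG = """\
*Apr 27 18:00:37.269:  AUTH-TELNET: Opening Server side
*Apr 27 18:00:37.269: AUTH-PROXY:srcaddr of server side is 192.168.35.9
*Apr 27 18:00:37.269: AUTH-PROXY:dstaddr of server side is 77.77.77.26
*Apr 27 18:00:37.269: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:31233) -- responder (77.77.77.26:23)
*Apr 27 18:01:32.610: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:31233) sent 48 bytes -- responder (77.77.77.26:23) sent 74 bytes
*Apr 27 18:02:53.959: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.35.9:57857) -- responder (77.77.77.26:3023)
*Apr 27 18:03:42.196: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.35.9:57857) sent 67 bytes -- responder (77.77.77.26:3023) sent 86 bytes
"""

# IOS timestamps carry no year; 2010 is assumed from the thread's date.
YEAR = 2010
# Ports the router maps onto the telnet engine: 23 plus `ip port-map telnet port tcp 3023` (assumed from the config above).
TELNET_PORTS = {23, 3023}

TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): +(?P<msg>.*)$")
SRC_RE = re.compile(r"AUTH-PROXY:srcaddr of server side is (?P<ip>\S+)")
DST_RE = re.compile(r"AUTH-PROXY:dstaddr of server side is (?P<ip>\S+)")
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)


def parse_ts(ts: str) -> datetime:
    """Turn an IOS 'Apr 27 18:00:37.269' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")


def find_bypasses(log_text: str, window: timedelta = timedelta(seconds=5)) -> list[dict]:
    """Return telnet session starts on telnet-mapped ports that auth-proxy did not front.

    A session counts as proxied when an AUTH-PROXY srcaddr/dstaddr pair for the same
    initiator and responder was logged no more than `window` before the session start.
    """
    proxied: dict[tuple[str, str], datetime] = {}   # (src, dst) -> time of last proxy open
    pending_src = None                               # srcaddr seen, awaiting its dstaddr line
    bypasses = []
    for line in log_text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (s := SRC_RE.search(msg)):
            pending_src = s["ip"]
            continue
        if (d := DST_RE.search(msg)) and pending_src:
            proxied[(pending_src, d["ip"])] = ts
            pending_src = None
            continue
        st = START_RE.search(msg)
        if not st or st["proto"] != "telnet":
            continue
        dport = int(st["dport"])
        if dport not in TELNET_PORTS:
            continue   # not a port the policy is meant to cover
        last = proxied.get((st["src"], st["dst"]))
        if last is None or not (timedelta(0) <= ts - last <= window):
            bypasses.append({"ts": m["ts"], "src": st["src"], "dst": st["dst"], "dport": dport})
    return bypasses


if __name__ == "__main__":
    for b in find_bypasses(SAMPLE_LOG):
        print(f"{b['ts']}: telnet {b['src']} -> {b['dst']}:{b['dport']} started without auth-proxy")
```

Run against the sample, it reports only the 3023 session, which is exactly the case the thread is about; the port-23 session is accepted because the proxy open and the audit-trail start share the same timestamp. In practice the srcaddr/dstaddr lines come from `debug ip auth-proxy`, so the correlation only works while that debug (or an equivalent logging source) is enabled on the router.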

 

 
                                          