OK, so it should also work without virtual IP but you must connect to something behind the ASA. If you want to authenticate your users connecting to the ASA you must use virtual IP.
Regards, Piotr 2012/1/5 Eugene Pefti <[email protected]> > Thanks, Piotr,**** > > I thought that “virtual http” and “authentication listener” are two > different methods. And using “virtual http” requires an additional IP > address which is luxury in my case ;)**** > > ** ** > > Eugene**** > > ** ** > > *From:* Piotr Matusiak [mailto:[email protected]] > *Sent:* 04 January 2012 04:04 > *To:* Eugene Pefti > *Cc:* ccie security > *Subject:* Re: [OSL | CCIE_Security] Cut-through proxy authentication > with HTTP redirection**** > > ** ** > > Hi Eugene, > > The ASA tries to open up ASDM connection. > > To achieve what you want configure the following: > > virtual http 192.168.1.99 > aaa authentication listener https inside port 1111 redirect > > > Then you'll be able to connect to https://192.168.1.99 and be redirected > to port 1111 > > Regards, > Piotr > > **** > > 2012/1/4 Eugene Pefti <[email protected]>**** > > Hello everyone,**** > > I started the New year with my resolution to get back to CCIE studies > and immediately I was challenged by the client of us asking to configure > them network access controls with cut-through proxy authentication.**** > > Their particular task was to authentication the traffic that is not part > of four well-known protocols (FTP, Telnet, HTTP and HTTPs) that would > trigger authentication in the classic situation.**** > > They need to authenticate RDP and SSH traffic through the ASA and I > followed this document published at Cisco support forum:**** > > https://supportforums.cisco.com/docs/DOC-14842**** > > **** > > My intention was to have users open their web browser, connect to the ASA > interface IP address via HTTPS, authenticate and voila, the RDP and SSH > traffic defined in the authentication ACL would be authenticated.**** > > **** > > I.e.**** > > access-list CTP_AUTH extended permit tcp any any eq https > access-list CTP_AUTH extended permit tcp any any eq 3389 > access-list CTP_AUTH extended permit tcp any any eq ssh **** > > **** > > aaa authentication match CTP_AUTH inside LOCAL**** > > aaa authentication listener https inside port 1111**** > > **** > > Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA > inside IP address) to authentication against a local user database and it > doesn't work. The ASA rewrites the URL and says "File not found".**** > > I don't want to use virtual HTTP for the reasons described in the above > said document. Am I missing something? Is it really an approvement or just > a documentation defect misleading people ?**** > > **** > > Eugene**** > > **** > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com**** > > ** ** >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
