Nope, Virtual IP is a different IP address that the ASA will listen on.
2012/1/5 Diego Cambronero <[email protected]>
> Correct me if I am wrong. Virtual http or telnet uses the IP address of the ASA and the aaa listener uses a connection through the ASA to authenticate.
>
> On 05/01/2012, at 08:43 a.m., Piotr Matusiak <[email protected]> wrote:
>
> Hi Kings,
>
> As I said to Eugene, in this case direct auth will not work because the ASA thinks that this is an ASDM connection.
> Enable logging and see the messages.
>
> Regards,
> Piotr
>
> 2012/1/5 Kingsley Charles <[email protected]>
>> Hi Piotr
>>
>> Has direct authentication worked for you? I have tried pointing my browser to the outside interface IP with both HTTP port 8080 and HTTPS port 4443, but it doesn't work with the following configuration.
>>
>> aaa authentication listener http outside port 8080 redirect
>> aaa authentication listener https outside port 4443 redirect
>>
>> With regards
>> Kings
>>
>> On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
>>> OK, so it should also work without virtual IP, but you must connect to something behind the ASA. If you want to authenticate your users connecting to the ASA, you must use virtual IP.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2012/1/5 Eugene Pefti <[email protected]>
>>>> Thanks, Piotr,
>>>>
>>>> I thought that "virtual http" and "authentication listener" are two different methods. And using "virtual http" requires an additional IP address, which is a luxury in my case ;)
>>>>
>>>> Eugene
>>>>
>>>> From: Piotr Matusiak [mailto:[email protected]]
>>>> Sent: 04 January 2012 04:04
>>>> To: Eugene Pefti
>>>> Cc: ccie security
>>>> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>>>>
>>>> Hi Eugene,
>>>>
>>>> The ASA tries to open up an ASDM connection.
>>>>
>>>> To achieve what you want, configure the following:
>>>>
>>>> virtual http 192.168.1.99
>>>> aaa authentication listener https inside port 1111 redirect
>>>>
>>>> Then you'll be able to connect to https://192.168.1.99 and be redirected to port 1111.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2012/1/4 Eugene Pefti <[email protected]>
>>>>> Hello everyone,
>>>>>
>>>>> I started the New Year with my resolution to get back to CCIE studies, and immediately I was challenged by a client of ours asking us to configure network access controls with cut-through proxy authentication.
>>>>>
>>>>> Their particular task was to authenticate the traffic that is not part of the four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would trigger authentication in the classic situation.
>>>>>
>>>>> They need to authenticate RDP and SSH traffic through the ASA, and I followed this document published at the Cisco support forum:
>>>>>
>>>>> https://supportforums.cisco.com/docs/DOC-14842
>>>>>
>>>>> My intention was to have users open their web browser, connect to the ASA interface IP address via HTTPS, authenticate and voila, the RDP and SSH traffic defined in the authentication ACL would be authenticated.
>>>>>
>>>>> I.e.
>>>>>
>>>>> access-list CTP_AUTH extended permit tcp any any eq https
>>>>> access-list CTP_AUTH extended permit tcp any any eq 3389
>>>>> access-list CTP_AUTH extended permit tcp any any eq ssh
>>>>>
>>>>> aaa authentication match CTP_AUTH inside LOCAL
>>>>> aaa authentication listener https inside port 1111
>>>>>
>>>>> Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA inside IP address) to authenticate against a local user database, and it doesn't work. The ASA rewrites the URL and says "File not found".
>>>>>
>>>>> I don't want to use virtual HTTP for the reasons described in the above-mentioned document. Am I missing something? Is it really an improvement, or just a documentation defect misleading people?
>>>>>
>>>>> Eugene
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
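An added example, not from any participant in the thread: a small Python audit of the cut-through proxy lines discussed above. It encodes the thread's conclusions as checks (RDP/SSH have no login prompt of their own, so an authentication ACL covering them needs a listener on that interface; a listener without `virtual http` only authenticates users who are redirected from a host behind the ASA, since browsing to the interface IP itself is taken as an ASDM connection). The sample config is constructed from the lines quoted in the thread; the regexes and the `audit_cut_through` function are mine, not Cisco's.

```python
import re

# Constructed sample assembled from the config lines quoted in the thread
# (Eugene's first attempt); not an export from a real device.
SAMPLE_CONFIG = """
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ .* eq (\S+)$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
LISTENER_RE = re.compile(r"^aaa authentication listener (https?) (\S+) port (\d+)( redirect)?$")
VIRTUAL_RE = re.compile(r"^virtual (http|telnet) (\S+)$")

# Protocols whose own login prompt triggers cut-through auth (the thread's
# "four well-known protocols"); anything else needs a listener to pre-auth.
CLASSIC = {"ftp", "21", "telnet", "23", "http", "80", "https", "443"}


def audit_cut_through(config: str) -> list:
    """Return reviewer findings for the cut-through proxy parts of an ASA config."""
    acls, matches, listeners, virtual = {}, [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := MATCH_RE.match(line):
            matches.append((m[1], m[2]))          # (acl name, interface)
        elif m := LISTENER_RE.match(line):
            listeners.append((m[1], m[2], int(m[3]), m[4] is not None))
        elif m := VIRTUAL_RE.match(line):
            virtual[m[1]] = m[2]

    findings = []
    for acl, iface in matches:
        non_classic = [p for p in acls.get(acl, []) if p not in CLASSIC]
        on_iface = [l for l in listeners if l[1] == iface]
        if non_classic and not on_iface:
            findings.append(f"{iface}: {acl} authenticates {non_classic} but has no listener")
        for proto, _, port, redirect in on_iface:
            # Thread conclusion: without 'virtual http', browsing to the
            # interface IP is treated as ASDM, so users can only authenticate
            # when the listener redirects them from a host behind the ASA.
            if "http" not in virtual:
                mode = "redirect" if redirect else "no redirect"
                findings.append(
                    f"{iface}: {proto} listener on port {port} ({mode}) without "
                    "'virtual http'; direct browsing to the interface IP will fail")
    return findings
```

Appending `virtual http 192.168.1.99` (Piotr's fix) to the sample clears the finding; an ACL with only the four classic protocols and no listener produces none.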
