PIX Set up for Cut Through Proxy Authentication and Authorization

As discussed earlier, PIX can perform authentication for connections established through it. It also can perform authorization for the connections using an AAA server. Cut-through proxy refers to the fact that as soon as a user has been authenticated through the PIX Firewall, the PIX keeps a record of that user's authentication credentials and switches the rest of the packets from that user based on these credentials without going through the authentication phase again.

This case study shows how to set up authentication and authorization for users trying to access a server located at 99.99.99.99 via FTP, Telnet, or HTTP. The authorization parameters (not shown here) are fairly simple, restricting certain users to only a subset of the three services offered by this server (only HTTP and FTP).

Example 8-4 shows how a PIX is set up to do authorization and authentication. Figure 8-15 shows the network topology for this case study.

Figure 8-15 Network Topology for This Case Study

[Figure: PIX Firewall with its Outside interface at 99.99.99.1 and its Inside interface at 172.18.134.157]

Example 8-4 How PIX Is Set up to Do Authorization and Authentication

pixfirewall#wr t
PIX Version 5.2
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!The access list that follows is used later in the configuration to define the
!traffic that will be subjected to AAA services
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
!
!The access list below is used to allow access to the host located at 99.99.99.99
!via WWW, FTP, or Telnet.
access-list 110 permit tcp any host 99.99.99.99 eq www
access-list 110 permit tcp any host 99.99.99.99 eq ftp
access-list 110 permit tcp any host 99.99.99.99 eq telnet
access-group 110 in interface outside
!
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console debugging
no logging monitor
no logging buffered
no logging trap debugging
no logging history
no logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.1 255.255.255.0
ip address inside 172.18.124.157 255.255.255.0
ip audit info action alarm
ip audit attack action alarm


!The aaa commands below tie access list 101 to the AAA server groups: inbound
!traffic is authenticated and authorized, outbound traffic is authenticated only
aaa authentication match 101 outside AuthInbound
aaa authentication match 101 inside AuthOutbound
aaa authorization match 101 outside AuthInbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80

The PIX saves the credentials of an authenticated user in a data structure known as uauth. The user can access resources through the PIX until either the idle timer or the absolute timer of uauth expires. After that, the user has to authenticate again to access the resources sitting behind the PIX.
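The following is an added illustration (not Cisco code and not part of the case study) of the cut-through proxy state described above: a uauth cache keyed on source address with the idle and absolute timers, plus an access-list-101-style port match that decides which flows are subject to AAA at all. The port set, timer values and the "challenge"/"switch"/"bypass" results are constructed for the example.

```python
# Constructed model of PIX cut-through proxy behaviour (illustration only).
from dataclasses import dataclass

AAA_PORTS = {21, 23, 80}  # stands in for access-list 101: ftp, telnet, www


@dataclass
class UauthEntry:
    user: str
    created: float    # absolute timer counts from here
    last_seen: float  # idle timer resets on every packet switched


class CutThroughProxy:
    def __init__(self, idle_timeout: float, absolute_timeout: float):
        self.idle = idle_timeout
        self.absolute = absolute_timeout
        # Keyed on source IP, as uauth is: every host behind a shared NAT
        # address inherits the same entry, which is the classic uauth caveat.
        self.uauth: dict[str, UauthEntry] = {}

    def authenticate(self, src: str, user: str, now: float) -> None:
        """Record credentials once the AAA server has accepted the user."""
        self.uauth[src] = UauthEntry(user, created=now, last_seen=now)

    def _valid(self, entry: UauthEntry, now: float) -> bool:
        return (now - entry.created) < self.absolute and \
               (now - entry.last_seen) < self.idle

    def handle(self, src: str, dport: int, now: float) -> str:
        """Decide one packet: 'bypass' (no AAA), 'challenge', or 'switch'."""
        if dport not in AAA_PORTS:
            return "bypass"        # not matched by the aaa match ACL
        entry = self.uauth.get(src)
        if entry is None:
            return "challenge"     # first flow from this host: authenticate
        if not self._valid(entry, now):
            del self.uauth[src]    # idle or absolute timer expired
            return "challenge"     # user must authenticate again
        entry.last_seen = now      # cut-through: packet switched on cached creds
        return "switch"
```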
