Cisco PIX 525 Especificaciones Pagina 273
- Pagina / 604
- Tabla de contenidos
- SOLUCIÓN DE PROBLEMAS
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
16-5
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 16 Applying AAA for Network Access
Configuring Authentication for Network Access
Note The Cisco Systems text field shown in this example was customized using the auth-prompt command.
For the detailed syntax of this command refer to the Cisco Security Appliance Command Reference. If
you do not enter a string using the auth-prompt command, this field will be blank.
After the user enters a valid username and password, an “Authentication Successful” page appears and
closes automatically. If the user fails to enter a valid username and password, an “Authentication Failed”
page appears.
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not succeed.
• When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might
not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even if the
correct username and password are entered each time. To work around this, set the uauth timeout
to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second
window of opportunity that might allow non-authenticated users to go through the firewall if they
are coming from the same source IP address.
• Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list
command statement to block traffic from the HTTP client to HTTP server on port 443. Furthermore,
if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In
the following example, the first line configures static PAT for web traffic and the second line must
be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443
• HTTP users see a pop-up window generated by the browser itself if aaa authentication
secure-http-client is not configured. If aaa authentication secure-http-client is configured, a
form loads in the browser to collect username and password. In either case, if a user enters an
incorrect password, the user is prompted again. When the web server and the authentication server
are on different hosts, use the virtual command to get the correct authentication behavior.
To enable secure authentication of web clients, perform the following steps:
Step 1 Enable HTTP authentication. For more information about enabling authentication, see the “Enabling
Network Access Authentication” section on page 16-3.
Step 2 To enable secure authentication of web clients, enter this command:
aaa authentication secure-http-client
Note Use of the aaa authentication secure-http-client command is not dependent upon enabling HTTP
authentication. If you prefer, you can enter this command before you enable HTTP authentication so that
if you later enable HTTP authentication, usernames and passwords are already protected by secured
web-client authentication.
- Configuration Guide 1
- CONTENTS 3
- 2 Getting Started 2-1 4
- 9 Configuring IPv6 9-1 6
- 11 Configuring Failover 11-1 7
- 2 Configuring the Firewall 9
- 14 Applying NAT 14-1 10
- Contents 11
- OL-6721-01 11
- 20 Applying QoS Policies 20-1 13
- 3 Configuring VPN 16
- 4 System Administration 19
- B Sample Configurations B-1 21
- About This Guide 23
- Related Documentation 24
- Document Organization 24
- Part 3: Configuring VPN 25
- Document Conventions 26
- Obtaining Documentation 27
- Documentation Feedback 27
- Submitting a Service Request 28
- Firewall Functional Overview 33
- Security Policy Overview 34
- Stateful Inspection Overview 36
- VPN Functional Overview 37
- Security Context Overview 37
- Security Context Overview 38
- Getting Started 39
- Saving Configuration Changes 41
- Viewing the Configuration 41
- Interface.” 43
- Unsupported Features 46
- Context Configuration Files 46
- Shared Interface Guidelines 51
- Cascading Security Contexts 53
- Restoring Single Context Mode 55
- Configuring Ethernet Settings 57
- Configuring Subinterfaces 58
- Configuring Subinterfaces 60
- Removing a Security Context 65
- Changing the Admin Context 65
- Reloading a Security Context 67
- Monitoring Security Contexts 68
- Viewing Resource Usage 69
- Security Level Overview 71
- Configuring the Interface 72
- Security Level 74
- Configuring Basic Settings 77
- Setting the Hostname 78
- Setting the Domain Name 78
- Setting the Date and Time 78
- Configuring a Static Route 84
- Configuring OSPF 85
- OSPF Overview 86
- Enabling OSPF 87
- Adding a Route Map 88
- Configuring OSPF NSSA 93
- Generating a Default Route 95
- Monitoring OSPF 97
- Restarting the OSPF Process 97
- Configuring RIP 98
- Configuring Multicast Routing 99
- Enabling Multicast Routing 100
- Configuring IGMP Features 100
- Configuring Group Membership 101
- Changing the IGMP Version 103
- Configuring PIM Features 104
- Configuring DHCP 106
- Configuring DHCP Options 108
- Configuring the DHCP Client 110
- Configuring IPv6 111
- Configuring IPv6 Access Lists 114
- The show ipv6 route Command 116
- IPv6 Configuration Example 117
- AAA Overview 119
- About Authentication 120
- About Authorization 120
- About Accounting 120
- Summary of Support 121
- RADIUS Server Support 122
- TACACS+ Server Support 123
- SDI Server Support 124
- NT Server Support 125
- Kerberos Server Support 125
- LDAP Server Support 126
- Local Database Support 126
- Fallback Support 127
- Configuring Failover 133
- Failover System Requirements 134
- The Failover and State Links 135
- State Link 136
- Active/Standby Failover 137
- Understanding Failover 138
- Command Replication 139
- Failover Triggers 140
- Failover Actions 140
- Active/Active Failover 141
- Regular and Stateful Failover 145
- Failover Health Monitoring 146
- Prerequisites 148
- Configuring the Primary Unit 150
- Configuring Failover Criteria 154
- Configure the Primary Unit 157
- Configure the Secondary Unit 159
- Figure 11-1 ASR Example 163
- Configuring Failover 164
- Show Failover—Active/Active 169
- Viewing Monitored Interfaces 173
- Forcing Failover 174
- Disabling Failover 175
- Monitoring Failover 175
- Debug Messages 176
- Configuring the Firewall 185
- Firewall Mode Overview 187
- IP Routing Support 188
- Network Address Translation 188
- Routed Mode Overview 189
- Figure 12-2 Inside to Outside 190
- Transparent Mode Overview 194
- Transparent Firewall Features 195
- Transparent Mode Overview 196
- Access List Overview 203
- Access List Types and Uses 204
- Access List Overview 206
- VPN Access (Extended) 207
- Access List Guidelines 208
- Access Control Implicit Deny 209
- Adding a Standard Access List 215
- Adding Object Groups 216
- Adding a Network Object Group 217
- Adding a Service Object Group 217
- Nesting Object Groups 219
- Displaying Object Groups 221
- Removing Object Groups 221
- Time Range Options 222
- Logging Access List Activity 222
- Access List Logging Overview 223
- access_list_name 224
- Managing Deny Flows 225
- Applying NAT 227
- Introduction to NAT 228
- NAT Control 229
- Chapter 14 Applying NAT 230
- NAT Overview 230
- NAT Types 231
- Static NAT 233
- Static PAT 233
- Figure 14-7 Static PAT 234
- Policy NAT 235
- Mapped Address Guidelines 239
- DNS and NAT 240
- Configuring NAT Control 241
- Using Dynamic NAT and PAT 242
- Global 2: 209.165.201.11 245
- NAT 2: 192.168.1.0/24 245
- Figure 14-19 Dynamic NAT 248
- Figure 14-20 Dynamic PAT 248
- Using Static NAT 251
- Using Static PAT 252
- Bypassing NAT 255
- 209.165.201.1 209.165.201.1 256
- Inside Outside 256
- 209.165.201.2 209.165.201.2 256
- Security 256
- Appliance 256
- Configuring NAT Exemption 257
- NAT Examples 258
- Overlapping Networks 259
- Redirecting Ports 260
- NAT Examples 262
- AAA Performance 269
- Authentication Overview 270
- Applying Filtering Services 281
- Filtering ActiveX Objects 282
- Filtering Java Applets 283
- Filtering Overview 284
- General Procedure 285
- Filtering HTTP URLs 287
- Filtering HTTPS URLs 288
- Filtering FTP Requests 289
- Viewing Caching Statistics 291
- Overview 293
- Class Map Example 296
- Policy Map Procedure 297
- Policy Map Examples 298
- Restrictions 299
- Action Order 301
- Advanced Options 302
- Types of Direction Policies 303
- Implicit Direction Policies 303
- Examples 303
- Service Policy and NAT 306
- Configuring TCP Normalization 310
- Preventing IP Spoofing 311
- Configuring the Fragment Size 313
- Blocking Unwanted Connections 313
- Applying QoS Policies 315
- QoS Concepts 316
- Identifying Traffic for QoS 317
- Classifying Traffic for QoS 318
- Defining a QoS Policy Map 320
- Applying Rate Limiting 320
- Verifying QoS Statistics 322
- Activating the Service Policy 323
- Applying Low Latency Queueing 323
- Configuring Priority Queuing 324
- Sizing the Priority Queue 324
- Reducing Queue Latency 324
- Viewing QoS Statistics 325
- How Inspection Engines Work 328
- Supported Protocols 329
- Managing CTIQBE Inspection 336
- Managing FTP Inspection 340
- Configuring FTP Inspection 341
- Managing GTP Inspection 345
- Managing H.323 Inspection 350
- Limitations and Restrictions 351
- Monitoring H.225 Sessions 354
- Monitoring H.245 Sessions 355
- Monitoring H.323 RAS Sessions 355
- Managing HTTP Inspection 356
- Managing MGCP Inspection 359
- MGCP Inspection Overview 360
- Managing MGCP Inspection 361
- Managing RTSP Inspection 365
- RTSP Inspection Overview 366
- Using RealPlayer 366
- Restrictions and Limitations 367
- Managing SIP Inspection 369
- SCCP Inspection Overview 373
- Supporting Cisco IP Phones 374
- Managing SNMP Inspection 379
- SNMP Inspection Overview 380
- Parameters 383
- Adding a Static ARP Entry 384
- Enabling ARP Inspection 384
- MAC Address Table Overview 385
- Adding a Static MAC Address 385
- Viewing the MAC Address Table 386
- Configuring VPN 387
- Configuring IPSec and ISAKMP 389
- IPSec Overview 390
- Configuring ISAKMP 390
- ISAKMP Overview 391
- Configuring ISAKMP Policies 392
- Enabling IPSec over NAT-T 395
- Enabling IPSec over TCP 395
- Configuring IPSec 399
- Understanding Transform Sets 400
- Defining Crypto Maps 400
- Using Interface Access Lists 401
- Configuring IPSec 402
- Changing IPSec SA Lifetimes 403
- Using Dynamic Crypto Maps 406
- Configuring Client Update 412
- Configuring Client Update 414
- • Group Policies, page 25-10 415
- Tunnel Groups 416
- IPSec Connection Parameters 417
- Configuring Tunnel Groups 418
- Group Policies 424
- Default Group Policy 425
- Configuring Group Policies 426
- ACL name 428
- Configuring Users 440
- Configuring Specific Users 441
- Configuring User Attributes 442
- Configuring Users 446
- Configuring AAA Addressing 448
- Configuring DHCP Addressing 449
- Summary of the Configuration 451
- Configuring Interfaces 452
- Outside Interface 453
- Configuring an Address Pool 454
- Adding a User 454
- Creating a Transform Set 454
- Defining a Tunnel Group 455
- Step 4 Save your changes 456
- Step 3 Save your changes 456
- Configuring LAN-to-LAN VPNs 459
- Configuring an ACL 462
- Step 2 Save your changes 465
- Configuring Certificates 467
- Certificate Scalability 468
- About Key Pairs 468
- About Trustpoints 469
- About CRLs 469
- Certificate Configuration 470
- Configuring Key Pairs 471
- Configuring Trustpoints 472
- Obtaining Certificates 474
- [ certificate data omitted ] 476
- [ PKCS12 data omitted ] 480
- System Administration 483
- Managing System Access 485
- Allowing SSH Access 486
- Using an SSH Client 487
- Changing the Login Password 487
- Recovering from a Lockout 499
- Configuring a Login Banner 500
- Configurations 501
- Entering a New Activation Key 502
- Installation Overview 502
- Viewing Files in Flash Memory 502
- Backing Up the Configuration 506
- Using System Log Messages 509
- Using SNMP 509
- Enabling SNMP 511
- Testing Your Configuration 512
- Performing Password Recovery 517
- Other Troubleshooting Tools 519
- Common Problems 520
- Supported Platforms 523
- Platform Feature Licenses 523
- Platform Feature Licenses 524
- VPN Specifications 526
- Cryptographic Standards 527
- VPN Specifications 528
- Sample Configurations 529
- Figure B-2 Example 2 534
- Figure B-3 Example 3 536
- APPENDIX 545
- Command Modes and Prompts 546
- Syntax Formatting 547
- Abbreviating Commands 547
- Command-Line Editing 547
- Command Completion 547
- Command Help 548
- Filtering show Command Output 548
- Command Output Paging 549
- Adding Comments 549
- Text Configuration Files 550
- Line Order 551
- Passwords 551
- Text Configuration Files 552
- Private Networks 554
- Subnet Masks 554
- Determining the Subnet Mask 555
- Class C-Size Network Address 556
- Class B-Size Network Address 556
- IPv6 Addresses 557
- IPv6 Address Types 558
- Global Address 559
- Site-Local Address 559
- Link-Local Address 559
- Unspecified Address 560
- Loopback Address 560
- Interface Identifiers 560
- Multicast Address 560
- Anycast Address 561
- IPv6 Address Prefixes 562
- Protocols and Applications 563
- TCP and UDP Ports 564
- TCP and UDP Ports 565
- Local Ports and Protocols 566
- ICMP Types 567
- ICMP Types 568
- Numerics 569
- Glossary 570
© 2020, manymanuals.es. Todos los derechos reservados | 0.043 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales