

Problem in uauth (ASA)

Feb 14, 2012 8:50 AM

Shoaib Merchant 35 posts since
Oct 18, 2010

Hi mates,

 

I'm facing a problem with uauth. Here's the scenario:

 

(R1)-------in(ASA)out--------(R2)

 

I'm able to ping and telnet R2 from R1 without any uauth configs.

__________________________________________________________

 

Now I configured the following on the ASA:

 

ciscoasa# sho run username

username shoaib password xuVTv4w.XekEjyJj encrypted

 

ciscoasa# show run access-list UAUTH

access-list UAUTH extended permit tcp any host 1.1.1.2 eq telnet log

access-list UAUTH extended permit icmp any any log

 

ciscoasa# show run virtual

virtual telnet 1.1.1.2

 

ciscoasa# show run aaa

aaa authentication match UAUTH inside LOCAL

__________________________________________________________

 

Verifying from R1:

 

R1#telnet 1.1.1.2

Trying 1.1.1.2 ... Open

 

LOGIN Authentication

 

Authenticate Before Access

Username: shoaib

 

Password:

Access Granted

 

Authentication Successful

 

[Connection to 1.1.1.2 closed by foreign host]

R1#ping 1.1.1.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

__________________________________________________________

 

Verifying on ASA:

 

ciscoasa#sho access-list UAUTH

access-list UAUTH; 2 elements

access-list UAUTH line 1 extended permit tcp any host 1.1.1.2 eq telnet log informational interval 300 (hitcnt=10) 0xfb4a8d11

access-list UAUTH line 2 extended permit icmp any any log informational interval 300 (hitcnt=30) 0xfda7e5d9

 

ciscoasa# show uauth

                        Current    Most Seen

Authenticated Users       1          1

Authen In Progress        0          1

user 'shoaib' at 10.1.1.2, authenticated (idle for 0:00:11)

   absolute   timeout: 0:05:00

   inactivity timeout: 0:00:00

____________________________________

 

Traffic is matching both ACLs. Authentication is taking place using telnet, but I am not able to ping after being authenticated. Without all these configs, pings are working fine, so there are no issues with routing, ICMP inspection or anything of that sort.

 

What might be the problem here?

  • Paul Stewart  -  CCIE Security, CCSI 6,993 posts since
    Jul 18, 2008
    1. Feb 14, 2012 6:01 PM (in response to Shoaib Merchant)
    Re: Problem in uauth (ASA)

    Can you see if the pings are getting to R2? On R2, do a "debug ip icmp" just to make sure that ICMP echos aren't making it. It is very curious that it worked before, but not after adding the UAUTH. The ACL is more of a trigger than anything; I don't know why it would have an issue after the user is authenticated.

  • MIKIS 78 posts since
    Dec 12, 2010
    2. Apr 14, 2012 12:57 PM (in response to Shoaib Merchant)
    Re: Problem in uauth (ASA)

    Hello Shoaib

     

    Just for my understanding, what is the IP of R2?

    I see that you have configured a virtual telnet IP 1.1.1.2 on ASA and you try to ping the virtual telnet IP 1.1.1.2.

    I ran a small lab similar to yours with the following setup:

    R1 (100.0.11.1) -- (100.0.11.10 inside) ASA (outside 100.0.12.10) --- (100.0.12.2) R2

     

    username cisco password 3USUcOPFUiMCO4Jk encrypted

    virtual telnet 100.0.11.100

    aaa authentication match UAUTH inside LOCAL

    access-list UAUTH extended permit tcp any host 100.0.12.2 eq telnet

    access-list UAUTH extended permit icmp any any

    access-list UAUTH extended permit tcp any host 100.0.11.100 eq telnet

     

    R1 is able to ping R2 (100.0.12.2) after authenticating to the virtual-telnet IP (100.0.11.100).

    Without being authenticated, I see the following log on the ASA, which is absolutely normal:

    "User from 100.0.11.1/5 to 100.0.12.2/0 on interface inside using icmp must authenticate before using this service"

     

    R1#ping 100.0.12.2

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 100.0.12.2, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

    R1#telnet 100.0.11.100

    Trying 100.0.11.100 ... Open

     

    LOGIN Authentication

     

    Username: cisco

     

    Password:

     

    Authentication Successful

     

     

    [Connection to 100.0.11.100 closed by foreign host]

    R1#ping 100.0.12.2

     

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 100.0.12.2, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/123/256 ms
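The point MIKIS's reply circles around is that the virtual telnet address has to be an address nobody else uses: the original post reuses 1.1.1.2 for the virtual server and then pings 1.1.1.2, while the working lab puts the virtual server on a spare address (100.0.11.100) and keeps a separate entry for it in the auth ACL. The following lint is an added example written for this thread, not Cisco code and not either poster's code. It parses the three statement types involved (`virtual telnet`, `aaa authentication match`, `access-list ... extended`) from the two configs quoted above (embedded here as constructed input) and flags a virtual address that collides with a known host, or an auth ACL that never triggers the prompt for it. The host lists are assumptions drawn from the thread: the post never confirms R2's address, so 1.1.1.2 is labelled as R2 only because that is the host R1 pings, and 10.1.1.2 comes from the `show uauth` line. Object-groups and source-port operators are not handled.

```python
"""Lint an ASA cut-through-proxy (uauth / virtual telnet) configuration.

Added example for the thread above; not Cisco code and not the posters' code.
Checks: (1) the virtual telnet address is not a real host (Cisco requires an
unused address); (2) the aaa-match ACL permits tcp/telnet to that address,
otherwise connecting to the virtual server never prompts for credentials.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str              # "any" or a CIDR string
    dst: str
    port: Optional[str]   # destination port after "eq", if present


def _addr(tokens):
    """Consume one ASA address spec from tokens: 'any', 'host X', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0) + "/32"
    mask = tokens.pop(0)
    return str(ipaddress.ip_network(f"{tok}/{mask}", strict=False))


def parse(config):
    """Return (virtual_telnet_ip, [ACL names used by aaa auth match], [AclEntry])."""
    virtual, aaa_acls, acls = None, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["virtual", "telnet"]:
            virtual = t[2]
        elif t[:3] == ["aaa", "authentication", "match"]:
            aaa_acls.append(t[3])
        elif t[:1] == ["access-list"] and t[2:3] == ["extended"]:
            rest = t[5:]                      # after: access-list NAME extended ACTION PROTO
            src, dst = _addr(rest), _addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else None
            acls.append(AclEntry(t[1], t[3], t[4], src, dst, port))
    return virtual, aaa_acls, acls


def _covers(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def requires_auth(config, proto, dst_ip):
    """True if the aaa-match ACL would force authentication for traffic of this protocol to dst_ip."""
    _, aaa_acls, acls = parse(config)
    return any(e.name in aaa_acls and e.action == "permit"
               and e.proto in (proto, "ip") and _covers(e.dst, dst_ip)
               for e in acls)


def lint_uauth(config, known_hosts):
    """known_hosts maps real addresses in the topology to a label. Returns (code, message) findings."""
    virtual, aaa_acls, acls = parse(config)
    if virtual is None:
        return [("no-virtual-telnet", "no 'virtual telnet' address configured")]
    findings = []
    if virtual in known_hosts:
        findings.append(("virtual-address-in-use",
                         f"virtual telnet {virtual} is also {known_hosts[virtual]}; "
                         "Cisco requires an unused address, so pick a free one"))
    triggers = [e for e in acls if e.name in aaa_acls and e.action == "permit" and e.proto == "tcp"
                and e.port in ("telnet", "23") and _covers(e.dst, virtual)]
    if not triggers:
        findings.append(("no-telnet-trigger",
                         f"no entry in {aaa_acls or 'any aaa match ACL'} permits tcp to {virtual} eq telnet, "
                         "so connecting to the virtual server never prompts"))
    return findings


# Constructed inputs: the two configurations quoted in the thread.
OP_CONFIG = """
access-list UAUTH extended permit tcp any host 1.1.1.2 eq telnet log
access-list UAUTH extended permit icmp any any log
virtual telnet 1.1.1.2
aaa authentication match UAUTH inside LOCAL
"""
# Assumption: R2 is 1.1.1.2 (the thread never confirms it); 10.1.1.2 is from 'show uauth'.
OP_HOSTS = {"1.1.1.2": "R2 (assumed: the host R1 pings)", "10.1.1.2": "R1"}

LAB_CONFIG = """
virtual telnet 100.0.11.100
aaa authentication match UAUTH inside LOCAL
access-list UAUTH extended permit tcp any host 100.0.12.2 eq telnet
access-list UAUTH extended permit icmp any any
access-list UAUTH extended permit tcp any host 100.0.11.100 eq telnet
"""
LAB_HOSTS = {"100.0.11.1": "R1", "100.0.11.10": "ASA inside",
             "100.0.12.10": "ASA outside", "100.0.12.2": "R2"}

if __name__ == "__main__":
    for label, cfg, hosts in (("original post", OP_CONFIG, OP_HOSTS), ("MIKIS lab", LAB_CONFIG, LAB_HOSTS)):
        print(label, "->", lint_uauth(cfg, hosts) or "no findings")
```

`requires_auth` is there to answer the original question directly: `permit icmp any any` in the matched ACL means every ping through the inside interface is subject to uauth, which is why the lab's first ping fails with the "must authenticate before using this service" message and only succeeds after the telnet login.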
