2 Replies Latest reply: Apr 14, 2012 12:57 PM by MIKIS

    Problem in uauth (ASA)

    Shoaib Merchant

      Hi mates,

      I'm facing a problem with uauth. Here's the scenario:

      (R1)-------in(ASA)out--------(R2)

      I'm able to ping and telnet R2 from R1 without any uauth configs.

      __________________________________________________________

      Now I configured the following on the ASA:

      ciscoasa# sho run username
      username shoaib password xuVTv4w.XekEjyJj encrypted

      ciscoasa# show run access-list UAUTH
      access-list UAUTH extended permit tcp any host 1.1.1.2 eq telnet log
      access-list UAUTH extended permit icmp any any log

      ciscoasa# show run virtual
      virtual telnet 1.1.1.2

      ciscoasa# show run aaa
      aaa authentication match UAUTH inside LOCAL

      __________________________________________________________

      Verifying from R1:

      R1#telnet 1.1.1.2
      Trying 1.1.1.2 ... Open

      LOGIN Authentication

      Authenticate Before Access
      Username: shoaib

      Password:
      Access Granted

      Authentication Successful

      [Connection to 1.1.1.2 closed by foreign host]
      R1#ping 1.1.1.2

      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
      .....
      Success rate is 0 percent (0/5)

      __________________________________________________________

      Verifying on ASA:

      ciscoasa#sho access-list UAUTH
      access-list UAUTH; 2 elements
      access-list UAUTH line 1 extended permit tcp any host 1.1.1.2 eq telnet log informational interval 300 (hitcnt=10) 0xfb4a8d11
      access-list UAUTH line 2 extended permit icmp any any log informational interval 300 (hitcnt=30) 0xfda7e5d9

      ciscoasa# show uauth
                              Current    Most Seen
      Authenticated Users       1          1
      Authen In Progress        0          1
      user 'shoaib' at 10.1.1.2, authenticated (idle for 0:00:11)
         absolute   timeout: 0:05:00
         inactivity timeout: 0:00:00

      ____________________________________

      Traffic is matching both the ACLs. Authentication is taking place using telnet, but I'm not able to ping after being authenticated. Without all these configs pings are working fine. So there are no issues with routing/ICMP inspection or anything of that sort.

      What might be the problem here?

        • 1. Re: Problem in uauth (ASA)
          Paul Stewart  -  CCIE Security

          Can you see if the pings are getting to R2?  On R2, do a "debug ip icmp" just to make sure that ICMP echos aren't making it.  It is very curious that it worked before, but not after adding the UAUTH.  The ACL is more of a trigger than anything; I don't know why it would have an issue after the user is authenticated.

          • 2. Re: Problem in uauth (ASA)
            MIKIS

            Hello Shoaib

            Just for my understanding, what is the IP of R2?
            I see that you have configured a virtual telnet IP 1.1.1.2 on the ASA and you try to ping the virtual telnet IP 1.1.1.2.
            I ran a small lab similar to yours with the following setup:
            R1 (100.0.11.1) -- (100.0.11.10 inside) ASA (outside 100.0.12.10) --- (100.0.12.2) R2

            username cisco password 3USUcOPFUiMCO4Jk encrypted
            virtual telnet 100.0.11.100
            aaa authentication match UAUTH inside LOCAL
            access-list UAUTH extended permit tcp any host 100.0.12.2 eq telnet
            access-list UAUTH extended permit icmp any any
            access-list UAUTH extended permit tcp any host 100.0.11.100 eq telnet

            R1 is able to ping R2 (100.0.12.2) after authenticating to the virtual-telnet IP (100.0.11.100).
            Without being authenticated I see the following log on the ASA, which is absolutely normal:
            "User from 100.0.11.1/5 to 100.0.12.2/0 on interface inside using icmp must authenticate before using this service"

            R1#ping 100.0.12.2

            Type escape sequence to abort.
            Sending 5, 100-byte ICMP Echos to 100.0.12.2, timeout is 2 seconds:
            .....
            Success rate is 0 percent (0/5)
            R1#telnet 100.0.11.100
            Trying 100.0.11.100 ... Open

            LOGIN Authentication

            Username: cisco

            Password:

            Authentication Successful


            [Connection to 100.0.11.100 closed by foreign host]
            R1#ping 100.0.12.2

            Type escape sequence to abort.
            Sending 5, 100-byte ICMP Echos to 100.0.12.2, timeout is 2 seconds:
            !!!!!
            Success rate is 100 percent (5/5), round-trip min/avg/max = 60/123/256 ms
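Added example, not part of the thread and not a Cisco tool: a small Python checker that parses the `virtual telnet`, `aaa authentication match` and `access-list ... extended` lines quoted in both posts above and reports the two conditions the replies turn on. First, the virtual telnet address is owned and answered by the ASA itself, so it must not coincide with a host users need to reach through the firewall (MIKIS's question about R2's address; treating 1.1.1.2 as R2 is an assumption the original post only implies). Second, the ACL named in `aaa authentication match` must contain a TCP/telnet entry toward the virtual address, otherwise the telnet that is supposed to trigger authentication is never intercepted (the third ACE in MIKIS's lab). The two sample configurations are transcribed from the thread; the parser handles only the ACE forms that appear there (`any`, `host A`, `A MASK`, optional `eq PORT`, trailing `log`).

```python
import re

# Sample inputs transcribed from the configuration lines quoted in the thread.
# Original post (the failing setup):
OP_CONFIG = """\
username shoaib password xuVTv4w.XekEjyJj encrypted
access-list UAUTH extended permit tcp any host 1.1.1.2 eq telnet log
access-list UAUTH extended permit icmp any any log
virtual telnet 1.1.1.2
aaa authentication match UAUTH inside LOCAL
"""

# MIKIS's working lab:
LAB_CONFIG = """\
username cisco password 3USUcOPFUiMCO4Jk encrypted
virtual telnet 100.0.11.100
aaa authentication match UAUTH inside LOCAL
access-list UAUTH extended permit tcp any host 100.0.12.2 eq telnet
access-list UAUTH extended permit icmp any any
access-list UAUTH extended permit tcp any host 100.0.11.100 eq telnet
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.+)$")
VIRTUAL_RE = re.compile(r"^virtual\s+telnet\s+(\S+)$")
AAA_RE = re.compile(r"^aaa\s+authentication\s+match\s+(\S+)\s+(\S+)\s+(\S+)$")


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] in ("any", "any4", "any6"):
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_ace(rest):
    """Parse the text after permit/deny of an extended ACE into a dict.
    Only the forms used in the thread are handled (proto, src, dst, optional
    'eq PORT'); a trailing 'log ...' clause is ignored."""
    tokens = rest.split()
    if "log" in tokens:
        tokens = tokens[: tokens.index("log")]
    proto = tokens[0]
    src, i = _take_addr(tokens, 1)
    dst, i = _take_addr(tokens, i)
    port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
    return {"proto": proto, "src": src, "dst": dst, "port": port}


def parse_uauth_config(text):
    """Extract the cut-through-proxy pieces: virtual telnet address, the ACL and
    interface named by 'aaa authentication match', and every ACE grouped by ACL."""
    cfg = {"virtual_telnet": None, "aaa_acl": None, "aaa_iface": None, "acls": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := VIRTUAL_RE.match(line):
            cfg["virtual_telnet"] = m.group(1)
        elif m := AAA_RE.match(line):
            cfg["aaa_acl"], cfg["aaa_iface"] = m.group(1), m.group(2)
        elif m := ACE_RE.match(line):
            ace = parse_ace(m.group(3))
            ace["action"] = m.group(2)
            cfg["acls"].setdefault(m.group(1), []).append(ace)
    return cfg


def check_virtual_telnet(cfg, real_hosts):
    """Return a list of findings. real_hosts holds addresses of hosts behind the
    ASA that users must reach (for the original post we assume R2 is 1.1.1.2)."""
    findings = []
    vip = cfg["virtual_telnet"]
    if vip is None:
        return findings
    # The ASA answers telnet to the virtual address itself, so it must be an
    # otherwise unused address, not one of the protected hosts.
    if vip in real_hosts:
        findings.append(f"virtual telnet {vip} overlaps a real host address; pick an unused address")
    # Authentication is only triggered for traffic matching the aaa ACL, so the
    # telnet toward the virtual address must itself be matched by that ACL.
    aces = cfg["acls"].get(cfg["aaa_acl"], [])
    triggers = [a for a in aces
                if a["action"] == "permit" and a["proto"] == "tcp"
                and a["dst"] in (vip, "any") and a["port"] in ("telnet", "23")]
    if not triggers:
        findings.append(f"ACL {cfg['aaa_acl']} has no tcp/telnet entry toward virtual telnet {vip}")
    return findings


if __name__ == "__main__":
    for label, text, hosts in (("original post", OP_CONFIG, {"1.1.1.2"}),
                               ("MIKIS lab", LAB_CONFIG, {"100.0.12.2"})):
        print(label, check_virtual_telnet(parse_uauth_config(text), hosts) or ["no findings"])
```

Run against the thread's two configurations, the original post is flagged for the overlapping virtual address while MIKIS's lab passes both checks; the `real_hosts` argument is what MIKIS was asking for when he requested R2's IP.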