virtual


Access firewall virtual server. (Configuration mode.)

virtual http ip_address [warn]
virtual telnet ip_address


Syntax Description

ip_address For outbound use, ip_address must be an address routed to the firewall. Use an RFC 1918 address that is not in use on any interface.

For inbound use, ip_address must be an unused global address. An access-list and static command pair must provide access to ip_address, as well as an aaa authentication command statement.

For example, if an inside client at 192.168.0.100 has a default gateway set to the inside interface of the firewall at 192.168.0.1, the ip_address can be any IP address not in use on that segment (such as 10.2.3.4). As another example, if the inside client at 192.168.0.100 has a default gateway other than the firewall (such as a router at 192.168.0.254), then the ip_address would need to be set to a value that would get statically routed to the firewall. This might be accomplished by using a value of 10.0.0.1 for the ip_address, then on the client, setting the firewall at 192.168.0.1 as the route to host 10.0.0.1.

warn Let virtual http command users know that the command was redirected. This option is only applicable for text-based browsers where the redirect cannot happen automatically.


Usage Guidelines

The virtual http command lets web browsers work correctly with the firewall aaa command. The aaa command assumes that the AAA server database is shared with a web server; the firewall automatically provides the AAA server and web server with the same information. The virtual http command works with the aaa command to authenticate the user, separate the AAA server information from the web client's URL request, and direct the web client to the web server. Use the show virtual http command to list the virtual http commands in the configuration. Use the no virtual http command to disable its use.

The virtual http command works by redirecting the web browser's initial connection to the ip_address, which resides in the firewall, authenticating the user, then redirecting the browser back to the URL which the user originally requested. This mechanism comprises the firewall unit's new virtual server feature. The command is named as it is because it accesses the virtual server for use with HTTP, the protocol of the Web. This command is especially useful for firewall interoperability with Microsoft IIS, but it also works with other authentication servers.

When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the firewall authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, the firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.

Once authenticated, a user never has to reauthenticate no matter how low the firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
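The redirect, authenticate, redirect-back flow described above, together with the uauth cache and its timeout, as a constructed model; this is added illustration code, not firewall code. The AAA user database, the user alice, the client at 10.1.1.5 and the site www.example.com are constructed; 209.165.201.1 is the virtual address used in the inbound example on this page.

```python
import base64
from urllib.parse import quote, unquote

# Constructed stand-in for the TACACS+/RADIUS user database (not a real AAA server).
AAA_USERS = {"alice": "s3cret"}


def parse_basic(value):
    """Return (user, password) from an 'Authorization: Basic <base64>' value, else None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


class VirtualHttp:
    """Model of the virtual http flow: redirect to the virtual server, authenticate, redirect back."""

    def __init__(self, virtual_ip, uauth_timeout):
        self.virtual_ip = virtual_ip
        self.uauth_timeout = uauth_timeout  # seconds; plays the role of timeout uauth
        self.uauth = {}                     # uauth cache: client ip -> expiry time

    def handle(self, client_ip, host, path, headers, now):
        """Decide what the firewall does with one HTTP request from client_ip."""
        if self.uauth.get(client_ip, 0) > now:
            # Credentials still cached: pass the request through to the real server.
            return {"action": "forward", "host": host, "path": path}
        if host != self.virtual_ip:
            # Unauthenticated request for a real site: bounce the browser to the
            # virtual server, carrying the original URL so it can be sent back later.
            original = "http://%s%s" % (host, path)
            return {"action": "redirect",
                    "location": "http://%s/?url=%s" % (self.virtual_ip, quote(original, safe=""))}
        creds = parse_basic(headers.get("Authorization"))
        if creds is None or AAA_USERS.get(creds[0]) != creds[1]:
            # Missing or bad credentials: challenge. The browser caches whatever it
            # sends next for the virtual server's host, not for the real web server.
            return {"action": "challenge", "status": 401,
                    "headers": {"WWW-Authenticate": 'Basic realm="firewall"'}}
        # Good credentials: populate the uauth cache and send the browser back.
        self.uauth[client_ip] = now + self.uauth_timeout
        original = unquote(path.partition("url=")[2]) or "/"
        return {"action": "redirect", "location": original}
```

Once the cache entry expires, the next request for a real site is redirected to the virtual server again, which is why a uauth timeout of 0 would keep every connection bouncing and never reach the real web server.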

If you want double authentication, through both the firewall and the web browser, configure the authentication server not to accept anonymous connections.

Do not set the timeout uauth duration to 0 seconds when using the virtual command because this will prevent HTTP connections to the real web server.

For both the virtual http and virtual telnet commands, if the connection is started on either an outside or perimeter interface, a static and access-list command pair is required for the fictitious IP address.

The virtual telnet command enables the Virtual telnet server, which provides a way to pre-authenticate users who require connections through the firewall using services or protocols that do not support authentication.

The virtual telnet command can be used both to log in and log out of the firewall. When an unauthenticated user Telnets to the virtual IP address, they are challenged for their username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, they see the message "Authentication Successful" and their authentication credentials are cached in the firewall for the duration of the uauth timeout.

If a user wishes to log out and clear their entry in the firewall uauth cache, the user can again telnet to the virtual address. The user is prompted for their username and password, the firewall removes the associated credentials from the uauth cache, and the user will receive a "Logout Successful" message.

If inbound users on either the perimeter or outside interfaces need access to the Virtual telnet server, a static and access-list command pair must accompany use of the virtual telnet command. The global IP address in the static command must be a real IP address. The local address in the static command is the IP address of the virtual server.

Users first connect to the Virtual telnet server IP address, where they are prompted for a username and password, and then continue to the service or protocol that does not support authentication itself.


Examples

The following example shows the commands required to use the virtual http command for an inbound connection:

     static (inside, outside) 209.165.201.1 192.168.1.1 netmask 255.255.255.255
     access-list acl_out permit tcp any host 209.165.201.1 eq 80
     access-group acl_out in interface outside
     aaa authentication include any inbound 192.168.1.1 255.255.255.255 0 0 tacacs+
     virtual http 209.165.201.1

The next example displays the show virtual command output:

     show virtual http
     virtual http 209.165.201.1

After adding the virtual telnet command to the configuration and writing the configuration to Flash memory, users wanting to start PPTP sessions through the firewall use telnet to access the ip_address as shown in the following example:

  1. On the firewall:

         virtual telnet 209.165.201.25
         static (inside,outside) 209.165.201.25 10.8.8.11 netmask 255.255.255.255
         access-list acl_out permit tcp any host 209.165.201.25 eq telnet
         access-group acl_out in interface outside
         write memory

  2. On an inside host:

         /unix/host%telnet 209.165.201.30
         Trying 209.165.201.30...
         Connected to 209.165.201.30.
         Escape character is `^]'.

         username: username
         TACACS+ Password: password
         Authentication Successful

         Connection closed by foreign host.

         /unix/host%

The username and password are those for the user on the TACACS+ server.