Normally, services such as HTTP, FTP, and Telnet can be authenticated using cut-through proxy. However, other services might need access through the PIX firewall. For example, if Jack's users need to access TFTP servers or Microsoft servers using NetBIOS, ports 69 and 139 would be used. Cut-through proxy does not work in these cases, but virtual Telnet can be used to let users through. Cut-through proxy may also have authentication issues with HTTP and Web browsers; if this is a problem, another service called virtual HTTP can be used. Virtual Telnet and virtual HTTP are covered in the next section.
Virtual Telnet enables users to preauthenticate using a virtual Telnet session before executing the application that needs to pass through the PIX. For example, when Jack needs TFTP access, he must first open a Telnet session with PIX to a virtual Telnet IP address and then enter his username and password. The PIX caches the successful user logon and allows TFTP traffic through.
To use virtual Telnet, the virtual telnet command is needed. Its syntax is as follows:
pixfirewall(config)# [no] virtual telnet <ip>
The ip option is the IP address of the virtual Telnet server running on the PIX firewall. This address is the IP address clients use to enter their usernames and passwords. After authentication takes place, the user is allowed to pass traffic through the PIX. To log out, the user only has to connect using Telnet again and reenter her username and password.
The example shown here requires TFTP traffic to be authenticated before it is allowed through the PIX firewall. The user first creates a Telnet session with 192.168.1.252:
pixfirewall(config)# aaa-server PIXAuth protocol tacacs+
pixfirewall(config)# aaa-server PIXAuth host 192.168.1.10 dog
pixfirewall(config)# aaa authentication include tcp/69 outbound 0 0 0 0 PIXAuth
pixfirewall(config)# virtual telnet 192.168.1.252
Virtual HTTP enables browser and Web server authentication to work correctly with the PIX when authentication with cut-through proxy is problematic. Web browsers can cache authentication requests, potentially causing future authentication problems. Virtual HTTP works by redirecting the user's initial internal Web server request to a virtual HTTP server on the PIX. The user then enters his username and password and is redirected back to the original URL.
This example creates a virtual HTTP server that is used to catch HTTP traffic:
pixfirewall(config)# aaa-server PIXAuth protocol tacacs+
pixfirewall(config)# aaa-server PIXAuth host 192.168.1.10 dog
pixfirewall(config)# aaa authentication include any inbound 0 0 0 0 PIXAuth
pixfirewall(config)# virtual http 192.168.1.251
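The point made above is that cut-through proxy can only prompt for HTTP, FTP, and Telnet, so an aaa authentication rule covering any other service (TFTP on port 69, NetBIOS on 139) silently blocks users unless a virtual telnet address also exists. The following config lint is an added example (not Cisco's code or the book's); it parses the command forms shown on this page and flags that mismatch, and the sample configs and the cut-through port set are constructed assumptions.

```python
"""Lint a PIX config excerpt: any AAA-authenticated service that cut-through
proxy cannot prompt for needs a 'virtual telnet' address, or users have no
way to preauthenticate and their traffic is simply dropped."""
import re

# Services cut-through proxy can authenticate on its own (assumption, per the text).
CUT_THROUGH_PORTS = {"80", "http", "21", "ftp", "23", "telnet"}

# aaa authentication include <svc> <dir> <local_ip> <mask> <foreign_ip> <mask> <server>
AAA_RE = re.compile(
    r"^aaa authentication include\s+(?P<svc>\S+)\s+(?P<dir>inbound|outbound)\s+"
    r"(?P<lip>\S+)\s+(?P<lmask>\S+)\s+(?P<fip>\S+)\s+(?P<fmask>\S+)\s+(?P<srv>\S+)"
)
VTELNET_RE = re.compile(r"^virtual telnet\s+(?P<ip>\S+)")

def strip_prompt(line):
    """Drop a 'pixfirewall(config)# ' prompt when lines were pasted from a console."""
    return re.sub(r"^\S+\(config\)#\s*", "", line.strip())

def service_port(svc):
    """'tcp/69' -> '69'; bare names such as 'http' or 'any' pass through."""
    return svc.split("/", 1)[1] if "/" in svc else svc

def lint(config_text):
    """Return one finding per aaa rule that authenticates a non-cut-through
    service while no virtual telnet address is configured."""
    rules, vtelnet = [], None
    for raw in config_text.splitlines():
        line = strip_prompt(raw)
        m = AAA_RE.match(line)
        if m:
            rules.append(m.groupdict())
            continue
        m = VTELNET_RE.match(line)
        if m:
            vtelnet = m.group("ip")
    findings = []
    for r in rules:
        if service_port(r["svc"]) not in CUT_THROUGH_PORTS and vtelnet is None:
            findings.append(f"{r['svc']} {r['dir']} authenticated via {r['srv']} "
                            f"but no 'virtual telnet' address is configured")
    return findings

# Constructed samples mirroring the TFTP example on this page.
SAMPLE_TFTP_WITH_VTELNET = """pixfirewall(config)# aaa-server PIXAuth protocol tacacs+
pixfirewall(config)# aaa authentication include tcp/69 outbound 0 0 0 0 PIXAuth
pixfirewall(config)# virtual telnet 192.168.1.252"""
SAMPLE_TFTP_NO_VTELNET = "\n".join(SAMPLE_TFTP_WITH_VTELNET.splitlines()[:2])

if __name__ == "__main__":
    for name, cfg in (("with", SAMPLE_TFTP_WITH_VTELNET), ("without", SAMPLE_TFTP_NO_VTELNET)):
        print(name, lint(cfg) or "OK")
```

Run against the virtual HTTP example above, an `any inbound` rule with no virtual telnet line is also flagged, since only the HTTP, FTP, and Telnet portion of "any" can be prompted for.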