Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 8 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
nat (inside,outside) static service tcp 111 889
Then users do not see the authentication page. Instead, the ASA sends an error message to the web
browser, indicating that the user must be authenticated before using the requested service.
When a mapped address is used for static PAT, it is automatically placed into the dynamic PAT pool.
For instance, this configuration,
object network my-ftp-server
host <real-server>
nat (inside,outside) static <mapped-server> ftp ftp
is equivalent to
object network my-ftp-server
host <real-server>
nat (inside,outside) static <mapped-server> ftp ftp
object network <internal>
nat (inside,outside) dynamic <mapped-server>
The second line ensures that all PAT bindings are accounted for. This accounting is necessary to avoid
connection failure from port collision.
Because the mapped address is placed under dynamic PAT, any additional service that is to be accessed
through the mapped address must also be explicitly configured.
For example, the following is the correct configuration for three services through address
Additionally, the SMTP and HTTP services also reside at a host with the same address as the mapped
object network my-ftp-server
host <real-server>
nat (inside,outside) static <mapped-server> ftp ftp
object network my-ftp-server
host ""
nat (inside,outside) static smtp smtp
object network my-ftp-server
host ""
nat (inside,outside) static http http
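The following Python check is an added example, not part of the Cisco guide. It reads object NAT stanzas in the two forms shown on this page (with and without the `service tcp` keywords) and reports services that are required through a static-PAT mapped address but have no explicit static PAT entry. The addresses, object names and the `required` mapping are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (documentation addresses, hypothetical object names).
SAMPLE_CONFIG = """\
object network my-ftp-server
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.10 ftp ftp
object network my-smtp-server
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.10 service tcp smtp smtp
object network my-dns-server
 host 192.0.2.20
 nat (inside,outside) static 198.51.100.20
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped>\S+)"
    r"(?:\s+(?:service\s+(?P<proto>tcp|udp)\s+)?(?P<real_port>\S+)\s+(?P<mapped_port>\S+))?$"
)

def static_pat_services(config):
    """Map each static-PAT mapped address to the set of mapped ports it publishes."""
    published = defaultdict(set)
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group("mapped_port"):  # a port pair means static PAT
            published[m.group("mapped")].add(m.group("mapped_port"))
    return dict(published)

def missing_services(config, required):
    """Return {mapped_address: sorted services required but not explicitly configured}."""
    published = static_pat_services(config)
    gaps = {}
    for mapped, services in required.items():
        # Only addresses used for static PAT are affected; plain static NAT is skipped.
        if mapped in published:
            absent = sorted(set(services) - published[mapped])
            if absent:
                gaps[mapped] = absent
    return gaps

if __name__ == "__main__":
    required = {"198.51.100.10": ["ftp", "smtp", "http"], "198.51.100.20": ["domain"]}
    for mapped, absent in missing_services(SAMPLE_CONFIG, required).items():
        print(f"{mapped}: no static PAT entry for {', '.join(absent)}")
```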
Configuring Network Access Authentication
To configure network access authentication, perform the following steps:
Step 1 In the Configuration > Firewall > AAA Rules pane, choose Add > Add Authentication Rule.
The Add Authentication Rule dialog box appears.
Step 2 In the Interface drop-down list, choose the interface for applying the rule.
Tip In the Action field, click one of the following, depending on the implementation:
• Authenticate
• Do not Authenticate