cut-thru proxy on asa

Unanswered Question
Jul 20th, 2007

hi all,

I am configuring cut-thru proxy on ASA.

The config guide says that the authorization ACL should be a subset of the ACL used for authentication.

In my scenario I am using telnet to authenticate the user and I want to authorize traffic from to for http only.

My ASA config is as follows:

aaa-server cisco proto tacacs+
aaa-server host
key cisco
access-l 101 permit tcp host host eq 23
access-l 102 permit tcp host host eq 80
access-group 101 in int outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco


With this configuration on the ASA the user gets authenticated successfully, but cannot browse the webpage on

This happened because my ACL 101 applied on the outside does not allow http traffic; and also ACL 102 is not a subset of 101.

Hence I reconfigured 101 as: access-l 101 permit ip host host

Now the user gets authenticated successfully, the authorization is also a PASS, and the webpage can be accessed on

Now if I try to access the remote desktop port of it works successfully. I haven't authorized this on the ACS, so why don't I get an authorization failure for traffic destined for RDP on ?

On ACS for the user cisco, I have configured under the shell command authorization:

unmatched ios commands - deny
command - http
argument - permit
unlisted arguments - deny

Please let me know where I am going wrong in the configuration.
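As an added example (not the poster's config, and not an answer from the thread), the ACL relationship the config guide describes, laid out on a clean ASA with placeholder values standing in for the addresses the post omits: 198.51.100.5 for the outside client, 10.0.0.20 for the inside server, 192.0.2.10 for the TACACS+ server and ACS-KEY for the shared secret.

```cisco
! Added example, not the original post's config. Placeholder values:
! 198.51.100.5 = outside client, 10.0.0.20 = inside server,
! 192.0.2.10 = TACACS+ server, ACS-KEY = shared secret.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key ACS-KEY

! Interface ACL: must permit every flow the proxy will ever see, i.e. the
! telnet session used to authenticate and the HTTP the user may then be
! authorized for. Anything not permitted here is dropped before AAA runs.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 10.0.0.20 eq telnet
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 10.0.0.20 eq www
access-group OUTSIDE_IN in interface outside

! Authentication ACL: flows that require a cut-through login.
access-list AUTH_ACL extended permit tcp host 198.51.100.5 host 10.0.0.20 eq telnet
access-list AUTH_ACL extended permit tcp host 198.51.100.5 host 10.0.0.20 eq www

! Authorization ACL: a subset of AUTH_ACL (HTTP only). Only flows matched
! here are sent to the TACACS+ server for a per-user permit/deny decision;
! a flow this ACL does not match (RDP on 3389, for instance) never reaches
! the authorization step at all and is governed by the interface ACL alone.
access-list AUTHZ_ACL extended permit tcp host 198.51.100.5 host 10.0.0.20 eq www

aaa authentication match AUTH_ACL outside ACS
aaa authorization match AUTHZ_ACL outside ACS
```

The point to check when auditing such a setup is which of the three ACLs a given flow falls through: the interface ACL is the first gate, the authentication ACL decides whether a login is demanded, and only the authorization ACL decides whether the server is asked for a per-user verdict. The ACS-side command authorization set is not shown here.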



kirti_bapat Thu, 07/26/2007 - 09:59

Thanks for your reply, but unfortunately I am not looking for that solution. I completely understand the ACL required to permit RDP traffic (as mentioned in the link).

What I need to know is how to stop unauthorized access from getting across the ASA. I want the unauthorized access to RDP to be denied by the ACS server.
