07-20-2007 11:40 PM - edited 03-11-2019 03:47 AM
Hi all,
I am configuring cut-through proxy on the ASA.
The config guide says that the authorization ACL should be a subset of the ACL used for authentication.
In my scenario I am using telnet to authenticate the user, and I want to authorize traffic from 2.1.1.2 to 1.1.1.2 for HTTP only.
My ASA config is as follows:
-------------------------------------
aaa-server cisco protocol tacacs+
aaa-server cisco host 1.1.1.2
 key cisco
access-list 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23
access-list 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
access-group 101 in interface outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco
-------------------------------------
With this configuration on the ASA the user gets authenticated successfully, but cannot browse the web page on 1.1.1.2.
This happened because my ACL 101 applied on the outside does not allow HTTP traffic, and also ACL 102 is not a subset of 101.
Hence I reconfigured 101 as: access-list 101 permit ip host 2.1.1.2 host 1.1.1.2
Now the user gets authenticated successfully, the authorization is a PASS, and the web page can be accessed on 1.1.1.2.
Now if I try to access the remote desktop port of 1.1.1.2 it works successfully. I haven't authorized this on the ACS, so why don't I get an authorization failure for traffic destined for RDP on 1.1.1.2?
On ACS, for the user cisco, I have configured the following under Shell Command Authorization:
---------------------------------
unmatched IOS commands - deny
command - http
argument - permit 1.1.1.2
unlisted arguments - deny
---------------------------------
Please let me know where I am going wrong in the configuration.
Thanks,
Kirti.
07-26-2007 07:01 AM
I think in ACL 101 you should only permit port 80 (the default port for HTTP). The following link may help you.
07-26-2007 09:59 AM
Thanks for your reply, but unfortunately I am not looking for that solution. I completely understand the ACL required to permit RDP traffic (as mentioned in the link).
What I need to know is how to stop unauthorized access from getting across the ASA. I want the unauthorized access to RDP to be denied by the ACS server.
Thanks,
Kirti.
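As an added example (not from the original thread or from Cisco), the posted configuration is shown beside an adjusted one. It assumes the ASA only sends flows that match the "aaa authorization match" ACL to the TACACS+ server; addresses and the server-group name are the ones from the thread.

```cisco
! Added example, not the original poster's config. Addresses and the
! server group "cisco" are taken from the thread.
!
! --- As posted (after ACL 101 was widened to "permit ip") ---
access-list 101 permit ip host 2.1.1.2 host 1.1.1.2
access-list 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
access-group 101 in interface outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco
! RDP (tcp/3389) from 2.1.1.2 matches the interface ACL 101 and the
! authentication ACL 101, but not the authorization ACL 102. The ASA
! only asks ACS to authorize traffic that matches the authorization ACL,
! so once the user is authenticated (via telnet) the RDP session passes
! with no authorization request at all; ACS never gets a chance to deny it.
!
! --- Adjusted: authorize every flow that authentication lets through ---
no access-list 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
access-list 102 permit ip host 2.1.1.2 host 1.1.1.2
! ACL 101, access-group and the aaa authentication line stay as above.
aaa authorization match 102 outside cisco
! ACL 102 is now a subset of (here, equal to) the authentication ACL,
! as the config guide requires. HTTP and RDP from 2.1.1.2 are both sent
! to ACS for command authorization; with "http / permit 1.1.1.2" as the
! only listed command and "unmatched commands: deny" on the user, HTTP
! is permitted and RDP is denied by ACS instead of slipping through.
```

The interface ACL 101 still needs to permit the traffic; the deny for RDP comes from ACS once the flow is actually submitted for authorization.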