Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
725
Views
0
Helpful
2
Replies

cut-thru proxy on asa

kirti_bapat
Level 1
Level 1

‎07-20-2007 11:40 PM - edited ‎03-11-2019 03:47 AM

hi all,

i am configuring cut-thru proxy on asa.

the config guide says that the authorization acl should be a subset of the acl used for authentication.

in my scenario i am using telnet to auhenticate the user and i want to authorize traffic from 2.1.1.2 to 1.1.1.2 for http only.

my asa config is as follows:

-------------------------------------

aaa-server cisco proto tacacs+

aaa-server host 1.1.1.2

key cisco

access-l 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23

access-l 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80

access-group 101 in int outside

aaa authentication match 101 outside cisco

aaa authorization match 102 outside cisco

-------------------------------------------

with this configuraion on the asa the user gets autheticated successfully , but cannot browse the webpage on 1.1.1.2.

this happened becoz my acl 101 applied on the outside does not allow http traffic ; and also acl 102 is not a subset of 101.

hence i reconfigured 101 as - access-l 101 permit ip host 2.1.1.2 host 1.1.1.2

now the user gets autheticated successfully , also the authorization is a PASS and the webpage can be accessed on 1.1.1.2.

now if i try to access the remote desktop port of 1.1.1.2 it works successfully. i havent authorized this on the acs , why dont i get authorization failure for traffic destined for rdp on 1.1.1.2 ?

on acs for the user cisco , i have configured under the shell command authorization

---------------------------------

unmatched ios commands - deny

command - http

argument - permit 1.1.1.2

unlisted arguments - deny

please let me know where i am going wrong in the configuration.

thanks

kirti.

Labels:
0 Helpful
2 Replies 2

bwalchez
Level 4
Level 4

‎07-26-2007 07:01 AM

I think in acl 101 you should only permit for port 80 (default port for http). Following link may help you

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

0 Helpful

kirti_bapat
Level 1
Level 1
In response to bwalchez

‎07-26-2007 09:59 AM

thanks for your reply . but unfortunately i am not looking for that solution . i completely understand the acl required to permit rdp traffic, (as mentioned in the link.)

what i need to know is , how to stop unauthorized access from getting across the asa. i want the unauthorized access to rdp to be denied by the acs server.

thanks

kirti.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card