ASA 5505 - Controling Internet Access for Users

mackeyuk
Level 1

Hello All,

I have a Cisco ASA 5505 device connecting my LAN to the internet using PAT/NAT. I want to restrict access to the internet on ports 80 and 443 on a per-user basis.

I.e. allow management staff access whilst restricting general staff.

I understand how to do this on a per-device level by creating an access list blocking certain IPs out to the internet, but I would like to restrict certain users.

I guess they will need to authenticate with the ASA somehow.

Any pointers?

TIA.

Accepted Solution

Jagdeep Gambhir
Level 10

You need to set up cut-through proxy on the ASA.

Here is the configuration which we need to add on the ASA:

! Traffic that must be authenticated: web traffic on 80 and 443
access-list WEBAUTH permit tcp any any eq 80
access-list WEBAUTH permit tcp any any eq 443
! Authenticate matching traffic arriving on "inside" against the local user database
aaa authentication match WEBAUTH inside LOCAL
! Serve the login page over HTTPS even for port 80 sessions
aaa authentication secure-http-client
! Redirect the browser to the ASA's own listener to collect the credentials
aaa authentication listener http inside port www redirect
aaa authentication listener https inside port https redirect

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwaaa.html#wp1043431

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437427

Regards,

~JG

Do rate helpful posts

3 Replies

Many thanks for your help, this is the info I was looking for!

Thanks for your reply on this one.

Can you give me a few pointers on using a telnet session to authenticate instead of www redirect?
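The configuration below is an added example, not part of the original thread or Cisco's documentation. It extends the accepted answer's cut-through proxy snippet into the form a practitioner would actually deploy, and it also covers the telnet-based authentication asked about in the last reply. Two things the snippet above leaves implicit are made explicit here: the per-user restriction the question asks for comes from the local user database (only management staff get an account, so general staff can match the ACL but never pass the login), and the ASA caches an authenticated session against the source IP address rather than the person, so anyone who sits down at an authenticated workstation inherits the session until the uauth timer expires. The subnet 192.168.1.0/24, the usernames, the password placeholders and the virtual Telnet address 10.254.254.1 are assumptions; the commands are the ASA 7.2 syntax the linked documents cover.

```cisco
! Added example: cut-through proxy on an ASA 5505 (7.2-era syntax) restricting
! outbound web access to staff who hold a local account. Subnet, usernames,
! passwords and the virtual Telnet address are assumptions, not thread values.
!
! 1. Who may authenticate: only management staff get local accounts, so general
!    staff can never get past the login prompt. privilege 0 is the lowest CLI
!    privilege level; these accounts exist only for cut-through proxy.
username mgr.alice password CHANGE-ME-1 privilege 0
username mgr.bob   password CHANGE-ME-2 privilege 0
!
! 2. What must be authenticated: web traffic from the LAN only. The original
!    "any any" would also catch web traffic that never leaves for the Internet.
access-list WEBAUTH extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list WEBAUTH extended permit tcp 192.168.1.0 255.255.255.0 any eq https
!
! 3. Authenticate matching traffic arriving on "inside" against the local database.
aaa authentication match WEBAUTH inside LOCAL
!
! 4. Serve the login form over HTTPS even for port 80 requests, so credentials
!    never cross the LAN in cleartext, and redirect browsers to the ASA listener.
aaa authentication secure-http-client
aaa authentication listener http inside port www redirect
aaa authentication listener https inside port https redirect
!
! 5. The uauth cache is keyed by source IP, not by user. Anyone at that
!    workstation inherits the session until it expires, so keep it short.
timeout uauth 0:15:00 absolute
timeout uauth 0:05:00 inactivity
!
! 6. Alternative asked about in the last reply: authenticate by telnetting to a
!    virtual address instead of waiting for a web redirect. 10.254.254.1 is an
!    assumed unused address; it must be routed to the ASA, and the Telnet flow
!    to it must itself appear in the authentication ACL.
virtual telnet 10.254.254.1
access-list WEBAUTH extended permit tcp 192.168.1.0 255.255.255.0 host 10.254.254.1 eq telnet
```

To check it, browse to any HTTP site from a management workstation: the ASA should redirect to its HTTPS listener, and after login `show uauth` lists the username together with the source IP the session is cached against. With the virtual Telnet address configured, `telnet 10.254.254.1` from the workstation prompts for the username and password, closes the session once authentication succeeds, and the same `show uauth` entry appears. `clear uauth` drops every cached session and forces re-authentication, which is the quickest way to confirm that a general-staff machine with no local account really is blocked rather than riding on a stale entry.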
