Can the ASA act like the router's "lock & key"?

Answered Question
May 5th, 2010

Hi all,

I just want to ask if the ASA can perform like the "lock & key" security feature of the router's IOS.

The point is that I want to put the ASA as the access control between two internal departments. I want the ASA to be transparent so there is no hop and no NAT between them. I just want that if people from department A want to access servers in department B, they have to be authenticated first and a dynamic ACL would be applied on the ASA to allow the traffic according to their privilege. Is this feature called "cut-through proxy"?

And I want to authenticate using RADIUS from ACS, and the ASA should retrieve the dynamic ACL from ACS according to the user database; if the ACS should fail, the ASA would use the local database and a predefined dynamic ACL in it.

Regards,

Charles Chia

Panos Kampanakis Wed, 05/05/2010 - 09:13

Yes that is auth proxy functionality.

The ASA proxy matches traffic on an ACL and first authenticates the users that match it.

It can authenticate against RADIUS, LOCAL, or TACACS.

I hope it helps.

PK

Charles_Chi4 Wed, 05/05/2010 - 09:26

Hi PK,

When you said that the ASA proxy will match the traffic on the ACL defined in the match statement, it then will be authenticated. The ACL before is only used for triggering the authentication, right? And after the authentication is successful, the ASA could get a dynamic ACL applied based on the user, right? And could it be applied in transparent mode ASA?

Could you provide me the link to a complete guide regarding all the features and options for configuring this ASA proxy?

Correct Answer
Panos Kampanakis Wed, 05/05/2010 - 09:37

"The ACL before is only used for triggering the authentication, right?" Yes.

"And after the authentication is successful, the ASA could get a dynamic ACL applied based on the user, right?" You don't see the ACL like on the router, but it practically denies the host.

"And could it be applied in transparent mode ASA?" Yes.

"Could you provide me the link to a complete guide regarding all the features and options for configuring this ASA proxy?"

Here it is http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

I hope it helps.

PK
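As an added illustration that is not part of the thread (and not PK's or Cisco's configuration), here is the cut-through proxy setup discussed above written out in ASA CLI: a trigger ACL selects the department A to department B flows, those flows must authenticate against a RADIUS group pointing at ACS, and the per-user rules come back from ACS rather than being visible on the ASA. All interface names, addresses, ACL and server-group names, usernames and the shared secret are assumed placeholders.

```cisco
! Added example, not from the thread. Interface names, addresses, ACL names,
! server group name, usernames and the RADIUS key are assumed placeholders.

! Transparent mode: the ASA bridges department A and department B,
! so there is no extra hop and no NAT between them.
firewall transparent

! Trigger ACL: it only selects which flows must authenticate. It grants
! nothing by itself; the interface ACL still has to permit the traffic.
access-list AUTH_TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! RADIUS server group pointing at ACS (assumed address and key).
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 10.1.1.50
 key ACS-SHARED-SECRET-PLACEHOLDER

! Cut-through proxy: flows arriving on 'inside' that match AUTH_TRIGGER
! must authenticate against the ACS group before they are passed.
aaa authentication match AUTH_TRIGGER inside ACS_RADIUS

! Per-user authorization is returned by ACS with the Access-Accept as a
! downloadable ACL; no per-user rule is configured on the ASA itself, which
! is why it is not visible here the way a router's dynamic ACL entry is.

! Local users for a LOCAL-only variant: give LOCAL as the server tag in the
! 'aaa authentication match' line instead of ACS_RADIUS. Lock a local user
! after repeated failures.
username alice password AlicePasswordPlaceholder privilege 1
aaa local authentication attempts max-fail 5

! Bound how long an authenticated host stays authenticated.
timeout uauth 0:05:00 absolute

! Verification: list hosts currently authenticated through the proxy.
show uauth
```

Two things worth checking when deploying this: in transparent mode the ASA reaches the RADIUS server from its management IP address, so that address must be routable to ACS, and `show uauth` is the quickest way to confirm that a user from department A was actually authenticated before the flow to department B was allowed.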
