
ASA act like router's "lock & key" ???

Charles_Chi4
Level 1

Hi all,

I just want to ask if ASA can perform like lock & key like router's IOS security feature???

The point is I want to put ASA as the access control between 2 internal departments. I want the ASA to be transparent so there's no hop and no NAT between them. I just want that if people from department A want to access servers in department B, they have to be authenticated first and a dynamic acl would be applied in the ASA to allow the traffic according to their privilege. Is this feature called "cut through proxy"?

And I want to authenticate it using radius from ACS and ASA should retrieve dynamic acl from ACS according to user database, and if the ACS would fall, ASA would use local database and predefined dynamic acl in it.

Regards,

Charles Chia

Panos Kampanakis
Cisco Employee

Yes that is auth proxy functionality.

The ASA proxy matches traffic on an ACL and first authenticates the users that match it.

It can authenticate against RADIUS, LOCAL, or TACACS.

I hope it helps.

PK

Hi PK,

When you said that the ASA proxy will match the traffic on ACL defined in matched statement, it then will be authenticated. The acl before is only just used for triggering the authentication right? and after the authentication is successful, ASA could get dynamic acl applied based on the user, right? And could it be applied in transparent mode ASA?

Could you provide me the link of complete guide regarding all the feature and options for configuring this ASA proxy???

The acl before is only just used for triggering the authentication right? Yes

and after the authentication is successful, ASA could get dynamic acl applied based on the user, right? You don't see the ACL like on the router but it practically denies the host.

And could it be applied in transparent mode ASA? Yes

Could you provide me the link of complete guide regarding all the feature and options for configuring this ASA proxy???

Here it is http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

I hope it helps.

PK
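A minimal cut-through proxy configuration for the setup discussed in this thread, added here as an illustration (not posted by anyone in the thread and not taken from the linked Cisco guide). The server group name, ACL names, addresses and shared secret are constructed placeholders, and it assumes the ACS is reachable through the interface named inside and returns a per-user ACL over RADIUS.

```text
! Constructed example: all names, addresses and the key are placeholders.
!
! RADIUS server group pointing at the ACS
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! This ACL only selects which connections trigger the authentication prompt.
! The ASA can prompt directly on HTTP, HTTPS, FTP and Telnet sessions.
access-list AUTH_TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
access-list AUTH_TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq telnet
!
! Require authentication for matching traffic arriving on the inside interface
aaa authentication match AUTH_TRIGGER inside ACS_RADIUS
!
! Interface ACL. With per-user-override, an ACL returned by RADIUS for an
! authenticated user takes precedence over this ACL for that user's traffic.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq telnet
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside per-user-override
```

After a user authenticates, `show uauth` lists the authenticated hosts and `show access-list` shows any per-user ACL that was installed.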
