Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1118
Views
0
Helpful
3
Replies

ASA as both VPN end-point and Authentication front-end

rajiv.dhawale
Level 1
Level 1

‎05-13-2010 02:27 PM - edited ‎03-10-2019 05:08 PM

Hello Experts,

I have a fundamental design question.

I have a fairly large mobile population (cellular, wifi hotspots, etc) that need to access to access company resources. VPN is not an option for this user population due to the nature of devices.

Assuming I have this user population that uses a cellular network (private APN) and terminates on the cellular cloud. From the cellular cloud I want to build a site to site VPN to the company headend (ASA).

Step 1.

I want to be able to provide a re-directed web page (on the ASA ) for the user to present credentials.

Step 2.

From the ASA I want authenticate the user via RADIUS/AD

Step 3.

Based on the type of the user (returned from RADIUS), I want to allow certain IP Addresses and protocols.

The question I have is, do I need to use 2 ASA's. One for VPN and the other for the Authentication.

Has anyone implemented this scenario and willing to share config ideas.

Is there a better way to do this.

Appreciate your responses.

Labels:
0 Helpful
3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

‎05-13-2010 07:06 PM

Rajiv,


I don't know what do you mean by cellular cloud, Can this clould can serve as a firewall for you because site to site vpn tunnel can only be created either between firewall to fireall or firewall to router.


Scenario 1 ## If your have asked this questions in regards to both site to site vpn tunnel and web page authentication for users behind the ASA then yes you should have two firewalls (ASA) to achieve this.


Scenario 2 ##  If you can create tunnel between your cellular cloud and headend ASA and you are only concern about web page authentication for internal users then the headend device can solve both the issues.


If you want that users should be re-directed web page (on the ASA ) to enter their credentials before they access anything on the internet then this can be done by cut-through proxy.


You may view the below listed link for cut through proxy:


PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml



HTH

JK


Do rate helpul posts-

~Jatin
0 Helpful

rajiv.dhawale
Level 1
Level 1
In response to Jatin Katyal

‎05-14-2010 09:06 AM

Hi JK,

First of all, thanks for replying. I think I said somethings wrong.

When I mean Cellular cloud, yes it is going to be a GGSN or a PDSN on the cellular cloud that will initiate a VPN tunnel and serve as a source.

My users are all outside (untrusted network) and will be accessing inside the the corporate network (trusted network) various servers/protocols.

Before they get to any server/protocol, I would want to present them a webpage. (Do not prefer to use certificates). I would want to authenticate them against our AD.

So, if we are accessing the mobile device from the trusted network, then I dont care to authenticate as I will be reaching them through the VPN tunnel.

So, will a single ASA suffice both termination of a VPN tunnel and doing Authentication of the user or will I need 2 ASA's.

Does the cut-through proxy feature apply to traffic comming into the trusted network.

Regards
Rajiv

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to rajiv.dhawale

‎05-14-2010 09:20 AM

Rajiv,


Thats correct. Single ASA will suffice both termination of a VPN tunnel and doing Authentication of the user coming from internet to trusted network. Cut-through proxy can be used for both direction outside to inside // inside to outside.


If users coming from internet (not through VPN tunnel) want to access some non-standard port numbers.


Here is a sample config,


=======================================================

access-list outside_inside extended permit tcp any host --------> This should be un-used ip address and static too.

access-group outside-in in interface outside


aaa authentication match outside_inside outside CISCO_ACS



aaa-server CISCO_ACS protocol tacacs+
aaa-server CISCO_ACS host
key

=======================================================


Users from outside need to telnet to of the firewall we have used above, the user is  challenged for a username and password, and then authenticated by the  AAA server. Once authenticated, the user sees the message  "Authentication Successful." Then, the user can successfully access  other services that require authentication.


HTH


Regds,

JK


Do rate helpful posts-

~Jatin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents