Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

aaa network access restrictions with secure authen (asa device)

Hi all,

I've been reading a lot about how to configure the cut-through-proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty good).

However, doing so securely seems to be a bit more "fuzzy".

I don't like the idea of authenticating users over clear text telnet or ftp, and https has its own issues (weird timeouts that i can't seem to figure out).

Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?

I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, i just want to tell the ASA:

"Hey, this is me, allow me this (acl) traffic when i'm coming from this IP address, for X minutes or untill i log off again. Please.".

Sounds simple to me. :-)

Perhaps i'm looking at the wrong thing? Perhaps i do not need the cut-through-proxy for this?

I've been looking at articles like this:

And some of Cisco's ASA AAA articles, like this:

They all pretty much seems to do what i want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear-text.

Do i have any other options? Like logging on directly to the device to do the authentication?

Using fixed or named access lists or even downloadable access lists doesn't really matter, i would just like a secure way of activating those access lists.

I'm currently investigating my options, like using a VPN client or script some acl injection, but that just sounds so disturbing.

Thanks a lot.


/Sune T.

CreatePlease to create content