I have an ASA 5510 on the outside with a Remote Access VPN. The user will need to get from the 5510, then go through an ASA 5540, then out to the subnet where they will be doing their work. I have a Cisco ACS version 5.2 that sits on a separate VLAN off of the 5540. I can authenticate users with Radius on the 5510 VPN and use DACLs from the ACS with no problems. However, the DACL only gets downloaded to the 5510 (as expected) and I need it to also download to the 5540. Is there a way to do this? I understand this could mean multiple authentications needed somehow.
Right now when I authenticate, the DACL shows up fine in the 5510, but I get blocked from the devices I need to get to because it of course is not getting added to the 5540 as well. Any help is appreciated. Thanks,
You can have your clients authenticate to the 5510 through the VPN connection that you specified. For the dACL to work on the second ASA you will have to set up cut-through proxy. You can set up an ACL that matches any interesting traffic and they will be presented with a second authentication window where they can log in and receive another dACL to let them through.
This is the guide you are looking for the second ASA:
So if I understand correctly, I'll first set up a 2nd Radius between my 5540 and the ACS. Second I'll set up an AAA rule that says if an address from the specific VPN pool on the 5510 hits the selected interface on the 5540, then the 5540 will provide a prompt for them to authenticate a second time and if it is successful, the DACL will download to the 5540 as well?
It makes sense to work this way. Do I understand correctly?
What you will have to do on the second ASA is set up an ACL that inspects the "interesting" traffic. In your case it will be the devices. Keep in mind that if they are not using http, ftp, telnet and https, if you are blocking other ports then you will have to have the users authenticate directly to the ASA.
So yes after the clients vpn into the network the second ASA will also have to hit a radius server to get another dACL.
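As an added illustration of the cut-through proxy setup described in this answer (not configuration from the original thread or from Cisco), the following ASA fragment for the second firewall assumes a VPN pool of 192.168.100.0/24 on the 5510, a target subnet of 10.20.0.0/24, an ACS address of 10.0.0.5 and a spare address 10.20.0.254 for virtual telnet; all of these are placeholders.

```cisco
! RADIUS server group pointing at the ACS (placeholder address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key CHANGE-ME

! "Interesting" traffic: VPN pool addresses arriving from the 5510
! that try to reach the work subnet (placeholder networks)
access-list CUT_THROUGH extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0

! Challenge matching flows on the interface facing the 5510 and
! authenticate them against the ACS; the dACL returned with the
! RADIUS Access-Accept is then applied to the authenticated user
aaa authentication match CUT_THROUGH outside ACS

! Traffic on ports other than HTTP/HTTPS/FTP/Telnet cannot carry the
! login prompt, so give the user a way to authenticate directly to
! the ASA first: an HTTP listener (placeholder port 1080) or a
! virtual telnet address (placeholder, must route to this ASA)
aaa authentication listener http outside port 1080 redirect
virtual telnet 10.20.0.254

! Optional: drop the uauth entry after 30 minutes of inactivity
timeout uauth 0:30:00 inactivity
```

With this in place the user connects to the VPN on the 5510, then authenticates a second time against the 5540 (via the listener or virtual telnet) before the proprietary-port traffic is permitted by the downloaded dACL.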
The remote clients will of course use the Cisco VPN client to connect, and that works fine with ACS. After that, they'll be trying to get to the devices over a proprietary port, not http, ftp, telnet, or https. So are you saying the authentication will have to be directly from the ASA or can it still work with the ACS? Sorry if I'm missing something here. Thanks.