
Cut through proxy for servers in DMZ only

I have this working with Microsoft RADIUS server however I only want to restrict access to one server sitting in the DMZ using this method and once users authenticate they can RDP to the server. When I apply all the settings I lose all access other than just to this server. Can this be done for one particular server in DMZ and rest of the traffic to the Internet stays the way it is?


Cut through proxy for servers in DMZ only

Mohammad,

What acl are you handing down to the client from the radius server? After the user authenticates can you paste the show access-lists?

Thanks,

Tarik Admani
*Please rate helpful posts*


Cut through proxy for servers in DMZ only

This is what I created on the ASA:

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

Then on the RADIUS server I have it like this:

ip:inacl#1=permit tcp any eq 3389 host 10.1.150.22 gt 1023
ip:inacl#2=permit tcp any gt 1023 host 10.1.150.22 eq 3389
ip:inacl#3=permit tcp any host 10.1.200.150 eq www
ip:inacl#4=permit tcp any host 10.1.200.150 eq telnet

Now once I signed in using cut through proxy all I was able to do was RDP to that IP and lost my access to the internet etc. I am trying for rest of the traffic to keep going out the way it is now but this ACL I only want to kick in when someone is trying to access the server in the DMZ.

Re: Cut through proxy for servers in DMZ only

With Cut through proxy the per user acl should have taken place, can you paste the show access-lists | inc

Either you can hand down the ACL or you can assign the RDPAuth acl you created using the radius ietf filter attribute. However once you assign this ACL that is all you will have network access to.

Also on your interface access-lists do you have the per-user-override statement configured?

thanks.

Tarik Admani
*Please rate helpful posts*


Cut through proxy for servers in DMZ only

Hi Tarik, those dynamic ACLs did get applied; I just removed them so that I can access other resources. That whole part is working fine and it is doing what it needs to do and only giving me access to that one server.

But I want this limitation to be applied to the traffic going to the DMZ only not to the internet.

No, I do not have the "per-user-override" statement configured. What is the purpose of this command?

Cut through proxy for servers in DMZ only

Mohammad,

Can you please clarify what you are requesting. Do you still want access to the DMZ and the internet after you authenticate? Then add another attribute:

ip:inacl#5=permit ip any any

Tarik Admani
*Please rate helpful posts*

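The exchange above turns on how the ASA evaluates the per-user ACL it receives from RADIUS: the ip:inacl entries are tried first-match, and any flow that matches nothing hits the implicit deny at the end, which is why only RDP to 10.1.150.22 survives and internet traffic disappears. The following is an added example, not code from the thread or from Cisco: a small Python simulator of that first-match evaluation. It parses the ACEs exactly as posted (hosts, ports and the extra ip:inacl#5 entry are the thread's), runs constructed sample flows from an authenticated client (addresses from documentation ranges) through them, and also, going one step beyond the thread, shows that an explicit deny placed before the final "permit ip any any" keeps the permit-any from opening other ports on the DMZ host. It models only the downloaded per-user ACL, not the interface ACL or the per-user-override interaction.

```python
"""Added example: first-match evaluation of an ASA per-user (ip:inacl#N) ACL.
Not part of the original thread; hosts/ports come from the posts, the sample
flows below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port_value(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens, i):
    """Address spec at tokens[i]: 'any', 'host A.B.C.D', or 'net mask'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional port operator (eq/gt/lt/neq N); absent means any port."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        op, value = tokens[i], _port_value(tokens[i + 1])
        preds = {"eq": lambda p: p == value, "gt": lambda p: p > value,
                 "lt": lambda p: p < value, "neq": lambda p: p != value}
        return preds[op], i + 2
    return (lambda p: True), i


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport_ok: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport_ok: Callable[[int], bool]
    text: str

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src) in self.src and self.sport_ok(f.sport)
                and ipaddress.ip_address(f.dst) in self.dst and self.dport_ok(f.dport))


def parse_ace(line: str) -> Ace:
    """Accept the RADIUS attribute form 'ip:inacl#1=permit ...' or a bare ACE."""
    if "=" in line:
        line = line.split("=", 1)[1]
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport_ok, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport_ok, i = _parse_port(tokens, i)
    return Ace(action, proto, src, sport_ok, dst, dport_ok, line)


def evaluate(acl, flow: Flow):
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The per-user ACL exactly as posted in the thread.
THREAD_ACL = [parse_ace(l) for l in [
    "ip:inacl#1=permit tcp any eq 3389 host 10.1.150.22 gt 1023",
    "ip:inacl#2=permit tcp any gt 1023 host 10.1.150.22 eq 3389",
    "ip:inacl#3=permit tcp any host 10.1.200.150 eq www",
    "ip:inacl#4=permit tcp any host 10.1.200.150 eq telnet",
]]
# The thread's suggested fix: a trailing permit-any restores all other traffic.
WITH_ANY = THREAD_ACL + [parse_ace("ip:inacl#5=permit ip any any")]
# Beyond the thread: an explicit deny for the DMZ host before the permit-any,
# so only the listed RDP ports reach it while everything else still flows.
SCOPED = THREAD_ACL + [parse_ace("deny ip any host 10.1.150.22"),
                       parse_ace("permit ip any any")]

# Constructed sample flows from an authenticated client (documentation ranges).
SAMPLE_FLOWS = {
    "rdp_to_dmz": Flow("tcp", "192.0.2.10", 50000, "10.1.150.22", 3389),
    "ssh_to_dmz": Flow("tcp", "192.0.2.10", 50001, "10.1.150.22", 22),
    "www_to_internet": Flow("tcp", "192.0.2.10", 50002, "198.51.100.7", 80),
}


def decisions(acl):
    """Map each sample flow name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, f)[0] for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("thread", THREAD_ACL), ("with #5", WITH_ANY), ("scoped", SCOPED)):
        print(label, decisions(acl))
```

Running it shows the thread's ACL permitting only rdp_to_dmz, the version with ip:inacl#5 permitting all three flows (including SSH to the DMZ host), and the scoped version permitting RDP and internet traffic while still denying the SSH flow, which is the ordering detail to check whenever a permit-any is appended to a downloaded ACL.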

Cut through proxy for servers in DMZ only

I only want to use the cut through proxy for access to the DMZ servers; however, it seems like that is not possible. If I use that, then it will also apply to the Internet and access to the other resources as well?

Cut through proxy for servers in DMZ only

If you want to use cut through proxy then you have to create the authentication match statement in order to match the traffic that you want to block that will trigger cut-through proxy. When you authenticate then the ACL that you hand down to the client is what will determine what they have access to.

Can you please share your configuration, I am curious to see how you have this configured.

Thanks,

Tarik Admani
*Please rate helpful posts*


Cut through proxy for servers in DMZ only

I understand that and I am doing exactly that but like I said it is blocking my access to the internet, so it looks like I need to configure it so there is an "ip any any" statement in there too for the rest of the access. What I was hoping to accomplish was only restrict access to the DMZ host, not the rest of the network.

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

Cut through proxy for servers in DMZ only

Please post your entire configuration.

Thanks,

Tarik Admani
*Please rate helpful posts*
