How can I configure Cisco ASA AAA for a DMZ service

zaediahmedccna
Level 1

Outside users access 150.1.7.60 on port 9007 using a specific URL:9007. This service is in the DMZ. The packet gets translated in the ASA to 172.16.15.8.

How can I authenticate that traffic?

ADDITIONAL INFORMATION:

I have configured a TACACS server at 172.16.10.60 in the INSIDE zone. A test from the ASA for a user on the TACACS server is successful.

My ISP has the 1.1.1.216/248 block assigned to my company. 1.1.1.217 is on the ISP side. 1.1.1.218 is my ASA outside interface address. 1.1.1.221 is the DNS entry for my URL at the ISP.

5 Replies

Tarik Admani
VIP Alumni

Ahmed,

It looks like you want to use cut-through proxy, which is supported on native ports. I do not think non-standard ports are allowed, but here is a guide that will shed some light on this topic.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

There are some backup methods that will allow your design to work in case direct authentication isn't supported on port 9007.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik Admani,

Thank you for your reply. What happens now is that I have to type a different URL like "http://:/netaccess/connstatus.htm" and authenticate first, and then go to "URL:9007".

What I need is that when I enter "URL:9007" it redirects me to the authentication page, and after authentication it opens "URL:9007".

How can I do that?

Thanks

You may have to open a TAC case; however, I do not think that is part of the design for "direct authentication", since this is on a non-standard port that the ASA doesn't listen on for the experience you are looking to accomplish.

The backup method based on the configuration guides explicitly mentions that you have to hit the portal on the ASA first, so that the user IP is then allowed access to the resource on 9007. While I understand that this is running HTTP services, the ASA firewall does not know that, because of the non-standard port it listens for.

Thanks,

Tarik Admani
*Please rate helpful posts*
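The backup method described above, written out as an added ASA configuration example (not from this thread or from Cisco's guide): the TACACS+ server and DMZ real address are the ones given in the question; ASA 8.3+ ACL syntax, the group name TACACS-SRV, the ACL name AUTH-DMZ, the listener port 1443 and the shared-secret placeholder are assumptions.

```cisco
! Added example, not from the thread. Assumes ASA 8.3 or later, where ACLs
! reference the real (untranslated) address of the DMZ host.
!
! TACACS+ server on the inside (172.16.10.60, as stated in the question)
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 172.16.10.60
 key PLACEHOLDER_SHARED_SECRET
!
! Traffic that must be authenticated before it is permitted:
! outside -> DMZ server 172.16.15.8 on TCP 9007 (the URL:9007 service).
! A connection that matches this ACL from an unauthenticated source IP
! is held until that IP has authenticated through the listener below.
access-list AUTH-DMZ extended permit tcp any host 172.16.15.8 eq 9007
aaa authentication match AUTH-DMZ outside TACACS-SRV
!
! Portal the ASA itself serves on the outside interface. "redirect" only
! intercepts HTTP/HTTPS on ports 80/443; TCP 9007 is never intercepted,
! so the user first opens
!   https://<ASA outside address>:1443/netaccess/connstatus.htm
! logs in, and only then connects to URL:9007.
aaa authentication listener https outside port 1443 redirect
!
! Force the credential exchange to HTTPS when plain HTTP is intercepted
! ("Enabling Secure Authentication of Web Clients" in the 7.0 guide)
aaa authentication secure-http-client
!
! Lifetime of an authenticated source IP (uauth) before re-login is required
timeout uauth 0:30:00 absolute
```

The ACL and the listener are what make the difference: with only `aaa authentication match`, 9007 traffic from an unauthenticated address is simply held, and nothing tells the user where to log in.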

What do you say about the

Enabling Secure Authentication of Web Clients

section of http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043431

Thanks and regards

Ahmed ehtesham zaedi

Assalamu alaikum brother,

I have configured HTTPS authentication. But the problem is I cannot customize the HTTPS page. Is there any way to customize the AAA HTTPS authentication page on the ASA?

Another question is: can I redirect to my URL, like http://a.b.c.d:9007/abc, after a successful login?

On a Cisco Catalyst switch there are some commands like:

ip admission proxy http login page file device:login-filename

ip admission proxy http success page file device:success-filename

ip admission proxy http failure page file device:fail-filename

ip admission proxy http expired page file device:expired-filename

Can I do this sort of thing on a Cisco ASA, or are there some alternative commands that I need to follow?

Thanks in advance