Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How can configure CISCO ASA AAA for a DMZ service

Outside user access to 150.1.7.60 on port 9007 using specific URL:9007. This service is at the DMZ. Packet get translated in asa to 172.16.15.8.

How I can authenticate that traffic?

ADDITIONAL INFORMATION:

I have configured a TACACS server at 172.16.10.60 on INSIDE zone. Test from ASA for a user in TACACS server is successful.

My ISP has got 1.1.1.216/248 block assigned for my company. 1.1.1.217  is in the ISP part. 1.1.1.218 is my asa outside interface address.  1.1.1.221 in my URL addresses DNS entry at ISP.

5 REPLIES

How can configure CISCO ASA AAA for a DMZ service

Ahmed,

It looks like you want to use cut-through proxy which is supported on native ports. I do not think non-standard ports are allowed but here is a guide that will shed some light on this topic.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

There are some backup methods that will allow your design to work in case direct authentication isnt supported on the 9007 port.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

How can configure CISCO ASA AAA for a DMZ service

Hello Tarik Admani,

Thank you for your reply. What happened now is that I had to type different url like "http://:/netaccess/connstatus.htm" and authenticate first and then go to "URL:9007".

What i need is when I put "URL:9007" it will redirect me to the authentication page. and after the authentication it will open the "URL:9007".

How can I do that?

Thanks

How can configure CISCO ASA AAA for a DMZ service

You may have to open a tac case however I do not think that is part of the design for "direct authentication" since this is on a non standard port that the ASA doesnt listen on for the experience that you are looking to accomplish.

The backup method based on the configuration guides explicitly mentions that you have to hit the portal from the ASA so then the user ip is allowed access to the resource on 9007, while I understand that this is running http services, the ASA firewall doesnt not know that because of the non-standard port it listens for.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

How can configure CISCO ASA AAA for a DMZ service

What you say about:

Enabling Secure Authentication of Web Clients

section of http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043431

Thanks and regards

Ahmed ehtesham zaedi

New Member

Re: How can configure CISCO ASA AAA for a DMZ service

Assalamu alikum brother,

I have configured an https authentication. But the problem is I cannot customize the https page. Is there any way to customize AAA https authentication page in asa.

Another question is, can I redirect to my url like http://a.b.c.d:9007/abc after successful login.

I cisco catalyst switch there are some command like:

ip admission proxy http login page file device:login-filename

ip admission proxy http success page file device:success-filename

ip admission proxy http failure page file device:fail-filename

ip admission proxy http expired page file device:expired-filename

commands but can I do this sort of thing in cisco ASA or there are some alternative commands that I need to follow.

Thanks in advance

354
Views
0
Helpful
5
Replies