Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
4
Replies

ASA Cut Through (Authentication) Proxy for a Single ACL

Michael Lyons
Level 1
Level 1

‎12-04-2013 06:45 AM - edited ‎03-11-2019 08:12 PM

I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.  I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?  Is there a way to only authenticate users accessing one server?

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎12-04-2013 06:51 AM

Hi,

Have not had to deal with this that many times myself but I would guess that you can only include this certain traffic for the AAA and exclude all other traffic so that it is not affected by the feature.

Will have to see if I have the time to test this at home.

- Jouni

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni

‎12-04-2013 08:50 AM

Hi,

Seems to me the easiest way to do this is you are connecting to the destination server with either Browser or CLI based connection.

For example if its a browser based connection then you could configure

username password privilege

access-list PROXY-AUTH extended permit tcp any host eq http

access-list PROXY-AUTH extended permit tcp any host eq https

access-list PROXY-AUTH extended deny ip any any

aaa authentication match PROXY-AUTH LAN LOCAL

I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL

Where "LAN" is my interface "nameif" connect to my LAN network.

To my understanding if you are using some application for this connection that doesnt apply in this situation then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.

Have a look at this document for some help

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

Hope this helps

- Jouni

0 Helpful

Michael Lyons
Level 1
Level 1
In response to Jouni Forss

‎12-04-2013 10:23 AM

Hi Jouni,

Thanks very much for your response.  That certainly points me in the right direction.  I just got dragged into the emergency of the day (nature of our business I suppose), but I'll try this out and let you know how it works out.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Michael Lyons

‎12-04-2013 11:55 AM

Hello,

Just to add:

Make sure the connection will be done to HTTP, HTTPS,Telnet or FTP.

Otherwise you will need to configure virtual-telnet virtual HTTP or HTTP redirect.

I can provide help if any of those is needed.

Just let us know and remember to rate all of the helpful posts

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card