Cut-through/direct authentication connection being denied

marc.reiter
Level 1

I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.

Here's what I've got:

aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255

I can connect to the web page and authenticate successfully.

6          Aug 21 2012          06:00:33                    222.222.222.146          0 222.222.222.146          0          Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside

But, when I try to RDP in on 3391, it's not hitting the authmatch access list. It's hitting the outside_access_in access list and it's denied by the default deny.

4          Aug 21 2012          06:04:26 222.222.222.146          50414 111.111.111.162          3391          Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]

Why won't it hit the correct access-list?

Thanks,

- Marc


6 Replies

nkarthikeyan
Level 7

Hi Marc,

I suggest you should permit that in the ACL which you apply to the inbound (outside) interface. And then your AAA configuration should have the proxy authentication ACL pointed to go for firewall authentication to make this work.

In the auth ACL you have to permit the traffic when you need it to go through via authentication; when you have a deny it will go as unauthenticated access. Normally we will have the RADIUS server as the cut-through proxy. Still, you can do that with LOCAL as well, I guess.

Please do rate if the given information helps.

By

Karthik

Karthik,

I'm not sure I'm completely following. Could you give an example configuration?

- Marc

Hello Marc,

What Karthik is telling you is the following:

- The cut-through proxy adds additional control over the connections across your firewall by using the ASA as a proxy, but you still need to allow the traffic in the proper ACLs on the interfaces of your ASA.

So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course, only the users who have authenticated will successfully connect.

Regards,

Remember to rate all the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Man, was it really that easy??? I thought if I added that entry it would always permit the traffic (even if not authenticated).

I added the ACL entry and that seemed to do it. Not authenticated, I could not connect. Authenticated, I was able to connect.

I was following the website below to set it up and they neglected to mention that entry.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

Thanks!!

- Marc

Hello Marc,

Glad it is working now.

Yeah, sometimes the documentation is not that explicit; that's why we are here.

Please mark the question as answered so future users with the same query can learn from this.

Thanks for the rating, and for any other question just let me know.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Great News Marc!!!

One more point: if you need unauthenticated access for any users, then you can have deny rules for that specific flow so that it can skip the authentication. When you have a permit in the proxy ACL it will go for authentication; when you deny it will go as unauthenticated.

By

Karthik
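Putting Julio's point (the interface ACL must still permit the flow) and Karthik's point (a deny in the auth ACL bypasses authentication) together, here is an added example configuration using Marc's addresses. It is not from the thread or from Cisco's documentation; the exempt host 203.0.113.10 and the uauth timeout value are assumptions.

```cisco
! Interface ACL: evaluated regardless of cut-through proxy. Without this line the
! RDP flow hits the implicit deny, which is the "Deny tcp ... by access-group
! outside_access_in" message in the original post. Port 5555 is to-the-box
! traffic (the ASA's own listener), so it needs no interface ACL entry.
access-list outside_access_in extended permit tcp any host 111.111.111.162 eq 3391
access-group outside_access_in in interface outside

! Authentication ACL: permit = flow must be authenticated first,
! deny = flow is passed through without authentication.
! Assumed exempt host (constructed address) that may skip the proxy:
access-list authmatch extended deny tcp host 203.0.113.10 host 111.111.111.162 eq 3391
! Everyone else reaching 3391 must authenticate against LOCAL first.
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555

aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555

! Authenticated users are cached per source IP; an absolute timeout bounds
! how long a cached authentication keeps matching new connections (assumed value).
timeout uauth 0:05:00 absolute

! Pre-8.3 static PAT: outside 3391 -> inside workstation 3389.
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
```

Order matters in the authmatch ACL: the deny for the exempt host must precede the broader permit, or it is never reached.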
