08-21-2012 07:30 AM - edited 03-11-2019 04:44 PM
I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
Here's what I've got:
aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
I can connect to the web page and authenticate successfully.
6 Aug 21 2012 06:00:33 222.222.222.146 0 222.222.222.146 0 Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
But, when I try to RDP in on 3391, it's not hitting the authmatch access list. It's hitting the outside_access_in access list and it's denied by the default deny.
4 Aug 21 2012 06:04:26 222.222.222.146 50414 111.111.111.162 3391 Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
Why won't it hit the correct access-list?
Thanks,
- Marc
08-21-2012 09:32 AM
Hi Marc,
I suggest you permit that in the ACL which you apply to the inbound (outside) interface. Then your AAA configuration should have the proxy authentication ACL pointing to firewall authentication to make this work.
In the auth ACL you have to permit it when you need that to go through via authentication; when you have a deny, it will go as unauthenticated access. Normally we would have the RADIUS server as the cut-through proxy. Still, you can do that with LOCAL as well, I guess.
Please do rate if the given information helps.
By
Karthik
08-23-2012 06:35 AM
Karthik,
I'm not sure I'm completely following. Could you give an example configuration?
- Marc
08-23-2012 11:30 AM
Hello Marc,
What Karthik is telling you is the following:
-The cut-through proxy adds additional control over the connections across your firewall; it does this by using the ASA as a proxy, but you still need to allow the traffic in the proper ACLs on the interfaces of your ASA.
So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course, only the authenticated users will successfully connect.
Regards,
Remember to rate all the helpful posts
Julio
CCSP
08-23-2012 12:47 PM
Man, was it really that easy??? I thought if I added that entry it would always permit the traffic (even if not authenticated).
I added the ACL entry and that seemed to do it. Not authenticated I could not connect. Authenticated I was able to connect.
I was following the website below to set up and they neglected to mention that entry.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
Thanks!!
- Marc
08-23-2012 12:53 PM
Hello Marc,
Glad it is working now.
Yeah, sometimes the documentation is not that explicit; that's why we are here.
Please mark the question as answered so future users with the same query can learn from this.
Thanks for the rating, and for any other question just let me know.
Regards
Julio
08-23-2012 10:25 PM
Great news, Marc!!!
One more point: if you need unauthenticated access for any users, then you can have deny rules for that specific flow so that it can skip the authentication. When you have a permit in the proxy ACL it will go for authentication; when you deny, it will go as unauthenticated.
By
Karthik
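Putting Julio's fix (the missing entry in the interface ACL) and Karthik's exemption note (a deny in the match ACL skips authentication) together, here is a complete configuration for the scenario in this thread. This is an added example, not a configuration from the original posts or from the Cisco tech note Marc linked; it reuses the ACL names, addresses and port-forward from Marc's post and keeps the pre-8.3 "static" NAT syntax he used. The local password and the exempt source address 203.0.113.10 are placeholders, and the listener is changed from HTTP to HTTPS so the password does not cross the outside interface in the clear.

```cisco
! Added example (not from the original posts): ASA cut-through proxy gating a
! single RDP port-forward, pre-8.3 NAT syntax to match the "static" command
! in the thread. Lines marked PLACEHOLDER are assumptions for illustration.

! Local account the outside user authenticates as (PLACEHOLDER password)
username USER1 password Ch4ngeMe-now privilege 0

! Which through-traffic requires authentication.
! permit = must authenticate first, deny = passes without authentication.
! Entries are evaluated top-down, first match wins, so the exemption for one
! trusted source (PLACEHOLDER address) has to come before the broader permit.
access-list authmatch extended deny tcp host 203.0.113.10 host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555

! Tie the match ACL to the LOCAL user database and open the login page on
! the outside interface (HTTPS so the credentials are encrypted in transit)
aaa authentication match authmatch outside LOCAL
aaa authentication listener https outside port 5555

! The interface ACL still has to permit the forwarded port. The proxy only
! gates the flow, it does not replace this check. This was the missing line.
access-list outside_access_in extended permit tcp any host 111.111.111.162 eq 3391
access-group outside_access_in in interface outside

! Port-forward public 3391 to the workstation's RDP port
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255

! Expire the authentication so a forgotten session does not stay open
timeout uauth 0:30:00 absolute
```

To verify the behaviour Marc reported (unauthenticated: denied; authenticated: connects), use `show uauth` to list authenticated users and their remaining time, `show access-list authmatch` and `show access-list outside_access_in` to see from the hit counts which ACE an RDP attempt matched, and `clear uauth` to drop the session and re-test the unauthenticated case. The exempt source in the deny line is still subject to outside_access_in; the deny only removes the authentication requirement, it does not block anything. On ASA 8.3 and later the port-forward is written with an `object network` and `nat (inside,outside) static interface service tcp 3389 3391`, and the ACLs are then written against the real address 192.168.1.101 and port 3389 rather than the mapped 111.111.111.162 and 3391, so the ACL lines above need adjusting on those versions.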