Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cut-through/direct authentication connection being denied

I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.

Here's what I've got:

aaa authentication match authmatch outside LOCAL

aaa authentication listener http outside port 5555

access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391

access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555

static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255

I can connect to the web page and authenticate successfully.

6          Aug 21 2012          06:00:33                    222.222.222.146          0 222.222.222.146          0          Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside

But, when I try to RDP in on 3391, it's not hitting the authmatch access list.   It's hitting the outside_access_in access list and it's denied by the default deny.

4          Aug 21 2012          06:04:26 222.222.222.146          50414 111.111.111.162          3391          Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]

Why won't it hit the correct access-list?

Thanks,

- Marc

1 ACCEPTED SOLUTION

Accepted Solutions

Cut-through/direct authentication connection being denied

Hello Marc,

What Karthik is telling you is the following:

-The cut through proxy adds additional control regarding the connections across your firewall, this by using the ASA as a proxy but you still need to allow the traffic on the proper ACL's on the interfaces of your ASA.

So just create an ACL entry into the outside acl permiting traffic to port 3391, of course only the users authenticated will succesfully connect

Regards,

Remember to rate all the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
6 REPLIES

Cut-through/direct authentication connection being denied

Hi Marc,

I suggest you should permit that in the ACL which you apply for inbound (outside) interface. And then your AAA configuration should have the proxy authentication ACL pointed to go for firewall authentication to make this work.

In auth ACL you have to permit when you need that to go through via authentication when you have the deny it will go as unauthenticated access. Normally we will have the radius server as the cut through proxy. Still you can do that with the local as well i guess.

Please do rate if the given information helps.

By

Karthik

New Member

Cut-through/direct authentication connection being denied

Karthik,

I'm not sure I'm completely following.   Could you give an example configuration?

- Marc

Cut-through/direct authentication connection being denied

Hello Marc,

What Karthik is telling you is the following:

-The cut through proxy adds additional control regarding the connections across your firewall, this by using the ASA as a proxy but you still need to allow the traffic on the proper ACL's on the interfaces of your ASA.

So just create an ACL entry into the outside acl permiting traffic to port 3391, of course only the users authenticated will succesfully connect

Regards,

Remember to rate all the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Cut-through/direct authentication connection being denied

Man, was it really that easy???    I thought if I added that entry it would always permit the traffic (even if not authenticated).

I added the ACL entry and that seemed to do it.  Not authenticated I could not connect.   Authenticated I was able to connect.

I was following the website below  to set up and they negelected to mention that entry.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

Thanks!!

- Marc

Cut-through/direct authentication connection being denied

Hello Marc,

Glad is working now

Yeah sometimes the documentation is not that explicit, that's why we are here

Please mark the question as answered so future users with the same query can learn from this,

Thanks for the rating and any other question just let me know,

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Cut-through/direct authentication connection being denied

Great News Marc!!!

One more point.... If you need unauthenticated access for any users.... Then you can have the deny rules for that specific flow so that it can skip the authentication... when you have permit in proxy ACL it will go for authentication... when you deny it will go as unauthenticated....

By

Karthik

454
Views
5
Helpful
6
Replies
CreatePlease to create content