Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

cut-thru proxy on asa

hi all,

i am configuring cut-thru proxy on asa.

the config guide says that the authorization acl should be a subset of the acl used for authentication.

in my scenario i am using telnet to auhenticate the user and i want to authorize traffic from 2.1.1.2 to 1.1.1.2 for http only.

my asa config is as follows:

-------------------------------------

aaa-server cisco proto tacacs+

aaa-server host 1.1.1.2

key cisco

access-l 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23

access-l 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80

access-group 101 in int outside

aaa authentication match 101 outside cisco

aaa authorization match 102 outside cisco

-------------------------------------------

with this configuraion on the asa the user gets autheticated successfully , but cannot browse the webpage on 1.1.1.2.

this happened becoz my acl 101 applied on the outside does not allow http traffic ; and also acl 102 is not a subset of 101.

hence i reconfigured 101 as - access-l 101 permit ip host 2.1.1.2 host 1.1.1.2

now the user gets autheticated successfully , also the authorization is a PASS and the webpage can be accessed on 1.1.1.2.

now if i try to access the remote desktop port of 1.1.1.2 it works successfully. i havent authorized this on the acs , why dont i get authorization failure for traffic destined for rdp on 1.1.1.2 ?

on acs for the user cisco , i have configured under the shell command authorization

---------------------------------

unmatched ios commands - deny

command - http

argument - permit 1.1.1.2

unlisted arguments - deny

please let me know where i am going wrong in the configuration.

thanks

kirti.

2 REPLIES
Community Member

Re: cut-thru proxy on asa

I think in acl 101 you should only permit for port 80 (default port for http). Following link may help you

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Community Member

Re: cut-thru proxy on asa

thanks for your reply . but unfortunately i am not looking for that solution . i completely understand the acl required to permit rdp traffic, (as mentioned in the link.)

what i need to know is , how to stop unauthorized access from getting across the asa. i want the unauthorized access to rdp to be denied by the acs server.

thanks

kirti.

510
Views
0
Helpful
2
Replies
CreatePlease to create content