Cisco Support Community
Community Member

cut-thru proxy on asa

hi all,

I am configuring cut-thru proxy on ASA.

The config guide says that the authorization ACL should be a subset of the ACL used for authentication.

In my scenario I am using telnet to authenticate the user and I want to authorize traffic from to for HTTP only.

My ASA config is as follows:

aaa-server cisco proto tacacs+
aaa-server host
key cisco
access-l 101 permit tcp host host eq 23
access-l 102 permit tcp host host eq 80
access-group 101 in int outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco

With this configuration on the ASA the user gets authenticated successfully, but cannot browse the webpage on

This happened because my ACL 101 applied on the outside does not allow HTTP traffic; and also ACL 102 is not a subset of 101.

Hence I reconfigured 101 as - access-l 101 permit ip host host

Now the user gets authenticated successfully, also the authorization is a PASS and the webpage can be accessed on

Now if I try to access the remote desktop port of it works successfully. I haven't authorized this on the ACS, so why don't I get an authorization failure for traffic destined for RDP on ?

On ACS for the user cisco, I have configured under the shell command authorization:

unmatched ios commands - deny
command - http
argument - permit
unlisted arguments - deny

Please let me know where I am going wrong in the configuration.



Community Member

Re: cut-thru proxy on asa

I think in ACL 101 you should only permit port 80 (default port for HTTP). The following link may help you

Community Member

Re: cut-thru proxy on asa

Thanks for your reply, but unfortunately I am not looking for that solution. I completely understand the ACL required to permit RDP traffic (as mentioned in the link).

What I need to know is how to stop unauthorized access from getting across the ASA. I want the unauthorized access to RDP to be denied by the ACS server.
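A constructed check for the two rules this thread turns on (the config guide's subset rule from the original question, and the follow-up's question of why RDP is never refused): it is added here and is not Cisco's or the poster's code. It assumes RFC 5737 placeholder hosts in place of the thread's elided addresses, handles only the host-to-host permit form shown in the thread, and models the ASA behaviour that only traffic matching the authorization ACL is sent to the AAA server for authorization.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the poster's second config (hosts are RFC 5737 placeholders, not from the thread).
CONFIG = """
access-l 101 permit ip host 203.0.113.10 host 192.0.2.20
access-l 102 permit tcp host 203.0.113.10 host 192.0.2.20 eq 80
"""

ACE_RE = re.compile(
    r"access-l(?:ist)?\s+(\S+)\s+permit\s+(ip|tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?$")

@dataclass(frozen=True)
class Ace:
    proto: str            # "ip" covers both tcp and udp
    src: str
    dst: str
    port: Optional[int]   # None = any destination port

def parse_acls(config: str) -> dict:
    """Parse host-to-host permit entries into {acl_name: [Ace, ...]}; other lines are ignored."""
    acls: dict = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append(Ace(proto, src, dst, int(port) if port else None))
    return acls

def covers(outer: Ace, inner: Ace) -> bool:
    """Is every flow matched by `inner` also matched by `outer`? (ip > tcp/udp, any port > one port)"""
    return (outer.src == inner.src and outer.dst == inner.dst
            and outer.proto in ("ip", inner.proto)
            and outer.port in (None, inner.port))

def authz_is_subset(acls: dict, authn: str, authz: str) -> bool:
    """The config-guide rule: each authorization entry must be covered by some authentication entry."""
    return all(any(covers(a, z) for a in acls[authn]) for z in acls[authz])

def aaa_path(acls: dict, iface: str, authn: str, authz: str, proto: str, src: str, dst: str, port: int) -> str:
    """Which AAA steps one flow goes through, given the interface, authentication and authorization ACLs."""
    flow = Ace(proto, src, dst, port)
    hit = lambda name: any(covers(a, flow) for a in acls[name])
    if not hit(iface):
        return "dropped by interface ACL"
    if not hit(authn):
        return "permitted without authentication"
    return "authenticated and authorized" if hit(authz) else "authenticated only, never sent for authorization"
```

With the thread's second config an RDP flow (port 3389) classifies as authenticated only: it never matches ACL 102, so ACS is never asked about it and has no chance to deny it.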


