07-20-2007 11:40 PM - edited 03-11-2019 03:47 AM
Hi all,
I am configuring cut-through proxy on an ASA.
The config guide says that the authorization ACL should be a subset of the ACL used for authentication.
In my scenario I am using Telnet to authenticate the user, and I want to authorize traffic from 2.1.1.2 to 1.1.1.2 for HTTP only.
My ASA config is as follows:
-------------------------------------
aaa-server cisco proto tacacs+
aaa-server host 1.1.1.2
key cisco
access-l 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23
access-l 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
access-group 101 in int outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco
-------------------------------------------
With this configuration on the ASA the user gets authenticated successfully, but cannot browse the web page on 1.1.1.2.
This happened because my ACL 101 applied on the outside does not allow HTTP traffic, and also ACL 102 is not a subset of 101.
Hence I reconfigured 101 as: access-l 101 permit ip host 2.1.1.2 host 1.1.1.2
Now the user gets authenticated successfully, the authorization is also a PASS, and the web page can be accessed on 1.1.1.2.
Now if I try to access the remote desktop port of 1.1.1.2 it works successfully. I haven't authorized this on the ACS, so why don't I get an authorization failure for traffic destined for RDP on 1.1.1.2?
On ACS for the user cisco, I have configured the following under shell command authorization:
---------------------------------
unmatched ios commands - deny
command - http
argument - permit 1.1.1.2
unlisted arguments - deny
Please let me know where I am going wrong in the configuration.
Thanks,
Kirti.
07-26-2007 07:01 AM
I think in ACL 101 you should only permit port 80 (the default port for HTTP). The following link may help you.
07-26-2007 09:59 AM
Thanks for your reply, but unfortunately I am not looking for that solution. I completely understand the ACL required to permit RDP traffic (as mentioned in the link).
What I need to know is how to stop unauthorized access from getting across the ASA. I want the unauthorized access to RDP to be denied by the ACS server.
Thanks,
Kirti.
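The situation described in the two posts above, as an added configuration example that is not from the original thread: the ASA only sends an authorization request to the AAA server for traffic that matches the authorization ACL, so with ACL 102 limited to port 80 the RDP session is never authorized at all and is simply passed by interface ACL 101 (permit ip). The variant below widens the authorization ACL to the same scope as the authentication ACL so that every service, RDP included, must be authorized by ACS; that ACS then rejects the RDP request under the "unlisted arguments - deny" rule from the first post is an assumption, as is the RDP port number 3389.

```cisco
! Weak variant (as posted): only HTTP traffic is ever sent to ACS for
! authorization. Any other service that ACL 101 permits, such as RDP,
! is never subject to an authorization check and passes once the
! Telnet authentication has succeeded.
access-list 101 permit ip host 2.1.1.2 host 1.1.1.2
access-list 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
access-group 101 in interface outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco

! Hardened variant (added example): the authorization ACL covers the
! same traffic as the authentication ACL (a subset is still required,
! and equal scope satisfies that). Every service from 2.1.1.2 to 1.1.1.2
! is now sent to ACS; HTTP matches the configured "http" command, while
! RDP (tcp/3389, assumed) is an unlisted command and is denied by ACS.
access-list 101 permit ip host 2.1.1.2 host 1.1.1.2
access-list 102 permit ip host 2.1.1.2 host 1.1.1.2
access-group 101 in interface outside
aaa authentication match 101 outside cisco
aaa authorization match 102 outside cisco

! Optional defence in depth (assumed ports): restrict the interface ACL to
! the services that are expected at all, so ports that ACS never needs to
! see are dropped by the ASA before any AAA exchange takes place.
! access-list 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23
! access-list 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80
! access-list 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 3389
```

After changing the ACLs, clear the cached user entry (for example with clear uauth) and re-authenticate, otherwise the existing session may continue to use the old authorization state.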