From: Kal Han (calikali2006@gmail.com)
Date: Fri Sep 15 2006 - 02:54:29 ART
Cut-through proxy in PIX is very similar to auth-proxy in IOS. It's just that
auth-proxy is triggered by HTTP traffic, but cut-through proxy is triggered by
any traffic that matches the AAA access-list.
----> The above is doing inline authentication. Your connection stays alive
after AAA authentication.
But since not all applications can provide a username and password when
requested, you have virtual telnet (yes, it is similar to lock-and-key ACLs).
----> Here you are doing out-of-band authentication, which means your original
connection gets disconnected and you have to connect to the final destination
again.
In your example, when you try to access the email (say from a browser) it will
prompt you to enter a username and password (this is coming from AAA), and then
you might again be prompted for a username/password by the email server itself.
But your TCP connection is alive after AAA authentication and it proceeds to
the email server.
You need virtual telnet only for applications that cannot be authenticated in
the above fashion, such as any custom applications running on weird port
numbers.
HTH
Kal
On 9/14/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
>
> Guys;
> I am trying to understand the concept of cut-through proxy.
> Let's say I want to authenticate traffic passing through the PIX which is
> not HTTP or Telnet.
>
> The documents give two options: either I need to telnet (or HTTP) first,
> or I can enable the virtual telnet.
>
> Is this something like lock and key, where I need to telnet to the device
> first to get some dynamic entries after that?
>
> Say I want to authenticate any traffic other than Telnet or HTTP (say SMTP)
> from inside to outside:
>
> R1--------pix>>-------------R2
>
> access-list cut_through permit tcp any any eq 25
> access-list cut_through permit tcp any any eq 23
>
> aaa authentication match cut_through inside local
>
> Does this mean every time I need to access email, I have to telnet to an
> outside device first to get the authentication of SMTP?
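As an added example (not taken from either message in this thread), the PIX 6.x configuration below puts together the two modes described above: the poster's own access-list and aaa rule for inline authentication, plus a virtual telnet address for the SMTP case that cannot carry a prompt. The address 192.0.2.10 and the user name are constructed placeholders, and the LOCAL server tag is assumed in place of the poster's "local".

```text
! Local user database referenced by the aaa rule (constructed user)
username ccie password cisco123

! Traffic that requires authentication: SMTP and Telnet from inside to outside
! (the poster's own access-list, unchanged). Port 23 also covers the telnet
! session to the virtual address below, so the PIX intercepts it.
access-list cut_through permit tcp any any eq 25
access-list cut_through permit tcp any any eq 23

! Inline (cut-through) authentication: for Telnet the PIX itself prompts for
! username/password and then lets the same TCP connection continue to R2.
aaa authentication match cut_through inside LOCAL

! Out-of-band authentication for protocols the PIX cannot prompt in (SMTP):
! the user telnets to this unused address, which the PIX answers for,
! authenticates, is disconnected, and then opens the SMTP connection to R2.
! Constructed address; it must not belong to any real host.
virtual telnet 192.0.2.10

! How long an authenticated source address stays authorized for all matching
! traffic before the user has to authenticate again.
timeout uauth 0:05:00 absolute
```

`show uauth` on the PIX lists which source addresses are currently authenticated and how much uauth time they have left, which is the quickest way to confirm that the virtual telnet session actually took effect before the SMTP connection is attempted.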
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART