Re: problem with cut-through proxy on asa

From: Tarun Pahuja (pahujat@gmail.com)
Date: Thu Jun 21 2007 - 08:02:26 ART


Sebastan,
               Let me take an example to clarify how the ASA works with AAA for
cut-through proxy.

aaa-server tacacs-servers protocol tacacs+
aaa-server tacacs-servers (inside) host 10.10.10.10 cisco
aaa-server tacacs-servers (inside) host 10.10.10.11 cisco
aaa authentication include any inside 10.10.10.0 255.255.255.0 0 0 tacacs-servers
aaa authentication exclude udp/53 inside 10.10.10.0 255.255.255.0 0 0 tacacs-servers
aaa authentication secure-http-client

Remember that only Telnet, SSH, FTP, HTTP and HTTPS can actually trigger a
prompt. In the configuration above you are allowing (exclude command) DNS to
pass through so that users on the inside can resolve addresses before being
prompted for user authentication. The (match command) is matching
the networks that need to be authenticated. 10.10.10.0/24 is the inside
network (secure) of the ASA. You can also use ACLs to trigger the authentication
process (gives more granularity). You can also enable authorisation and
accounting on end-user connections through the firewall using the ACS server.

HTH,
Tarun Pahuja
CCIE#7707(R&S,security,SP,Voice,Storage),CCSI

On 6/21/07, sebastan bach <sebastan.bach@gmail.com> wrote:
>
> Hi, I am configuring cut-through proxy on the ASA with the ACS server.
>
> My host is on the inside and is trying to access the web server which is
> in the DMZ.
>
> The question is: when we do cut-through proxy on routers, on the incoming
> interface where the host and ACS server reside we configure an access-list
> permitting only TACACS traffic from the ACS server to the router's
> interface. Once the user gets authenticated, his ACL gets downloaded
> from the ACS server and he gets access.
>
> But here on the ASA, if I put an ACL the same way, the ASA doesn't ask for
> authentication. Without the ACL the host is prompted for authentication.
>
> But without the ACL the host is anyway able to send other kinds of
> traffic which are not authenticated, like ping. How can I control this behaviour?
>
> Can someone please help me on this?
>
> regards
>
> sebastan
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
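Added example, not from either message in the thread: an ASA cut-through proxy configuration that puts Tarun's ACL-based trigger next to an interface ACL, which is the piece Sebastan's question is missing. On the ASA the interface ACL filters only through-the-box traffic, so it never needs (and never sees) an entry for the ASA's own TACACS+ exchange with the ACS; what the interface ACL does decide is which flows can leave the inside network at all, which is how unauthenticated ping is stopped. The `aaa authentication match` form shown here cannot be mixed with `include`/`exclude` in the same configuration, so pick one style. All addresses, ACL names, the key `cisco` and the DMZ web server at 172.16.1.10 are assumptions for this example. One further caveat a practitioner will hit: per-user ACLs on the ASA are pushed via RADIUS, not TACACS+, so the router-style "download the ACL over TACACS" flow Sebastan describes does not carry over as-is.

```cisco
! Assumed topology (not from the thread):
!   inside  10.10.10.0/24   user hosts and the ACS at 10.10.10.10
!   dmz     172.16.1.0/24   web server at 172.16.1.10
! All names, addresses and the key "cisco" are placeholders.

! AAA server group: TACACS+ on the ACS, reached through the inside interface.
! The ASA originates this traffic itself, so no interface ACL entry is needed
! for it; interface ACLs apply to through-the-box traffic only.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.10.10.10
 key cisco

! 1) Interface ACL: what the inside network may initiate at all.
!    DNS is allowed with no prompt (same purpose as the exclude line in the
!    reply above). HTTP/HTTPS to the DMZ web server is allowed and will be
!    authenticated in step 2. Everything else, ICMP echo included, falls to
!    the implicit deny, so an unauthenticated ping to the DMZ is dropped here.
access-list INSIDE_IN extended permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.10 eq www
access-list INSIDE_IN extended permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.10 eq https
access-group INSIDE_IN in interface inside

! 2) Trigger ACL: which of the permitted flows demand a login.
!    "permit" entries trigger authentication; "deny" entries exempt traffic.
!    Only Telnet, SSH, FTP, HTTP and HTTPS can present a prompt, so list
!    those; DNS is simply left out of this ACL instead of being "excluded".
access-list AUTH_WEB extended permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.10 eq www
access-list AUTH_WEB extended permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.10 eq https
aaa authentication match AUTH_WEB inside TACACS

! Serve the browser login form over HTTPS so the TACACS+ username and
! password are not sent to the ASA in clear text.
aaa authentication secure-http-client

! 3) Optional: per-connection authorization and accounting on the ACS for
!    the same flows (reusing the trigger ACL; split it if they must differ).
aaa authorization match AUTH_WEB inside TACACS
aaa accounting match AUTH_WEB inside TACACS

! Authenticated users are cached per source address; bound that cache so a
! shared or hijacked host does not keep another user's session alive.
timeout uauth 0:05:00 absolute uauth 0:02:00 inactivity

! Verification:
!   show uauth            lists currently authenticated users and timers
!   clear uauth           forces re-authentication on the next connection
!   show aaa-server TACACS  confirms the ACS is reachable and not marked failed
```

Test from an inside host in this order: a ping to 172.16.1.10 should fail immediately (blocked by INSIDE_IN, never authenticated), a DNS lookup should succeed with no prompt, and a browser request to http://172.16.1.10/ should be redirected to the HTTPS login form; after a successful login, `show uauth` shows the host's address and the remaining timers.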



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:50 ART