Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

Hi,
We are trying to set up the ASA to do cut-through authentication proxy, and use ISE as the RADIUS server. We can successfully authenticate the user against RADIUS on the ASA when he opens a web page, but then it displays the error: authorization denied.
What we want:
ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
Can someone please help me with a step-by-step guide for the ISE configuration to allocate SGTs/SGACLs for the user session after authentication is completed?
Thanks
Lovleen

Please refer to the step-by-step configuration guide below for security group access policies:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

Similar Messages

  • Cisco ASA 8.3 ldap AAA server setup Microsoft active directory fails

    Hello,
    I'm trying to set up LDAP authentication for remote SSL VPN users like the picture below:
    When I try the test button and enter any username and password, I get the message "Authentication Rejected: User was not found".
    Why??? Please help, I'm running out of options here... Many many thanks in advance.

    Use the login DN in the following format:
    admin-user-name@domain_name, and let me know how it goes.
    If the above suggestion doesn't work, then please run "debug ldap 255" and paste the output here.
    Rgds,  Jatin
    Do rate helpful posts-

  • Cut-through/direct authentication connection being denied

    I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
    Here's what I've got:
    aaa authentication match authmatch outside LOCAL
    aaa authentication listener http outside port 5555
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
    static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
    I can connect to the web page and authenticate successfully.
    6 Aug 21 2012 06:00:33 222.222.222.146 0 222.222.222.146 0 Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
    But, when I try to RDP in on 3391, it's not hitting the authmatch access list. It's hitting the outside_access_in access list and it's denied by the default deny.
    4 Aug 21 2012 06:04:26 222.222.222.146 50414 111.111.111.162 3391 Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
    Why won't it hit the correct access-list?
    Thanks,
    - Marc

    Hello Marc,
    What Karthik is telling you is the following:
    - The cut-through proxy adds additional control over the connections across your firewall by using the ASA as a proxy, but you still need to allow the traffic in the proper ACLs on the interfaces of your ASA.
    So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course only the authenticated users will successfully connect.
    Regards,
    Remember to rate all the helpful posts
    Julio
    CCSP
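    The two log lines Marc posted are the whole story: a 109005 "Authentication succeeded" for the client, followed by a 106023 deny from the interface ACL for the same source. The script below is an added example, not code from the thread or from Cisco; it correlates constructed syslog lines modelled on those two messages, separates denies from hosts that had already passed cut-through authentication from denies from hosts that never authenticated, and prints the interface-ACL permit that Julio describes for the former. The sample addresses and user names are constructed.

```python
import re

# Constructed sample lines, modelled on the two ASA syslog messages quoted in
# the thread: 109005 (authentication succeeded) and 106023 (ACL deny).
SAMPLE_LOG = """\
%ASA-6-109005: Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
%ASA-4-106023: Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-109005: Authentication succeeded for user 'USER2' from 198.51.100.7/0 to 198.51.100.7/0 on interface outside
"""

AUTH_OK = re.compile(
    r"%ASA-6-109005: Authentication succeeded for user '(?P<user>[^']+)' "
    r"from (?P<src>[0-9.]+)/\d+ to [0-9.]+/\d+ on interface (?P<iface>\S+)"
)
ACL_DENY = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<siface>\w+):(?P<src>[0-9.]+)/\d+ "
    r'dst (?P<diface>\w+):(?P<dst>[0-9.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def correlate(log_text):
    """Walk the log in order and split ACL denies into those from hosts that
    had already passed cut-through authentication and those that had not.
    Returns {"after_auth": [...], "unauthenticated": [...]}; each entry is the
    parsed deny message, with the user name added for authenticated hosts."""
    authenticated = {}            # source IP -> user name seen in a 109005 message
    after_auth, unauthenticated = [], []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authenticated[m["src"]] = m["user"]
            continue
        m = ACL_DENY.search(line)
        if not m:
            continue
        hit = dict(m.groupdict())
        if hit["src"] in authenticated:
            hit["user"] = authenticated[hit["src"]]
            after_auth.append(hit)
        else:
            unauthenticated.append(hit)
    return {"after_auth": after_auth, "unauthenticated": unauthenticated}


def permit_line(hit):
    """The interface-ACL entry that would let the denied flow reach the
    cut-through proxy. The proxy still enforces authentication on it; the
    ACL only stops the packet from being dropped before the proxy sees it."""
    return (f"access-list {hit['acl']} extended permit {hit['proto']} any "
            f"host {hit['dst']} eq {hit['dport']}")


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for hit in result["after_auth"]:
        print(f"{hit['user']}@{hit['src']} authenticated but was denied by "
              f"{hit['acl']} -> missing entry: {permit_line(hit)}")
    print(f"{len(result['unauthenticated'])} deny(s) from hosts that never authenticated")
```

    Denies from hosts that never authenticated are the ACL doing its job and need no change; only the "authenticated but denied" group points at a missing permit, which is the symptom Marc describes.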

  • Cisco ASA using Multiple DNS Names

    Hi,
    I am trying to set up a Cisco ASA for SSL VPN; however, due to load balancing/traffic redirection performed by a different device, I was wondering if it may be possible to perform a certificate signing request/obtain a certificate that covers multiple addresses. An example would be:
    IP: 1.1.1.1, fqdn: vpn1.asa.com
    IP: 1.1.1.2, fqdn: vpn2.asa.com
    IP: 1.1.1.3 fqdn: vpn3.asa.com 
    Not too sure how to perform the CSR for it on the ASA. Do I create the CSR with a single cn=vpn1.asa.com and ask the CA vendor to sign it off with SANs of vpn2.asa.com and vpn3.asa.com?
    Clients performing SSL VPN on vpn1.asa.com, vpn2.asa.com or vpn3.asa.com should not be prompted with a certificate warning.
    Thanks.

    Hi,
    Appreciate the input. For the setup, the different FQDNs are used due to different authentications/locations/etc. I have further illustrated the setup using the same interface for VPN access:
    vpn3.asa.com (Extranet Vendor Access) ----------------+
                                                          |
    vpn1.asa.com (External branch offices) ------------- ASA ------------- Internal authentication servers
                                                          |
    vpn2.asa.com (HQ/Corporate Users) --------------------+
    Not too sure about the creation of the CSR with a single cn=vpn1.asa.com, asking the CA vendor to sign it off with SANs of vpn2.asa.com and vpn3.asa.com as well as vpn1.asa.com?
    Thanks.

  • Which clients are using my Sun One server for authentication?

    We use Sun One ver. 5.2.
    Our LDAP clients use it for authentication.
    How can I list which clients recently used the Sun One server to authenticate?
    The reason I need that is because I want to upgrade the Sun One server and I want to notify the clients that I'm about to do it.
    Thanks.

    https://www.redhat.com/archives/fedora-directory-users/2005-September/msg00010.html
    Useful script to extract LDAP based user posixGroup memberships information
    ===
    Assuming you are using posixGroup objectclass and memberUid attribute to
    store your membership information, you may find my shell script useful
    and handy.
    It works on Solaris LDAP Client with "ldapaddent" and "ldaplist"
    commands, and works against FDS, SUN DS or OpenLDAP.
    ===
    Gary
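    The script Gary links to answers a different question (group memberships). An added example that is not from the thread or from the linked script: the directory server's own access log records each client connection with its address, the BIND it issued and the RESULT of that bind, so the clients that recently authenticated can be listed from it. The sample log below is constructed; it assumes the conn=/op= record layout of Sun DS / Fedora DS access logs, where a bind result carries tag=97 and err=0 on success. Anonymous binds (empty DN) and failed binds are skipped, and only results after the given cut-off date are counted.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access-log excerpt. Addresses (RFC 5737 range) and DNs are made up;
# the record layout is the Sun DS / Fedora DS one (assumption).
SAMPLE_ACCESS_LOG = """\
[01/Aug/2005:09:00:00 -0400] conn=7 fd=50 slot=50 connection from 192.0.2.99 to 192.0.2.1
[01/Aug/2005:09:00:00 -0400] conn=7 op=0 BIND dn="uid=old,ou=People,dc=example,dc=com" method=128 version=3
[01/Aug/2005:09:00:00 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Sep/2005:10:12:01 -0400] conn=42 fd=68 slot=68 connection from 192.0.2.10 to 192.0.2.1
[20/Sep/2005:10:12:01 -0400] conn=42 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[20/Sep/2005:10:12:01 -0400] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,ou=people,dc=example,dc=com"
[20/Sep/2005:10:12:02 -0400] conn=42 op=1 UNBIND
[20/Sep/2005:10:12:02 -0400] conn=42 op=1 fd=68 closed - U1
[20/Sep/2005:10:13:30 -0400] conn=43 fd=69 slot=69 connection from 192.0.2.11 to 192.0.2.1
[20/Sep/2005:10:13:30 -0400] conn=43 op=0 BIND dn="" method=128 version=3
[20/Sep/2005:10:13:30 -0400] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Sep/2005:10:14:00 -0400] conn=44 fd=70 slot=70 connection from 192.0.2.12 to 192.0.2.1
[20/Sep/2005:10:14:00 -0400] conn=44 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[20/Sep/2005:10:14:00 -0400] conn=44 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

TS = r"\[(?P<ts>[^\]]+)\]"
CONNECT = re.compile(TS + r" conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<ip>[0-9.]+) to ")
BIND = re.compile(TS + r' conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(TS + r" conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97")

# Cut-off used by the demo: only binds on or after this instant are "recent".
SINCE = datetime(2005, 9, 1, tzinfo=timezone.utc)


def parse_ts(text):
    """Access-log timestamps look like 20/Sep/2005:10:12:01 -0400."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def authenticating_clients(log_text, since):
    """Map client IP -> sorted list of DNs that bound successfully since `since`.
    Connection ids are correlated in log order, so a conn number reused after a
    server restart is simply re-associated with its new client address."""
    conn_ip = {}                      # conn id -> client address
    pending = {}                      # (conn, op) -> DN of a bind awaiting its RESULT
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = CONNECT.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = BIND.match(line)
        if m:
            if m["dn"]:               # empty DN is an anonymous bind: no credential checked
                pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT.match(line)
        if m:
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn is None or m["err"] != "0":    # not a bind, or bind failed
                continue
            if parse_ts(m["ts"]) < since:
                continue
            ip = conn_ip.get(m["conn"])
            if ip:
                clients[ip].add(dn)
    return {ip: sorted(dns) for ip, dns in clients.items()}


if __name__ == "__main__":
    for ip, dns in sorted(authenticating_clients(SAMPLE_ACCESS_LOG, SINCE).items()):
        print(ip, ", ".join(dns))
```

    Run against the real access log (and its rotated predecessors) with `since` set to the notification window, the output is the list of client hosts to contact before the upgrade.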

  • After 10.9.2 update, https doesn't load web pages through an authenticated proxy

    Hi all,
    Recently I updated my MacBook Pro with the 10.9.2 update. The laptop is connected to the company's network with Wi-Fi. The proxy was set up correctly to reach the internet. After restarting with this new update, I noticed I couldn't open any web pages with HTTPS. Every browser (Safari, Chrome and Firefox) shows that the web page is loading... but nothing happens... Page status stays pending.
    I got the confirmation from the admin that no change has been recorded on the network configuration. I tested with another MacBook Pro on Lion with my credentials and it did work. Also I double checked by connecting my iphone to the wifi and using the proxy. It worked properly. I could visit any HTTPS websites.
    Do you have any idea about the root of this issue and what can I do to fix it?
    Thanks
    Nic

    For some mysterious reason Sophos Antivirus blocked all HTTPS requests. I uninstalled it and now it's cruising pretty well.
    The next step is to install it again and set it up properly to make it work with the proxy.

  • Cisco Smart Call Connector / Advanced Client / Server for UC500

    Would like to hear from Cisco:
    Is there still development in progress on Cisco Smart Call Connector, the advanced client, server and operator involving compatibility and support for Windows 8 / Outlook 2013 / and IE 10 32 and 64 bit ?
    Please vote this up if interested !

    jeliasoncisco wrote: Hello. I have a growing practice selling UC500 and would like to know this too. Cisco, please keep selling and developing this. Thanks a million!
    Check forums here or talk to your Channel Account Manager.
    Cisco doesn't care for the UC500 anymore and will not continue selling it for much longer.

  • Is it possible to use a 10.9 server for authentication to apple clients without providing a network home?

    We are testing 10.9 server with two 10.9 clients. We would like to get away from Network Homes completely, but still provide authentication from our servers. All user homes need to be on the local workstations. So far we have had no success. Test user accounts that we have created with homes on the 10.9 server log in fine. However, user accounts that we have created with no homes get the infamous shake. I haven't been able to find anything in the log files on the server that indicates what the problem might be. I'm thinking this setup may not even be possible.
    ddh

    Firstly not only is this more than possible but it really should be easy.
    Let's pretend the local account on one of your workstations is 'dwayne' and has a password to match. You'd create a user account using the Server App with the same credentials (username and password). On configured shares, add that user account to the share as an ACL (not a POSIX user), apply the desired permissions and propagate.
    Alternatively create an account that is not related to the dwayne local account in any way. Let's call it 'user' instead with a password to match. You use that instead to connect to the server.
    Treat every other user in the same way.
    By connect I mean "Connect to Server" from the Go Menu. When using the Go Menu you can either use the server's IP address (eg: 172.16.16.254) or its FQDN (assuming DNS is set up correctly) or even its Bonjour name (eg: server.local).
    It really makes no difference whether you create a user with a network home or for services only. It's all about how you connect to the Server. If you've gone for networked homes you could bind client workstations to the server if you wish (although there's no real requirement for you to do so) and, providing the required network elements are in place and functioning correctly (we're mostly talking about DNS here), users with networked accounts will be able to log in and access their home folders on any workstation that's been bound to the Mac server. But you could just as easily not bind client workstations and use the same account details to access properly configured server shares (and additionally the user's network home folder) by selecting "Connect to Server" from the Go Menu instead.

  • Mac Adobe Flash Player not supporting Web Proxy Authentication

    Anyone else got an enterprise network where you use web proxies with web authentication and no traffic allowed out except through the proxies?
    You may need to be in the UK for this, but try accessing BBC iPlayer content - http://www.bbc.co.uk/iplayer - and you should discover that the content won't play. The error says "This content doesn't seem to be working. Try again later.". The content will never work as the Mac version of Flash (currently 10.1.53.64) is not able to respond to web proxy authentication requests. The BBC use various streaming servers which are randomly selected when a user starts a stream, and they have no DNS names, just IP addresses. They don't publish a list for security reasons, so it is almost impossible to exempt all their servers from authentication.
    I've logged a bug with Adobe. If you have this issue too, please add a comment and vote so that they can begin to grasp the impact of this problem:
    https://bugs.adobe.com/jira/browse/FP-5161

    I have the same issue in Australia trying to access Flash content from the ABC website. The strange thing is the content will play if you leave the browser open for 5 min.
    After several packet captures we identified that it has to do with the amount of time it takes the Mac to time out from the proxy before it plays the video content.
    No solution yet.

  • Safari crashes when logging into websites behind authenticated proxy

    Hi,
    After the most recent automatic updates, Safari has now taken to crashing whenever I try to log in to sites like Gmail or Hotmail. This only occurs at my home, where I access the internet through an authenticated proxy (Unix-based using Squid), but at college I have no problems logging in. Since the crash reporter also can't get past the authenticated proxy, I can't submit the report that way. So,
    (a) does anyone else have this problem? (There is at least one other person using a new macbook on the same network as me, and he's having this problem)
    (b) if no one has a solution, can I submit the crash report some other way so that Apple can fix this?
    Thanks,
    Russell
    PS. I tried Authoxy the other morning but couldn't get it to work. It wasn't authenticating and so couldn't access the internet. But I have a simple pac file that works fine for Safari. Of course, iTunes and similar programs are a dead loss. So a more general improvement in my proxy situation would also be appreciated.

    Hi Russ
    Welcome to Apple Discussions
    Have a look here.

  • Automatic tunnel group selection through radius on Cisco ASA

    Hi all. I am trying to let the Cisco ASA automatically select a tunnel group for users after the user enters a username and password, without the user selecting a connection profile on the login page. Authentication is ASA <> ACS 5.3 <> MS AD. How can I do this? The RADIUS attribute class=group_policy doesn't work.
    Maybe someone has experience with this?

    You can't select a tunnel-group from RADIUS. But you can assign the right group-policy to your user with the class attribute. For that you need to have different group-policies configured on your ASA. Alternatively, instead of assigning the group-policy, you can assign the individual parameters like IP, VPN-filter and so on.
    Sent from Cisco Technical Support iPad App

  • Cisco ASA 5505 VPN Routing/Networking Question

    I have a very basic question about Cisco ASA 5505 IPsec site-to-site VPNs. I want to install a Cisco ASA 5505 at a data center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
    Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the data center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the data center? I can see accomplishing this if every single device at the data center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices at the data center, allowing it to decide where the traffic should go.
    What am I missing? Is the solution to try to map branch office IPs to IP addresses within the data center's LAN subnet so that all of the traffic is on the same subnet?

    You can do it in several different ways.
    One way is to tell the server that if it has traffic to network X then it needs to go to the ASA; all other traffic is to head for the default gateway.
    In Windows this is done via the route command.
    Do not forget to make it "persistent", otherwise the route will disappear when you reboot the server.
    In Unix/Linux it is also the route command.
    Or you can tell your "default gateway" to route that network to the ASA.
    Good luck
    HTH

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got a Cisco ASA 5505 device (version 9.0(2)). And I cannot connect S2S with Azure (the Azure network is always in the "connecting" state). In my Cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all the Cisco S2S configuration via the standard wizard because it seems your script is for the 8.x version of ASA only?
    (Does Azure support the 9.x version of ASA?)
    How can I fix it?

    Hi,
    As of now, we do not have any scripts for the Cisco ASA 9.x series.
    Thank you for your interest in Windows Azure. Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to set up a site-to-site VPN with a Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the status message appeared.
    According to the Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>
    Based on my experience, to establish an IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not compatible with dynamic routing, please make sure that you chose static routing.
    Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • Does Cisco ASA 5500 have a module to increase VPN performance?

    Dear All,
    Do the Cisco ASA 5510 and 5505 have a module to increase VPN performance?
    Best Regards,
    Rechard

    Rechard,
    There is one built into every ASA. If you need better performance because you're limited by engine performance... you most likely need to move up to a bigger model.
    Here is the datasheet for reference:
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    M.

  • Cisco ASA models features

    Hi,
    I am a little confused with the different models of Cisco ASA firewalls. I am trying to understand the real benefit of the next-gen ASA firewalls. I understand the next-gen has visibility up to layer 7, but:
    - With CX, did the previous gen of ASA firewall have the same or similar capability?
    - Is CX removed from the next-gen FW?
    - Is AVC something apart from CX and a new feature in the next-gen FW?
    - What is the real advantage of upgrading to a next-gen FW from older gen ASA firewalls?
    Thanks

    Next Generation Firewall (NGFW) is partly a marketing term. Wikipedia has a definition (as does Gartner and a host of others). Typically it's understood to mean something more than a simple stateful firewall that only looks at packets up to the TCP session level.
    Cisco ASA has had add-on features for years, like IPS modules and the ability to use identities in access-lists, that could arguably be called NGFW. More recently they had the CX module (now approaching End of Sale). It had several NGFW features including AVC, Web Security Essentials (WSE) and IPS.
    The current product lineup includes the FirePOWER modules, with technology acquired from Sourcefire being developed and integrated into the Cisco security portfolio, including ASAs. Those also have AVC (basically the ability to look deep into a flow and determine application-specific (or even "microapplication") information). You leverage that with the addition of IPS, Web filtering and/or Advanced Malware Protection (AMP) licenses on the FirePOWER modules.
    The advantage is that you are able to protect your enterprise from modern-day threats. With the vast majority of malware being exploits from web pages (or at least carried over http/https), the traditional firewall with a rule allowing, say, only http from inside clients does nothing to protect against those threats. Client-side anti-malware software can help, but it may be too late once the malware has been identified.
