ASA Cut Through (Authentication) Proxy for a Single ACL

I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ. I am aware of the cut-through proxy feature, but doesn't that affect all traffic entering the DMZ? Is there a way to only authenticate users accessing one server?

Hi,
Seems to me the easiest way to do this is if you are connecting to the destination server with either a browser- or CLI-based connection.
For example, if it's a browser-based connection then you could configure:
username password privilege
access-list PROXY-AUTH extended permit tcp any host eq http
access-list PROXY-AUTH extended permit tcp any host eq https
access-list PROXY-AUTH extended deny ip any any
aaa authentication match PROXY-AUTH LAN LOCAL
I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL
Where "LAN" is my interface "nameif" connected to my LAN network.
To my understanding, if you are using some application for this connection that doesn't apply in this situation, then you would have to configure this in another way, and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.
Have a look at this document for some help
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
Hope this helps
- Jouni

Similar Messages

  • Cut-through authentication vs. virtual telnet/http

    Hi,
    I'm having difficulties understanding the meaning of the virtual telnet/http commands on the ASA.
I have configured an ASA and defined an access-list with all the traffic which is to be authenticated. These are protocols like RDP, which can't be intercepted by the ASA, but also HTTP and HTTPS which can indeed be intercepted (this is also referred to as cut-through authentication).
The setup works in principle. Then a few consultants came and checked my config for errors. They also performed a port scan, where they found out that all protected services (which should only work after authenticating) were answered by the ASA (a TCP session was started), so an attacker would know what potential services are behind the firewall.
The customer (and I) disliked this behaviour, and I thought this could be solved by using the virtual http feature: define a separate IP address, to which you can connect via HTTPS and authenticate, after which you can reach all other services.
Can this be done with this feature? My test results showed just the behaviour that you can authenticate at the virtual http address, but the cut-through authentication is still active, so that's not the solution.
    To be honest, I even believe that the virtual telnet/http feature is completely useless! Why? Because to make it work, you have to
1) allow the IP on the inbound ACL
2) add the IP in the ACL where the authenticated traffic is defined
    3) configure a NAT for this ip to be routed inside
    I don't really see a practical reason for this command - Thanks for your thought...
    Florian

    Hi Florian / Jeff
I agree largely with what you are saying and have found similar issues with it. If you are already authenticating to a web service, the additional config of a virtual http service seems unnecessary.
But I think one instance where virtual telnet is useful is if you have services such as RDP etc. that you need to authenticate but you don't have a web server or telnet server to authenticate against.
Without virtual telnet I'm not sure how you could set up access to these services, so you would need virtual telnet in this case.
Where I find the command particularly useless is that I want to authenticate people accessing, for example, terminal servers on a particular subnet. This subnet is also running web servers.
Now say I want to do this via http authentication. I'm trying to authenticate them because I don't know their IP addresses. So I enter an authentication command for http, but now everyone who wants to use http has to authenticate and not just people who are going to be using terminal services.
    Regards

  • How to use Axis to access a web service through an authentication proxy

    Using Axis to access an internet web service is successful, but accessing a web service through an authentication proxy fails. Other Java classes connecting through a proxy to the internet work very well:
    Please help me, thank you!!!
    [code]
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import javax.xml.namespace.QName;

    // this is my failing web service access code
    public class TestClient {
        public static void main(String[] args) {
            try {
                // proxy settings handed to the JVM as system properties
                System.getProperties().setProperty("http.proxySet", "true");
                System.getProperties().setProperty("http.proxyHost", "proxy.com");
                System.getProperties().setProperty("http.proxyPort", "8080");
                System.getProperties().setProperty("http.proxyUser", "username");
                System.getProperties().setProperty("http.proxyPassword", "password");
                String endpoint = "http://nagoya.apache.org:5049/axis/services/echo";
                Service service = new Service();
                Call call = (Call) service.createCall();
                call.setTargetEndpointAddress(new java.net.URL(endpoint));
                call.setOperationName(new QName("http://soapinterop.org/", "echoString"));
                String ret = (String) call.invoke(new Object[] { "Hello!" });
                System.out.println("Sent 'Hello!', got '" + ret + "'");
            } catch (Exception e) {
                System.err.println(e.toString());
            }
        }
    }
    [/code]
    I get an "(407) Proxy authorization required" error?

    I am also looking for a solution. Does anyone know how to do this through code instead of JVM settings?
    Thanks in advance!

  • ASA - cut through proxy authentication for RDP?

    I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
    OUTSIDE to INSIDE RDP is currently working.
    I have 2 servers I want RDP open for..
    [*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
    [*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
    What's required for OUTSIDE users to authenticate on the ASA before port 3389 is opened? What I was hoping for is a way to SSH into this ASA, log in with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?
    Here is my current config.
    [code]
    ASA Version 8.2(5)
    hostname ASA5505
    names
    name 10.10.0.0 LANTraffic
    name 10.10.30.0 SALES
    name 10.10.40.0 FoodServices
    name 10.10.99.0 Management
    name 10.10.20.0 Office
    name 10.10.80.0 Printshop
    name 10.10.60.0 Regional
    name 10.10.70.0 Servers
    name 10.10.50.0 ShoreTel
    name 10.10.100.0 Surveillance
    name 10.10.90.0 Wireless
    interface Ethernet0/0
    description TO INTERNET
    switchport access vlan 11
    interface Ethernet0/1
    description TO INSIDE 3560X
    switchport access vlan 10
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    security-level 50
    no ip address
    interface Vlan10
    description Cisco 3560x
    nameif INSIDE
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Vlan11
    description Internet Interface
    nameif OUTSIDE
    security-level 0
    ip address 1.1.1.1 255.255.255.224
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 4.2.2.2
    domain-name test.local
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging device-id hostname
    logging host INSIDE 10.10.70.100
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip verify reverse-path interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 LANTraffic 255.255.0.0
    static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
    static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
    access-group RDP-INBOUND in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Management 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.10.70.100 255.255.255.255 INSIDE
    ssh Management 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username scott password CNjeKgq88PLZXETE encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
    : end
    [/code]

    You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).
    There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

  • ASA cut through proxy with RADIUS challenge response?

    Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
    Want to do cut through proxy with challenge response - same ASA and same RADIUS server but using the aaa authentication match command, and this is what happens...
    It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
    What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
    Date: 15/11/2010
    Time: 3:53:57 PM
    Type: Information
    Source: Server
    Category: RADIUS
    Code: I-006001
    Description: A RADIUS Access-Request has been received.
    AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
    Details:
    Source Location : 10.xx.21.24
    Client Location : 10.xx.21.230:1025
    Request ID : 31
    Password Protocol : PAP
    Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
    Action : Process
    What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
    Date: 17/11/2010
    Time: 2:29:31 PM
    Type: Warning
    Source: Server
    Category: RADIUS
    Code: W-006001
    Description: An invalid RADIUS packet has been received.
    AMID: 0xC19D988F83365F20151C3F6339DEC74B
    Details:
    Source Location : 10.xx.21.24:1812 (Authentication)
    Client Location : 10.xx.21.230:1025
    Reason : The sub-protocol of the received RADIUS packet cannot be determined
    Request ID : 33
    Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
    Request Type : Access-Request
    Thanks in advance
    IB

    Hi Ian,
    sorry for the late reaction - do you still need help with this?
    The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
    So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
    aaa-server () host
    no mschapv2-capable
    Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
    Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
    hth
    Herbert
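    Added example (not from this thread): a Python decoder for the raw RADIUS packet quoted in the failing case above. It parses the RFC 2865 header and the type/length/value attributes, renders the Cisco vendor-specific attribute, and reports which credential-bearing attribute (User-Password for PAP, CHAP-Password, EAP-Message, or the Microsoft VSA for MS-CHAP/MS-CHAPv2) a request carries. The FAILING_HEX constant is the "Input Details" value from the post with the 0x prefix dropped; PAP_REQUEST is constructed for contrast, and its password field is zero bytes rather than a real obfuscated password. On the failing dump the decoder shows User-Name, NAS-IP-Address, NAS-Port, NAS-Port-Type, the Cisco AV pair and Calling-Station-Id, and password_protocol() finds none of the credential attributes, which is the datapoint to hold next to the server's "sub-protocol cannot be determined" warning.

```python
"""Decode a raw RADIUS packet (RFC 2865 framing) attribute by attribute.
Added example for reading dumps like the 'Input Details' hex quoted above."""
import struct
from typing import List, Optional, Tuple

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 26: "Vendor-Specific", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 79: "EAP-Message"}
VENDOR_CISCO, VENDOR_MICROSOFT = 9, 311
TEXT_ATTRS, INT_ATTRS, IPV4_ATTRS = {1, 31}, {5, 61}, {4}


def _tlvs(data: bytes):
    """Yield (type, value) from a run of type/length/value attributes; length includes the 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def decode_value(atype: int, value: bytes):
    if atype in TEXT_ATTRS:
        return value.decode("ascii")
    if atype in INT_ATTRS:
        return struct.unpack("!I", value)[0]
    if atype in IPV4_ATTRS:
        return ".".join(str(b) for b in value)
    if atype == 26:  # Vendor-Specific: 4-byte vendor id, then vendor TLVs (Cisco AV pairs are text)
        vendor = struct.unpack("!I", value[:4])[0]
        subs = [(t, v.decode("ascii") if vendor == VENDOR_CISCO else v.hex()) for t, v in _tlvs(value[4:])]
        return {"vendor": vendor, "attributes": subs}
    return value.hex()


def parse_radius(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes received")
    attrs = [(ATTR_NAMES.get(t, f"Attr-{t}"), decode_value(t, v)) for t, v in _tlvs(packet[20:length])]
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20].hex(), "attributes": attrs}


def password_protocol(packet: bytes) -> Optional[str]:
    """Name the password protocol from the attribute that carries the credential, or None if there is none."""
    for atype, value in _tlvs(packet[20:]):
        if atype == 2:
            return "PAP"
        if atype == 3:
            return "CHAP"
        if atype == 79:
            return "EAP"
        if atype == 26 and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
            for stype, _ in _tlvs(value[4:]):
                if stype in (1, 25):  # MS-CHAP-Response / MS-CHAP2-Response
                    return "MS-CHAPv2" if stype == 25 else "MS-CHAP"
    return None


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Frame attributes into a RADIUS packet (used only to construct the contrasting PAP example)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# The failing cut-through proxy request from the post (0x prefix dropped), split at field boundaries
FAILING_HEX = ("01210066" "055A8B6881266714BDB20380B9FE5FAC"  # code/id/length; authenticator
               "010669623335" "04060AC815E6" "050600000020" "3D0600000005"  # User-Name, NAS-IP, NAS-Port, NAS-Port-Type
               "1A2000000009011A" "69703A736F757263652D69703D31302E34302E352E313131"  # Cisco VSA (AV pair)
               "1F1A" "69703A736F757263652D69703D31302E34302E352E313131")  # Calling-Station-Id
FAILING_REQUEST = bytes.fromhex(FAILING_HEX)
# Constructed PAP request for contrast: a real User-Password carries the MD5-obfuscated password, zeros stand in here
PAP_REQUEST = build_packet(1, 31, bytes(16), [(1, b"xxxx"), (2, bytes(16))])

if __name__ == "__main__":
    for name, value in parse_radius(FAILING_REQUEST)["attributes"]:
        print(f"{name}: {value}")
    print("password protocol:", password_protocol(FAILING_REQUEST), "/", password_protocol(PAP_REQUEST))
```

    Run as a script it prints the six attributes of the failing request and then "password protocol: None / PAP". The parser rejects packets whose length field disagrees with the bytes received or whose attribute lengths run past the end, which is also the first thing to check when a server reports an invalid packet.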

  • ASA - Cut-through proxy problem

    I have to configure my ASA 7.2.2 for cut-through proxy, but when the users use the authentication prompt, but only for (http://1.1.0.2/netaccess/connstatus.html), the ASA sends the following message:
    User Authentication
    User Authentication is not required.
    Help me.
    It is OK when one uses cut-through proxy by ACL:
    access-list ACL_INT extended permit tcp object-group PC-UAUTH_DYN host MVINCT19 eq www
    access-list ACL_AUTH line 1 extended permit tcp host poste_auvinet host MVINCT19 eq www
    aaa-server auth_inside protocol radius
    aaa-server auth_inside host SVR-ACS-IN
    key xxx
    username admin password xxx privilege 15
    aaa authentication match ACL_AUTH inside auth_inside
    aaa authentication listener http inside port www
    On a PIX 525 it is OK.

    Hi,
    The config looks good. Please remember that successful authentication is cached (show uauth) and until it expires the user will not need to authenticate again.
    Please clear uauth and see if it helps.
    Regards,
    Vivek

  • ASA Cut through proxy configuration

    Hi guys,
    I would like to configure limited internet access to only a select group of Windows AD users.
    I believe cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510.
    thanks

    The link given will definitely work; however, you would not be able to select access based on the AD group. If that is what you need to achieve and you have ASA version 8.0, you can work Cut-Through-Proxy together with DAP.
    Using Cut-Through-Proxy with a standard authentication server will only allow or reject depending on the authentication result, but any user within your AD schema will be able to get internet access. If you need to restrict this based on Windows Groups as well, your best shot is Cut-Through-Proxy with DAP and LDAP:
    http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

  • Authenticated proxy for cert revocation check

    Hi guys,
    Since upgrading to Java 7u25, Web Start will do a certificate revocation check at startup. Problem is, it seems to be ignoring the proxy authentication settings (I have it set up to use browser settings; tried switching to manual but there's no way to specify a username and password!) and it's locking my account because it tries to access the proxy without credentials. Even stranger, it seems to pass the revocation check eventually... so it seems it's only ignoring it long enough to fire a few failed login attempts. Any ideas how to get around this?

    Hi,
    Please try the following method.
    Certificate revocation checked failed:
    http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx
    Wendy Liu
    TechNet Community Support

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to set up the ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from RADIUS on the ASA while he opens a web page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step-by-step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to the step-by-step config guide below for security group access policies:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • ASA: Smart Tunnel and proxy problem

    Hello
    I am having a problem that some of my external users that have a proxy set up on their end can't use the smart tunnel.
    They get a proxy warning when they click on a bookmark.
    If I skip using Smart Tunnel the user can't start the Citrix app and gets a corrupted ICA file.
    Is it a common problem, and if so is there a solution?
    KR
    Daniel

    Hi Daniel,
    "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
    You can get more information from the following link:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
    HTH!!
    Regards,
    Naresh

  • IOS 4.3 - Authenticated Proxy + Wireless issues

    Okay, I can see a lot of similar titled posts, but none quite have the same issues as we are facing here, so I decided to create a post of my own.
    What we have is an 802.1X (AD/RADIUS) wireless network configured (on the iDevices) as a "WPA2 Enterprise" network and using a self-signed certificate. Once configured we also specify an authenticated proxy for the connection. Now, we've supported iDevices here for quite some time without too many issues (aside from the other occasional issue with updated phones, etc). We have everything on our network from "iPhone OS 3.1.2" through iPads with "iOS 4.3" and have been very successful in supporting these devices in the past... until v4.3.
    With the new update, we have devices that worked perfectly before (and have been correctly configured) now asking for a username and password when browsing in Safari. We have devices that, on entering the correct information, give us messages such as "Incorrect username or password" or "Unable to join the network <name>". The same devices worked perfectly with iOS 4.2.1 installed. We've tried;
    a) Forgetting the networks and setting them up again.
    b) Changing the user's password and setting things up again.
    c) Resetting network connections and trying again.
    d) Resetting the entire phone and trying again.
    But to no avail. If you can get wireless configured without either of the above errors messages, it will simply fail to work with the proxy server and cause issues in Safari, etc.
    This is immensely frustrating. We've had to put out a notice to all users to NOT update to v4.3 until this is resolved... which is not cool.
    Interestingly, we also had a 3G rock up to the helpdesk today. It had iOS 4.2.1 installed (the latest available for that model, apparently) and it was exhibiting the same sort of behaviour (and is the only non-4.3 device to do so).
    Any thoughts. Do we just need to wait until iOS 4.3.1 to get this fixed (like last time)?

    So, I updated a couple of iPads and a few more iPhones yesterday and today. Around 50% success rate - which is weird. Tried the hard-off, reset network, forget network type stuff again, and no joy. Here's an interesting thing though;
    a) We can now tap on the SSID and it figures out that it's an enterprise network. Saves choosing the options after tapping the "Other" setting. This also appears to improve the success of accepting the certificate as well. Neat. This didn't used to work.
    b) Although the setup looks good, and Exchange just works... we were STILL getting an authentication box in Safari and things were not working correctly. As a test we entered credentials (using email address format - which also appears more successful) and it didn't appear to fix anything, or so we thought. On entering the auth details in Safari, the page that requested it stayed 75% loaded and didn't look to be working. On closing that window and trying others like "Apple", etc, it appears to work.
    I have done this on all the devices that failed and so far so good. So, forget your current network, set up the new enterprise wireless by tapping on the SSID (don't configure using "Other"), enter credentials as email addresses, and authenticate in Safari when you are asked the first time. Reload the page and test.
    While this shouldn't make any difference (and is similar to what we tested in v4.3.0), it appears to work for us at the moment.

  • Pass-through authentication failing

    The environment:
    Server A: Windows Server 2008 R2 / IIS 7
    Server B: Windows Server 2003 R2
    Domain Controller: Windows Server 2003 R2
    Both server A and B are part of the same domain.
    The issue:
    We have files stored on server B that are being shared as \\B\Files. We want to have a virtual directory/application in IIS on server A to make those files available in a web browser, but we want access to be controlled by NTFS permissions, and access granted to the user accessing the website by pass-through authentication (challenged for user and password by the browser).
    We have set up an application pool, and have set its identity to a user that has read NTFS permissions to \\B\Files. We then set up an Application and set its application pool to the one mentioned above, and have pointed its physical location to \\B\Files. In the advanced settings, we set the physical path credentials to Application user (pass-through authentication).
    In the authentication settings for the application, we disabled all but Windows Authentication, and in the providers, we have removed everything but NTLM, which is the one we want.
    When we test it (https://serverb.com/Files), however, we are challenged (user/password prompt comes up) as expected, but despite what we put in, the prompt comes back, as if the user/password was wrong, or as if the user did not have enough permissions to access the files. We checked permissions and that's not it. And we have also checked the domain controller to see if the request is getting there, and it is, which means that it is authenticating properly. We can only assume there is a communication problem, or restriction somewhere.
    We are not sure where else to look, and any ideas would be greatly appreciated.
    Thank you

    On Wed, 5 Feb 2014 17:48:47 +0000, ucis wrote:
    We are not sure where else to look, and any ideas would be greatly appreciated.
    Since this is really an IIS question you should post to the official IIS forums:
    http://forums.iis.net
    Paul Adare - FIM CM MVP
    It used to be said [...] that AIX looks like one space alien discovered Unix, and described it to another different space alien who then implemented AIX. But their universal translators were broken and they'd had to gesture a lot. -- Paul Tomblin

  • Telnet Authentication Proxy

    Hi,
    For telnet ip authentication proxy, is it true that the router only sends username and password to Radius servers? Not the ip source address of the initiated host. So how does source ip of initiated host get added to the downloaded acl from the Radius server? The router adds it?
    Thanks.

    The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
    Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
    Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
    http://www.cisco.com/en/US/products/products_security_advisory09186a00805117cb.shtml

  • Cut-through/direct authentication connection being denied

    I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
    Here's what I've got:
    aaa authentication match authmatch outside LOCAL
    aaa authentication listener http outside port 5555
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
    static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
    I can connect to the web page and authenticate successfully.
    6 Aug 21 2012 06:00:33 222.222.222.146 0 222.222.222.146 0 Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
    But, when I try to RDP in on 3391, it's not hitting the authmatch access list.   It's hitting the outside_access_in access list and it's denied by the default deny.
    4 Aug 21 2012 06:04:26 222.222.222.146 50414 111.111.111.162 3391 Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
    Why won't it hit the correct access-list?
    Thanks,
    - Marc

    Hello Marc,
    What Karthik is telling you is the following:
    - The cut-through proxy adds additional control regarding the connections across your firewall, this by using the ASA as a proxy, but you still need to allow the traffic on the proper ACLs on the interfaces of your ASA.
    So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course only the authenticated users will successfully connect.
    Regards,
    Remember to rate all the helpful posts
    Julio
    CCSP
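    Added example (not from either thread): a Python checker for the two questions this page keeps returning to, which traffic a cut-through proxy match ACL actually challenges (the first question on the page, restricting authentication to a single server) and whether the interface ACL also permits that traffic (Julio's point above). It parses access-list, aaa authentication match, aaa authentication listener and access-group lines in ASA syntax, reports the destinations each authentication ACL covers, and flags any challenged destination that the interface's access-group ACL does not permit, since the interface ACL is evaluated first and a deny there drops the connection before the proxy sees it. The listener port is skipped because it terminates on the ASA itself. The sample configuration is constructed from Marc's lines, with an interface ACL that only publishes a made-up HTTPS service; the checker is deliberately simplified (no object-groups, no ordering or deny shadowing) and is not an ASA tool.

```python
"""Cross-check an ASA cut-through proxy configuration (added example, not an ASA tool).
1. scope: which destinations each 'aaa authentication match' ACL challenges; 'any' means
   every connection on that interface is challenged, not just one server.
2. reachability: every challenged destination must also be permitted by the ACL bound to
   the interface with 'access-group', which is evaluated before the proxy applies.
Simplifications: no object-groups, no port ranges, no ordering or deny shadowing."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords as the ASA prints them for the services seen on this page
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}

@dataclass(frozen=True)
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    src: str             # "any" or a host address
    dst: str             # "any" or a host address
    port: Optional[int]  # destination port from 'eq', None when absent

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line \d+ )?(?:extended )?(?P<action>permit|deny) "
    r"(?P<proto>tcp|udp|ip) (?P<src>any|host \S+) (?P<dst>any|host \S+)"
    r"(?: eq (?P<port>\S+))?$")
MATCH_RE = re.compile(r"^aaa authentication match (?P<acl>\S+) (?P<iface>\S+) (?P<server>\S+)$")
LISTENER_RE = re.compile(r"^aaa authentication listener https? (?P<iface>\S+) port (?P<port>\d+)(?: redirect)?$")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")

def _endpoint(tok: str) -> str:
    return "any" if tok == "any" else tok.split()[1]

def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_config(text: str):
    aces: List[Ace] = []
    matches: List[Tuple[str, str, str]] = []  # (acl, interface, aaa server)
    listeners: Dict[str, int] = {}             # interface -> listener port
    groups: Dict[str, str] = {}                # interface -> inbound ACL
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.append(Ace(m["acl"], m["action"], m["proto"],
                            _endpoint(m["src"]), _endpoint(m["dst"]), _port(m["port"])))
        elif m := MATCH_RE.match(line):
            matches.append((m["acl"], m["iface"], m["server"]))
        elif m := LISTENER_RE.match(line):
            listeners[m["iface"]] = int(m["port"])
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["acl"]
    return aces, matches, listeners, groups

def covers(ace: Ace, need: Ace) -> bool:
    """True when a permit entry of the interface ACL admits all traffic the auth entry describes."""
    return (ace.action == "permit"
            and ace.proto in ("ip", need.proto)
            and ace.src in ("any", need.src)
            and ace.dst in ("any", need.dst)
            and (ace.port is None or ace.port == need.port))

def check(text: str) -> Dict[str, object]:
    aces, matches, listeners, groups = parse_config(text)
    scope: Dict[str, List[str]] = {}
    findings: List[str] = []
    for acl, iface, _server in matches:
        need = [a for a in aces if a.acl == acl and a.action == "permit"]
        scope[acl] = [f"{a.dst}:{a.port if a.port is not None else 'any'}" for a in need]
        if any(a.dst == "any" for a in need):
            findings.append(f"{acl} challenges every destination on {iface}, not a single server")
        iface_acl = groups.get(iface)
        iface_aces = [a for a in aces if a.acl == iface_acl]
        for n in need:
            # the listener terminates on the ASA itself; interface ACLs govern through-the-box traffic only
            if n.port is not None and n.port == listeners.get(iface):
                continue
            if not any(covers(a, n) for a in iface_aces):
                findings.append(f"{n.dst}:{n.port} is challenged by {acl} but not permitted by "
                                f"{iface_acl or 'any access-group'} on {iface}")
    return {"scope": scope, "findings": findings}

# Constructed sample modelled on the post above: the auth ACL challenges 3391 and the
# listener port, but the interface ACL only publishes a made-up HTTPS service.
BROKEN = """\
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
access-list outside_access_in extended permit tcp any host 111.111.111.162 eq https
aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-group outside_access_in in interface outside
"""
# The fix Julio describes: the interface ACL must permit the proxied port as well
FIXED = BROKEN + "access-list outside_access_in extended permit tcp any host 111.111.111.162 eq 3391\n"

if __name__ == "__main__":
    print(check(BROKEN)["findings"], check(FIXED)["findings"])
```

    For BROKEN the single finding is that 111.111.111.162:3391 is challenged by authmatch but not permitted by outside_access_in, which is exactly the deny Marc saw in his log; FIXED produces no findings. The scope output for authmatch lists only the one host, which is the configuration the first question on this page asks for: an authentication ACL that names one server rather than "any".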

  • Pix cut-through proxy

    A quick question; since I do not have access to a PIX I cannot confirm it.
    Say I want to do PIX cut-through proxy and authenticate access via TACACS on a per-user basis.
    I want the user to access SMTP inside the PIX, which will go through TACACS authentication.
    My question is: "do I need a statement for http on the access-list?"
    thank you.
    here is the config
    PIX-525# wr t
    PIX Version 6.3(1)
    access-list 100 permit tcp any host 155.1.1.4 eq http
    access-list 100 permit tcp any host 155.1.1.4 eq smtp
    access-list 150 permit tcp any host 155.1.1.4 eq http
    access-list 150 permit tcp any host 155.1.1.4 eq smtp
    access-group 100 in interface outside
    static (inside,outside) 155.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
    aaa-server AUTHEN protocol tacacs
    aaa authentication match 150 outside AUTHEN

    Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html
