ASA - cut through proxy authentication for RDP?

I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
OUTSIDE to INSIDE RDP is currently working.
I have 2 servers I want RDP open for..
[*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
[*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
What's required for OUTSIDE users to authenticate on the ASA before allowing port 3389 opens? I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSISE interface to open 3389 for a designated time limit. Is this possible?
Here is my current config.
[code]
ASA Version 8.2(5)
hostname ASA5505
names
name 10.10.0.0 LANTraffic
name 10.10.30.0 SALES
name 10.10.40.0 FoodServices
name 10.10.99.0 Management
name 10.10.20.0 Office
name 10.10.80.0 Printshop
name 10.10.60.0 Regional
name 10.10.70.0 Servers
name 10.10.50.0 ShoreTel
name 10.10.100.0 Surveillance
name 10.10.90.0 Wireless
interface Ethernet0/0
description TO INTERNET
switchport access vlan 11
interface Ethernet0/1
description TO INSIDE 3560X
switchport access vlan 10
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
security-level 50
no ip address
interface Vlan10
description Cisco 3560x
nameif INSIDE
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Vlan11
description Internet Interface
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.224
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
domain-name test.local
access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging device-id hostname
logging host INSIDE 10.10.70.100
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 LANTraffic 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
access-group RDP-INBOUND in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Management 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.70.100 255.255.255.255 INSIDE
ssh Management 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username scott password CNjeKgq88PLZXETE encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
: end
[/code]

You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).
There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

Similar Messages

ASA cut through proxy with RADIUS challenge response?

Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
Want to do cut through proxy with challenge response - same ASA and same RADUIS server but using aaa authentication match command and this is what happens...
It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
Date: 15/11/2010
Time: 3:53:57 PM
Type: Information
Source: Server
Category: RADIUS
Code: I-006001
Description: A RADIUS Access-Request has been received.
AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
Details:
Source Location : 10.xx.21.24
Client Location : 10.xx.21.230:1025
Request ID : 31
Password Protocol : PAP
Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
Action : Process
What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
Date: 17/11/2010
Time: 2:29:31 PM
Type: Warning
Source: Server
Category: RADIUS
Code: W-006001
Description: An invalid RADIUS packet has been received.
AMID: 0xC19D988F83365F20151C3F6339DEC74B
Details:
Source Location : 10.xx.21.24:1812 (Authentication)
Client Location : 10.xx.21.230:1025
Reason : The sub-protocol of the received RADIUS packet cannot be determined
Request ID : 33
Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
Request Type : Access-Request
Thanks in advance
IB

Hi Ian,
sorry for the late reaction - do you still need help with this?
The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
aaa-server () host
no mschapv2-capable
Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
hth
Herbert

ASA - Cut-through proxy probleme

I have to configure my ASA 7.2.2 for cut-through proxy but when the users use authentication prompt ,
but only , for (http://1.1.0.2/netaccess/connstatus.html) the ASA send the following message:
User Authentication
User Authentication is not required.
help me
it is ok when one uses cut-through-proxy by ACL :
access-list ACL_INT extended permit tcp object-group PC-UAUTH_DYN host MVINCT19 eq www
access-list ACL_AUTH line 1 extended permit tcp host poste_auvinet host MVINCT19 eq www
aaa-server auth_inside protocol radius
aaa-server auth_inside host SVR-ACS-IN
key xxx
username admin password xxx privilege 15
aaa authentication match ACL_AUTH inside auth_inside
aaa authentication listener http inside port www
on a pix 525 is OK

Hi,
The config looks good. Please remember that successful authentication is cached (show uauth) and till it expires user will not need to authenticate again.
Please clear uauth and see if it helps.
Regards,
Vivek

ASA Cut through proxy configuration

Hi guys,
I would like to configure limited internet access to olnly a select group of Windows AD users.
I beleive cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510
thanks

The link given will definitely work however you would not be able to select access based on the AD group, if that is what you need to achieve and you have ASA version 8.0 you can work Cut-Through-Proxy together with DAP.
Using Cut-Trough-Proxy with a standard authentication server will only allow or reject depending on the authentication result, but any user within your AD schema will be able to get internet access. If you need to restrict this based o Windows Groups as well your best shot is Cut-Through-Proxy with DAP and LDAP:
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

Hi,
We are trying to setup ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from Radius on the ASA, while he opens a web-page, but then it displays the error: authorization denied.
What we want:
ISE to allocate a security group tag to the user session when he logs in, that tag would carried within out cisco network infrastrucutre to define the access
policy for that user.
Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
Thanks
Lovleen

Please refer to below step by step config guide for security group access policies
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

ASA Cut Through (Authentication) Proxy for a Single ACL

I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ. I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ? Is there a way to only authenticate users accessing one server?

Hi,
Seems to me the easiest way to do this is you are connecting to the destination server with either Browser or CLI based connection.
For example if its a browser based connection then you could configure
username password privilege
access-list PROXY-AUTH extended permit tcp any host eq http
access-list PROXY-AUTH extended permit tcp any host eq https
access-list PROXY-AUTH extended deny ip any any
aaa authentication match PROXY-AUTH LAN LOCAL
I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL
Where "LAN" is my interface "nameif" connect to my LAN network.
To my understanding if you are using some application for this connection that doesnt apply in this situation then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.
Have a look at this document for some help
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
Hope this helps
- Jouni

Cut-through/direct authentication connection being denied

I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
Here's what I've got:
aaa authentication match authmatch outside LOCAL
aaa authentication listener http outside port 5555
access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
I can connect to the web page and authenticate successfully.
6          Aug 21 2012          06:00:33                    222.222.222.146          0 222.222.222.146          0          Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
But, when I try to RDP in on 3391, it's not hitting the authmatch access list.   It's hitting the outside_access_in access list and it's denied by the default deny.
4          Aug 21 2012          06:04:26 222.222.222.146          50414 111.111.111.162          3391          Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
Why won't it hit the correct access-list?
Thanks,
- Marc

Hello Marc,
What Karthik is telling you is the following:
-The cut through proxy adds additional control regarding the connections across your firewall, this by using the ASA as a proxy but you still need to allow the traffic on the proper ACL's on the interfaces of your ASA.
So just create an ACL entry into the outside acl permiting traffic to port 3391, of course only the users authenticated will succesfully connect
Regards,
Remember to rate all the helpful posts
Julio
CCSP

Pix cut-through proxy

a quick question since I do not have access to a pix I can not confirm it
say, I want to do pix cut-through proxy and authenticate access via tacacs on per user basis.
I want the user to access smtp user inside the pix will go through tacacs authentication.
my question is "do I need a statement for http on the access-list ?"
thank you.
here is the config
PIX-525# wr t
PIX Version 6.3(1)
access-list 100 permit tcp any host 155.1.1.4 eq http
access-list 100 permit tcp any host 155.1.1.4 eq smtp
access-list 150 permit tcp any host 155.1.1.4 eq http
access-list 150 permit tcp any host 155.1.1.4 eq smtp
access-group 100 in interface outside
static (inside,outside) 155.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
aaa-server AUTHEN protocol tacacs
aaa authentication match 150 outside AUTHEN

Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

Strange problem with cut-through proxy

hi
i have configured cut- through proxy on the router with acs.i am facing a strange problem .
my routers's ethernet 3/0 interface ip add is 10.1.1.1/24 and the acs server is 10.1.1.2/24 and the host ip is 10.1.1.3/24
my routers' e2/0 interface is connected a server running a website .
int e2/0
no shutdown
ip add 20.1.1.1/24
exit
the webserver is running on 20.1.1.2
my router's config
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa authorization exec default group tacacs+
tacacs-server host 10.1.1.2
tacacs-server key cisco
ip http server
ip http authentication aaa
ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
ip auth-proxy name auth http
int e3/0
no shutdown
ip add 10.1.1.1/24
ip access-group 101 in
ip auth-proxy auth
exit
on the acs server in the tacacs+ ios
i have selected auth-proxy in the services for users and groups
i have created a user john with privilege level 15
have selected auth-proxy and custom attributes
proxyacl#1=permit tcp any any priv-lvl=15
i get the auth-proxy login page when the host on 10.1.1.3 is trying to access 20.1.1.2 web site .
after putting the login credentials i get authentication failed
i tried the debug. i see the router is sending the authentication login and password and getting the status from the acs as pass. i also see the auth-proxy triggered. in there i see
AUTH-PROXY PROTOCOL NOT CONFIGURED.
could someone pls help me what could be the problem. i am have tried many times to get this work. but not fortunate enough.
am i missing on any commands on the router or on the acs. i tried doing as the example mentioned in the student guide but still failed. pls help. waiting for some reply.
sebastan

Check out the following link...
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

Hasn't anyone out here worked with cut-through proxy

hasn't enyone out here worked with cut-through proxy with acs. is there no one out here to help me out with cut-through proxy.
sebastan

Hi Sebastan,
For your case, what's the scenario looks like?
Rgds,
AK

Http proxy authentication for JDev 10.1.3

Hi,
I found the http proxy settings in the "tools->preferences->Web Browser and Proxy" but there are no settings for the username and password. Is there some other way that I can add these.
The problem is that whenver JDeveloper wants to do some http stuff it (or something else is doing it) asks me for the proxy user name & password - this happens over and over again. If JDev is doing this then surely it should remember the username & password.
I sometimes get a JDeveloper dialog "waiting for the connection" come up over the proxy auth dialog and I have to cancel the function so I can authenticate, then re-request the function.
I wish I didn't have the proxy authentication but I have no choice in this dev environment. I do get to choose JDeveloper at least.
Regards,
Simon.

Hi,
I get it when I 'check for updates' and I get it again when I 'go to JavaDoc' - and this is the one where the "waiting for connection dialog" pops on top of the proxy log in and I have to cancel it to log in. Then all subsequent 'go to JavaDoc' requests go straight through.
I would prefer it if I could just configure (in proxy preferences) the username and password so it never asks me. I dont care if it less secure storing the password since I think authenticating proxies are a dumb idea anyway. If the password is not supplied then JDev can ask for it like it does now to keep the security-paranoid people happy.
Also, this morning I got this Exception which appeared at the same time I got a proxy auth window. When JDev finally started all my previously open windows were lost. No real problem but unexpected. Here is the stack dump:
java.lang.NullPointerException
     at oracle.jdevimpl.webdav.api.DAVAuthenticator.getPasswordAuthentication(DAVAuthenticator.java:79)
     at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:300)
     at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:267)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:263)
     at sun.net.www.protocol.http.HttpURLConnection.getHttpProxyAuthentication(HttpURLConnection.java:1427)
     at sun.net.www.protocol.http.HttpURLConnection.resetProxyAuthentication(HttpURLConnection.java:1246)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:950)
     at oracle.ide.net.HttpURLFileSystemHelper.exists(HttpURLFileSystemHelper.java:191)
     at oracle.jdevimpl.webdav.net.WebDAVURLFileSystemHelper.exists(WebDAVURLFileSystemHelper.java:423)
     at oracle.ide.net.URLFileSystem.exists(URLFileSystem.java:498)
     at oracle.ideimpl.editor.EditorUtil.getNode(EditorUtil.java:126)
     at oracle.ideimpl.editor.EditorUtil.loadContext(EditorUtil.java:91)
     at oracle.ideimpl.editor.TabGroupState.loadStateInfo(TabGroupState.java:950)
     at oracle.ideimpl.editor.TabGroup.loadLayout(TabGroup.java:1758)
     at oracle.ideimpl.editor.TabGroupXMLLayoutPersistence.loadComponent(TabGroupXMLLayoutPersistence.java:31)
     at oracle.ideimpl.controls.dockLayout.DockLayoutInfoLeaf.loadLayout(DockLayoutInfoLeaf.java:123)
     at oracle.ideimpl.controls.dockLayout.AbstractDockLayoutInfoNode.loadLayout(AbstractDockLayoutInfoNode.java:631)
     at oracle.ideimpl.controls.dockLayout.AbstractDockLayoutInfoNode.loadLayout(AbstractDockLayoutInfoNode.java:628)
     at oracle.ideimpl.controls.dockLayout.AbstractDockLayoutInfoNode.loadLayout(AbstractDockLayoutInfoNode.java:614)
     at oracle.ideimpl.controls.dockLayout.DockLayout.loadLayout(DockLayout.java:302)
     at oracle.ideimpl.controls.dockLayout.DockLayoutPanel.loadLayout(DockLayoutPanel.java:128)
     at oracle.ideimpl.editor.Desktop.loadLayout(Desktop.java:353)
     at oracle.ideimpl.editor.EditorManagerImpl.init(EditorManagerImpl.java:1824)
     at oracle.ide.layout.Layouts.activate(Layouts.java:758)
     at oracle.ide.layout.Layouts.activateLayout(Layouts.java:179)
     at oracle.ideimpl.MainWindowImpl$2.runImpl(MainWindowImpl.java:734)
     at oracle.javatools.util.SwingClosure$1Closure.run(SwingClosure.java:50)
     at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:199)
     at java.awt.EventQueue.dispatchEvent(EventQueue.java:461)
     at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149)
     at java.awt.EventDispatchThread.run(EventDispatchThread.java:110)

Proxy authentication for Internet

I have searched high and low for an answer to this and cant belive nokia havn't included it as part of the firmware.
At work on my laptop I connect via wireless to a access point that then passes my connection to a proxy server.
When I try and access the internet on my phone I get No Gateway Reply
Now my laptop requires I am authenticated on the network
(username, password, domain) before allowing me access to the web/email etc
How do I get these credentials on to my phone??NOKIA 5800 XM)
someone out there must know

I'm afraid you can't. S60 does not support proxy authentication.
Was this post helpful? If so, please click on the white "Kudos!" star below. Thank you!

Proxy authentication for multiple users

Hi, I'm hoping someone can help me out with the following situation.
I need to deploy a number of iPads to students.
An iPad may be used by more than 1 student.
Our network requires authenticating against our proxy server to allow internet access.
I do not want to cache the credentials of a user.
Is there a way to 're-authenticate' access to the proxy?
What is the best way of deploying iPads with multiple users?

Thanks for posting the link. I have seen it, however I did notice some helpful information towards the bottom of the document.
Unfortunately though, I didn't answer my question.
Yes, I want the proxy credentials to be required every time they go on the internet. (Even if it's just Safari, and I can push all other access (apps etc) through a transparent proxy.
Either way, the proxy credentials need to be renewed frequently, as the device may be used by multiple people throughout the day.

Proxy authentication for existing Java application

Hi all,
I'm trying to run Protege - http://protege.stanford.edu - and it needs to fetch some files from the net, so I have to make it pass my company's proxy, which requires authentication.
I tried to add the following options in the .lax file, but got a 407 / proxy auth error
lax.nl.java.option.additional=-Dhttp.proxySet=true
-Dhttp.proxyHost=YOUR_PROXY_HOST -Dhttp.proxyPort=YOUR_PROXY_PORT
-Dhttp.proxyUser=YOUR_PROXY_USER -Dhttp.proxyPassword=YOUR_PROXY_PASSWOR
The only way I found to make an application accept proxy auth is http://www.javaworld.com/javaworld/javatips/jw-javatip42.html but I'll need to hack my application source code, recompile ...
Is there a way to pass such proxy auth parameters to an existing app without changing any line in its source code ? Or a way to create a wrapper around it that will catch HTTP connections to add proxy parameters to it ?
Thanks a lot for any hint !

-Dhttp.proxyUser=YOUR_PROXY_USER
-Dhttp.proxyPassword=YOUR_PROXY_PASSWORAs far as I can tell these two settings seem to be urban myth, or specific to some non-Sun vendor or external package. They do nothing in the JDK.

Authentication for a particular ACL

Hi,
I am trying to implement Authentication for a particular ACL on the ASA, i.e. whenever that particular ACL is matched, the ASA will authenticate the user with either local database or AAA server.
I have seen the document "Configuring AAA for cut-through proxy", but that says it works only for http, https and ftp etc, whereas in my case i m looking to authenticate the users trying to access my sql server, for which i need to match a particular ACL.
regards,
Mohsin

Mohsin,
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1063502
You will have to setup a virtual http, ftp portal so that when users hit the ACL setup for cut-through proxy for the sql ports, that they will have to fire up a telnet, ftp or http session, enter their credentials and then will be permitted access to the sql server.
Give this a shot and let us know if there is anything else that you need help with.
thanks,
Tarik

ASA - cut through proxy authentication for RDP?

Similar Messages

Maybe you are looking for