topic Re: Cut through proxy for servers in DMZ only in Network Access Control

Cut through proxy for servers in DMZ only

ALIAOF_ — Mon, 11 Mar 2019 02:25:37 GMT

I have this working with Microsoft RADIUS server however I only want to restrict access to one server sitting in the DMZ using this method and once users authenticate they can RDP to the server. When I apply all the settings I lose all access other than just to this server. Can this be done for one particular server in DMZ and rest of the traffic to the Internet stays the way it is?

Cut through proxy for servers in DMZ only

Tarik Admani — Tue, 14 Aug 2012 20:27:54 GMT

Mohammad,

What acl are you handing down to the client from the radius server? After the user authenticates can you paste the show access-lists?

Thanks,

Tarik Admani
*Please rate helpful posts*

Cut through proxy for servers in DMZ only

ALIAOF_ — Tue, 14 Aug 2012 20:37:35 GMT

This is what I created on the ASA:

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"

access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023

access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

Then on the RADIUS server I have it like this:

ip:inacl#1=permit tcp any eq 3389 host 10.1.150.22 gt 1023

ip:inacl#2=permit tcp any gt 1023 host 10.1.150.22 eq 3389

ip:inacl#3=permit tcp any host 10.1.200.150 eq www

ip:inacl#4=permit tcp any host 10.1.200.150 eq telnet

Now once I signed in using cut through proxy all I was able to do was RDP to that IP and lost my access to the internet etc. I am trying for rest of the traffic to keep going out the way it is now but this ACL I only want to kick in when some one is trying to access the server in the DMZ.

Re: Cut through proxy for servers in DMZ only

Tarik Admani — Tue, 14 Aug 2012 20:42:56 GMT

With Cut through proxy the per user acl should have taken place, can you paste the show access-lists | inc

Either you can hand down the ACL or you can assign the RDPAuth acl you created using the radius ietf filter attribute. However once you assign this ACL that is all you will have network access too.

Also on your interface access-lists do you have the per-user-override statement configured?

thanks.

Tarik Admani
*Please rate helpful posts*

Cut through proxy for servers in DMZ only

ALIAOF_ — Tue, 14 Aug 2012 21:17:42 GMT

Hi Tarik those dynamic ACL's did get applied I just removed them so that I can access other resources. That whole part is working fine and it is doing what it needs to do and only giving me access to that one server.

But I want this limitation to be applied to the traffic going to the DMZ only not to the internet.

No I do not have the "per-user-override statement configured", what is the purpose of this command?

Cut through proxy for servers in DMZ only

Tarik Admani — Tue, 14 Aug 2012 21:22:58 GMT

Mohammad,

Can you please clarify what you are requesting, you still want access to the DMZ and the internet after you authenticate? Then add another attribute:

ip:inacl#5=permit ip any any

Tarik Admani
*Please rate helpful posts*

Cut through proxy for servers in DMZ only

ALIAOF_ — Tue, 14 Aug 2012 22:37:51 GMT

I only want to use the cut through proxy for access to the DMZ servers, however it seems like that is not possible if I use that then it will also apply to the Internet and access to the other resrouces as well?

Cut through proxy for servers in DMZ only

Tarik Admani — Tue, 14 Aug 2012 22:45:37 GMT

If you want to use cut through proxy then you have to create the authentication match statement in order to match the traffic that you want to block that will trigger cut-through proxy. When you authenticate then the ACL that you hand down to the client is what will determine where they have access to.

Can you please share your configuration, i am curious to see how you have this configured.

Thanks,

Tarik Admani
*Please rate helpful posts*

Cut through proxy for servers in DMZ only

ALIAOF_ — Wed, 15 Aug 2012 15:59:05 GMT

I understand that and I am doing exactly that but like I said it is blocking my access to the internet so looks like I need to configure it so there is "ip any any" statement in there too for rest of the access. What I was hoping to accomplish was only restrict access to the DMZ host not rest of the network.

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"

access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023

access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

Cut through proxy for servers in DMZ only

Tarik Admani — Wed, 15 Aug 2012 16:06:20 GMT

Please post your entire configuration.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Cut through proxy for servers in DMZ only

ALIAOF_ — Wed, 15 Aug 2012 17:46:59 GMT

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"

access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023

access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.1.5.236

key *****

virtual http 10.1.200.150

aaa authentication match RDPAuth inside RADIUS

Re: Cut through proxy for servers in DMZ only

Tarik Admani — Wed, 15 Aug 2012 17:55:40 GMT

Mohammad,

I do not see any cut through proxy configuring present in this configuration. Here is the configuration guide on how to create cut-through proxy:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150203

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Cut through proxy for servers in DMZ only

ALIAOF_ — Thu, 16 Aug 2012 15:58:20 GMT

It is there you wanted the full config so I pasted it. I updated it with just the config related to cut through proxy. And I already have seen that guide. Like I said it is working but it is being applied to all the traffic I just need to know if there is a way to apply it to the traffic to DMZ ONLY.

Re: Cut through proxy for servers in DMZ only

Tarik Admani — Thu, 16 Aug 2012 16:02:29 GMT

Really?

I didnt see any of the authenticaiton match statements in the configuration you posted.

Usually when you add the authentication match statement (that forces authenticaiton for the traffic configured in the ACL).

thanks,

Tarik Admani
*Please rate helpful posts*

Re: Cut through proxy for servers in DMZ only

ALIAOF_ — Thu, 16 Aug 2012 16:24:32 GMT

You are telling me you still don't see it? And previously Authentication match statement was in "bold".

Re: Cut through proxy for servers in DMZ only

Tarik Admani — Thu, 16 Aug 2012 19:03:50 GMT

Sorry about that I tried to look for the entire config again...what is weird I did a grep for authentication but didn't get the match to the statement that is included in the update configuration. I see it now.

Can you post the entire config again so i can take a look one more time.

Based on the ACL that you are using everything should work fine and it should only trigger authentication for traffic destined to those servers.

Did you try adding a deny ip any any (it should be implicit) at the end of this access-list just to see if that helps?

Thanks,

Tarik Admani
*Please rate helpful posts*