https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420104#M307741 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have not had to deal with this that many times myself but I would guess that you can only include this certain traffic for the AAA and exclude all other traffic so that it is not affected by the feature.</P><P></P><P>Will have to see if I have the time to test this at home.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 04 Dec 2013 14:51:38 GMT Jouni Forss 2013-12-04T14:51:38Z https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420103#M307739 <P>I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.&nbsp; I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?&nbsp; Is there a way to only authenticate users accessing one server?</P> Tue, 12 Mar 2019 03:12:41 GMT https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420103#M307739 Michael Lyons 2019-03-12T03:12:41Z https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420104#M307741 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have not had to deal with this that many times myself but I would guess that you can only include this certain traffic for the AAA and exclude all other traffic so that it is not affected by the feature.</P><P></P><P>Will have to see if I have the time to test this at home.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 04 Dec 2013 14:51:38 GMT https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420104#M307741 Jouni Forss 2013-12-04T14:51:38Z https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420105#M307745 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Seems to me the easiest way to do this is you are connecting to the destination server with either Browser or CLI based connection.</P><P></P><P>For example if its a browser based connection then you could configure</P><P></P><P><STRONG>username <USERNAME> password <PASSWORD> privilege <PRIVILEGE level=""></PRIVILEGE></PASSWORD></USERNAME></STRONG></P><P></P><P><STRONG>access-list PROXY-AUTH extended permit tcp any host <DESTINATION host=""> eq http</DESTINATION></STRONG></P><P><STRONG>access-list PROXY-AUTH extended permit tcp any host <DESTINATION host=""> eq https</DESTINATION></STRONG></P><P><STRONG>access-list PROXY-AUTH extended deny ip any any</STRONG></P><P></P><P><STRONG>aaa authentication match PROXY-AUTH LAN LOCAL</STRONG></P><P></P><P>I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL</P><P></P><P>Where <STRONG>"LAN"</STRONG> is my interface <STRONG>"nameif" </STRONG>connect to my LAN network.</P><P></P><P>To my understanding if you are using some application for this connection that doesnt apply in this situation then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.</P><P></P><P>Have a look at this document for some help</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Wed, 04 Dec 2013 16:50:02 GMT https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420105#M307745 Jouni Forss 2013-12-04T16:50:02Z https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420106#M307751 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks very much for your response.&nbsp; That certainly points me in the right direction.&nbsp; I just got dragged into the emergency of the day (nature of our business I suppose), but I'll try this out and let you know how it works out.</P></BODY></HTML> Wed, 04 Dec 2013 18:23:40 GMT https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420106#M307751 Michael Lyons 2013-12-04T18:23:40Z https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420107#M307754 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Just to add:</P><P></P><P>Make sure the connection will be done to HTTP, HTTPS,Telnet or FTP.</P><P></P><P>Otherwise you will need to configure virtual-telnet virtual HTTP or HTTP redirect.</P><P></P><P>I can provide help if any of those is needed.</P><P></P><P>Just let us know and remember to rate all of the helpful posts <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P></P><P>Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Wed, 04 Dec 2013 19:55:42 GMT https://community.cisco.com/t5/network-security/asa-cut-through-authentication-proxy-for-a-single-acl/m-p/2420107#M307754 Julio Carvajal 2013-12-04T19:55:42Z