https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123804#M394453 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can anyone tell me what is needed to achieve above requirement? I mean if ASA alone cannot fulfill the requirement.</P><P></P><P>Regards,</P></BODY></HTML> Sun, 09 Dec 2012 08:35:15 GMT Sirajhussain 2012-12-09T08:35:15Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123798#M394447 <P>Hi,</P><P></P><P>traffic redirects..</P> Tue, 12 Mar 2019 00:34:43 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123798#M394447 Sirajhussain 2019-03-12T00:34:43Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123799#M394448 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Well I'm not exactly sure if this is what you are looking for but you can define on the ASA that when certain users initiate for example a http/https connection that they will have to authenticate with the ASA first either using LOCAL or AAA-SERVER.</P><P></P><P>Initiating a HTTP/HTTPS connection should direct the users connection to ASA which asks for authentication before allowing the connection.</P><P></P><P>I for example tested on my home ASA just now with following configurations (This was just something i configured fast so it might be lacking)</P><P></P><P>Basic Configuration</P><P></P><UL><LI><STRONG>username proxy password test privilege 0</STRONG></LI><LI><STRONG>access-list PROXY-TEST permit tcp host 10.0.0.5 any eq http</STRONG></LI><LI><STRONG>access-list PROXY-TEST permit tcp host 10.0.0.5 any eq https</STRONG></LI><LI><STRONG>aaa authentication match PROXY-TEST LAN LOCAL</STRONG></LI><LI><STRONG>aaa authentication listener http LAN port https redirect</STRONG></LI><LI><STRONG>aaa authentication listener https LAN port https redirect</STRONG></LI></UL><P></P><P>Where</P><UL><LI>LAN = my LAN interface</LI><LI>LOCAL = Refers to the ASAs LOCAL AAA</LI></UL><P></P><P>Additional Commands</P><P></P><UL><LI><STRONG>show uauth</STRONG><UL><LI>Show Authenticated users</LI></UL></LI><LI><STRONG>clear uauth <USERNAME></USERNAME></STRONG><UL><LI>Clear authenticated user (or without username all)</LI></UL></LI><LI><STRONG>timeout uauth xx:xx:xx absolute/inactivity</STRONG><UL><LI>Set the timeout value for authenticated user</LI></UL></LI></UL><P></P><P>If you want to know more about this you should Google for ASA Cut Through Proxy or check the same thing from the Configuration Guide.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Dec 2012 18:47:45 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123799#M394448 Jouni Forss 2012-12-07T18:47:45Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123800#M394449 <HTML><HEAD></HEAD><BODY><P>Also,</P><P></P><P>I think you can modify the Prompts the user gets when attempting the connection</P><P></P><P>There are commands:</P><P></P><UL><LI><STRONG>auth-prompt prompt <TEXT></TEXT></STRONG></LI><LI><STRONG>auth-prompt accept <TEXT></TEXT></STRONG></LI><LI><STRONG>auth-prompt reject <TEXT></TEXT></STRONG></LI></UL><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Dec 2012 19:00:57 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123800#M394449 Jouni Forss 2012-12-07T19:00:57Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123801#M394450 <HTML><HEAD></HEAD><BODY><P>Yes, its the same</P></BODY></HTML> Fri, 07 Dec 2012 19:25:54 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123801#M394450 Sirajhussain 2012-12-07T19:25:54Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123802#M394451 <HTML><HEAD></HEAD><BODY><P>What I posted earlier will only make it so that certain users couldnt access the Internet unless they authenticate with the ASA first.</P><P></P><P>I dont think the ASA alone can do what you are asking with regards to redirecting users to a certain site. It would on the other hand block their connection attempts unless they had username/password needed to pass the authentication</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Dec 2012 19:30:29 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123802#M394451 Jouni Forss 2012-12-07T19:30:29Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123803#M394452 <HTML><HEAD></HEAD><BODY><P>I understand that but thats not i want achieve</P></BODY></HTML> Fri, 07 Dec 2012 20:52:24 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123803#M394452 Sirajhussain 2012-12-07T20:52:24Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123804#M394453 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can anyone tell me what is needed to achieve above requirement? I mean if ASA alone cannot fulfill the requirement.</P><P></P><P>Regards,</P></BODY></HTML> Sun, 09 Dec 2012 08:35:15 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123804#M394453 Sirajhussain 2012-12-09T08:35:15Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123805#M394454 <HTML><HEAD></HEAD><BODY><P>You can redirect http traffic to certain IP address but not url if that solves your problem also?<BR /><BR />1. create network object for those IPs that don't have access to internet:<BR />object network banned-ips<BR /> subnet 1.2.3.0 255.255.255.0<BR /><BR />2. create network object for all ip addresses:<BR />object network internet<BR /> subnet 0.0.0.0 0.0.0.0<BR /><BR />3. create network object for web server<BR />object network web-server<BR /> host 11.22.33.44<BR /><BR />4. create service object for http traffic<BR />object service http-traffic<BR /> service tcp destination eq http<BR /><BR />4. create nat rule to translate http traffic to web server<BR />nat(inside,outside) 10 source static banned-ips interface destination static internet web-server service http-traffic http-traffic<BR /><BR />Hope that solves your problem.<BR /></P></BODY></HTML> Sun, 09 Dec 2012 09:04:21 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123805#M394454 Jernej Vodopivec 2012-12-09T09:04:21Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123806#M394455 <HTML><HEAD></HEAD><BODY><P>Well that command will not accept in current version</P></BODY></HTML> Sun, 09 Dec 2012 12:53:45 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123806#M394455 Sirajhussain 2012-12-09T12:53:45Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123807#M394456 <HTML><HEAD></HEAD><BODY><P>Hi Sirajhusen,</P><P>sorry, I overlooked you're still running pre 8.3 version you mentioned in your first post.</P><P>I would recommend you upgrade to post 8.2 version which offers you much more flexibility when configuring nat rules. And you could also benefit from new features like AD integration, scansafe connector...</P><P>Is this possible in your case?</P></BODY></HTML> Sun, 09 Dec 2012 15:54:36 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123807#M394456 Jernej Vodopivec 2012-12-09T15:54:36Z https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123808#M394457 <HTML><HEAD></HEAD><BODY><P>Thanks Jernej,</P><P></P><P>You mean the pre 8.3 version will not solve the problem, right? This an urgent requirement pls suggest if any other way.</P><P></P><P>I already gone through the below link of pre 8.3 to 8.3 NAT config examples</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-9129">https://supportforums.cisco.com/docs/DOC-9129</A></P><P></P><P>Regards,</P></BODY></HTML> Sun, 09 Dec 2012 16:14:36 GMT https://community.cisco.com/t5/network-security/traffic-redirects/m-p/2123808#M394457 Sirajhussain 2012-12-09T16:14:36Z