https://community.cisco.com/t5/network-security/cut-through-proxy-asa/m-p/1924519#M457635 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've only configured HTTP/HTTPS connection cut through proxy for some virtual ASA FWs that only handle customers own guest networks traffic</P><P></P><P>To my understanding something similiar could be done to FTP in the following way</P><P></P><P></P><P>access-list CUT-THROUGH-PROXY-FTP permit tcp any any eq ftp</P><P></P><P>aaa authentication match CUT-THROUGH-PROXY-FTP <INTERFACE> LOCAL (or AAA servergroup)</INTERFACE></P><P></P><P></P><P>Using "show run timeout" will show what the timeout value for the authenticated user is, for example</P><P></P><P></P><P>ASA# show run timeout</P><P></P><P>timeout xlate 9:00:00</P><P>timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 8:00:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P></P><P>You need to set the "uauth" value to something desirable for your situation</P><P></P><P></P><P>I think the authentication itself works that you give both the ASA LOCAL/SERVER-GROUP and FTP -server username/password in the format</P><P></P><P><ASA-USERNAME>@<FTP-USERNAME></FTP-USERNAME></ASA-USERNAME></P><P><ASA-PASSWORD>@<FTP-PASSWORD></FTP-PASSWORD></ASA-PASSWORD></P><P></P><P>You should be able to find some tips on the ASA configuration manual and command reference applicable to your ASAs software. There might have been some changes in the format between the older software and 8.4 atleast.</P><P></P><P>Hope this helps</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 29 Mar 2012 07:08:04 GMT Jouni Forss 2012-03-29T07:08:04Z https://community.cisco.com/t5/network-security/cut-through-proxy-asa/m-p/1924518#M457632 <P>Hi Guys,</P><P></P><P>Hope someone can help. I want to enable a cut through proxy solution on my firewall, in a way that internal users get authenticated to the firewall and are allowed access.</P><P></P><P>I have users connecting on FTP and i understand ASA is capable of direct FTP auth. In this scenario, internal user will require cuthrough to internet. </P><P></P><P>User --------- int INTF [A S A] ext INTF--------DMZ------- [EXT Firewall]---------------Internet FTP server</P><P></P><P>I want user authenticate to ASA and then allow FTP connection out to the FTP server, please note FTP server has its own authentication [un/pass]</P><P></P><P>Has anyone implemented this sort of design, or what would be the best approach to have this solution implemented.</P><P></P><P></P><P>Appreciate any help</P><P></P><P>Regards</P><P>AP</P> Mon, 11 Mar 2019 22:48:13 GMT https://community.cisco.com/t5/network-security/cut-through-proxy-asa/m-p/1924518#M457632 amar_5664 2019-03-11T22:48:13Z https://community.cisco.com/t5/network-security/cut-through-proxy-asa/m-p/1924519#M457635 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've only configured HTTP/HTTPS connection cut through proxy for some virtual ASA FWs that only handle customers own guest networks traffic</P><P></P><P>To my understanding something similiar could be done to FTP in the following way</P><P></P><P></P><P>access-list CUT-THROUGH-PROXY-FTP permit tcp any any eq ftp</P><P></P><P>aaa authentication match CUT-THROUGH-PROXY-FTP <INTERFACE> LOCAL (or AAA servergroup)</INTERFACE></P><P></P><P></P><P>Using "show run timeout" will show what the timeout value for the authenticated user is, for example</P><P></P><P></P><P>ASA# show run timeout</P><P></P><P>timeout xlate 9:00:00</P><P>timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 8:00:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P></P><P>You need to set the "uauth" value to something desirable for your situation</P><P></P><P></P><P>I think the authentication itself works that you give both the ASA LOCAL/SERVER-GROUP and FTP -server username/password in the format</P><P></P><P><ASA-USERNAME>@<FTP-USERNAME></FTP-USERNAME></ASA-USERNAME></P><P><ASA-PASSWORD>@<FTP-PASSWORD></FTP-PASSWORD></ASA-PASSWORD></P><P></P><P>You should be able to find some tips on the ASA configuration manual and command reference applicable to your ASAs software. There might have been some changes in the format between the older software and 8.4 atleast.</P><P></P><P>Hope this helps</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 29 Mar 2012 07:08:04 GMT https://community.cisco.com/t5/network-security/cut-through-proxy-asa/m-p/1924519#M457635 Jouni Forss 2012-03-29T07:08:04Z