https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730255#M972814 <HTML><HEAD></HEAD><BODY><P>thanks for your reply . but unfortunately i am not looking for that solution . i completely understand the acl required to permit rdp traffic, (as mentioned in the link.)</P><P></P><P>what i need to know is , how to stop unauthorized access from getting across the asa. i want the unauthorized access to rdp to be denied by the acs server.</P><P></P><P>thanks</P><P>kirti.</P><P></P></BODY></HTML> Thu, 26 Jul 2007 16:59:50 GMT kirti_bapat 2007-07-26T16:59:50Z https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730253#M972812 <P>hi all,</P><P></P><P>i am configuring cut-thru proxy on asa.</P><P></P><P>the config guide says that the authorization acl should be a subset of the acl used for authentication.</P><P></P><P>in my scenario i am using telnet to auhenticate the user and i want to authorize traffic from 2.1.1.2 to 1.1.1.2 for http only.</P><P></P><P>my asa config is as follows:</P><P>-------------------------------------</P><P></P><P>aaa-server cisco proto tacacs+</P><P>aaa-server host 1.1.1.2</P><P>key cisco</P><P></P><P>access-l 101 permit tcp host 2.1.1.2 host 1.1.1.2 eq 23</P><P>access-l 102 permit tcp host 2.1.1.2 host 1.1.1.2 eq 80</P><P></P><P>access-group 101 in int outside</P><P></P><P>aaa authentication match 101 outside cisco</P><P>aaa authorization match 102 outside cisco</P><P></P><P>-------------------------------------------</P><P></P><P>with this configuraion on the asa the user gets autheticated successfully , but cannot browse the webpage on 1.1.1.2.</P><P>this happened becoz my acl 101 applied on the outside does not allow http traffic ; and also acl 102 is not a subset of 101.</P><P></P><P>hence i reconfigured 101 as - access-l 101 permit ip host 2.1.1.2 host 1.1.1.2</P><P></P><P>now the user gets autheticated successfully , also the authorization is a PASS and the webpage can be accessed on 1.1.1.2.</P><P></P><P>now if i try to access the remote desktop port of 1.1.1.2 it works successfully. i havent authorized this on the acs , why dont i get authorization failure for traffic destined for rdp on 1.1.1.2 ?</P><P></P><P>on acs for the user cisco , i have configured under the shell command authorization</P><P>---------------------------------</P><P>unmatched ios commands - deny</P><P>command - http</P><P>argument - permit 1.1.1.2</P><P>unlisted arguments - deny</P><P></P><P>please let me know where i am going wrong in the configuration.</P><P></P><P>thanks</P><P>kirti.</P> Mon, 11 Mar 2019 10:47:25 GMT https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730253#M972812 kirti_bapat 2019-03-11T10:47:25Z https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730254#M972813 <HTML><HEAD></HEAD><BODY><P>I think in acl 101 you should only permit for port 80 (default port for http). Following link may help you</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml</A></P></BODY></HTML> Thu, 26 Jul 2007 14:01:37 GMT https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730254#M972813 bwalchez 2007-07-26T14:01:37Z https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730255#M972814 <HTML><HEAD></HEAD><BODY><P>thanks for your reply . but unfortunately i am not looking for that solution . i completely understand the acl required to permit rdp traffic, (as mentioned in the link.)</P><P></P><P>what i need to know is , how to stop unauthorized access from getting across the asa. i want the unauthorized access to rdp to be denied by the acs server.</P><P></P><P>thanks</P><P>kirti.</P><P></P></BODY></HTML> Thu, 26 Jul 2007 16:59:50 GMT https://community.cisco.com/t5/network-security/cut-thru-proxy-on-asa/m-p/730255#M972814 kirti_bapat 2007-07-26T16:59:50Z