Solved: Cut-Through Proxy Not Working with ASA 5520

Vivek Bannore · ‎01-16-2012

Hi,

I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. Following is the configuration -

ciscoasa# sh run

: Saved

:

ASA Version 8.3(1)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

nameif inside

security-level 100

ip address 192.168.50.254 255.255.255.0

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 192.168.100.254 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.200.254 255.255.255.0

management-only

!

boot system disk0:/asa831-k8.bin

ftp mode passive

object network InternalLAN

subnet 192.168.50.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list inside_access_in extended permit tcp object InternalLAN any eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:03:00 absolute uauth 0:02:00 inactivity

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication match inside_access_in inside LOCAL

aaa proxy-limit 128

aaa local authentication attempts max-fail 3

aaa authentication listener http inside port www redirect

http server enable

http server session-timeout 15

http 192.168.200.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

auth-prompt prompt THIS IS A TEST LOGON PAGE

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username test password P4ttSyrm33SV8TYp encrypted

username admin password f3UhLvUj1QsXsuK7 encrypted!!prompt hostname context
<snip>Cryptochecksum:ce425897ddd74c003034d095e4a2c2d9

: end

ciscoasa#

I also use a 3524XL in this setup (default-gateway set to 192

Physical Connections --

Laptop (192.168.50.13/24) ---- 3524XL (Port 1 - Access VLAN 50)

ASA Gi0/2 (Inside) ---- 3524XL (Port 2 - Access VLAN 50)

ASA Gi0/3 (Outside) ---- 3524XL (Port 24 - Access VLAN 100)

From the laptop I can ping the Inside interface and vice-versa.

From the laptop if I browse to an ip address such as http://10.10.10.20 and I would have expected that the ASA will prompt for credentials - no prompts just get the cannot find the server - which is obvious.

From the laptop if I browse to "http://192.168.50.254/netaccess/connstatus.html", I do get the network access webpage but this is the manual process and not very interesting.

I have already gone through the following guides -

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html

https://supportforums.cisco.com/docs/DOC-14695

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

I'm obviously missing a key element here so would really appreciate if someone can point it out.

Thanks

Vivek

Julio Carvajal · ‎01-17-2012

Hello Vivek,

That is correct! I did a lab recreation with your configuration just to test it and it worked perfect!

The next step ( captures) will tell us what is going on....

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎01-17-2012

Hello Vivek,

Please remove the following commands and then put the ones I placed back and give it a try:

no aaa authentication match inside_access_in inside LOCAL
no aaa proxy-limit 128
no aaa local authentication attempts max-fail 3
no aaa authentication listener http inside port www redirect

aaa authentication match inside_access_in inside LOCAL
aaa proxy-limit 128
aaa local authentication attempts max-fail 3


Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

Unfortunately Julio, those commands didn't make any difference.

I also created a host entry on the laptop (61.88.88.88 testsite.com) and then tried browsing to it, still no authentication prompt.

Also, I cannot view the login page when manually browsing to "http://192.168.50.254/netaccess/connstatus.html".

I'm now more inclined towards the switch being the problem since the cut-through proxy commands are not many but very simple commands - can't fault them.

I'll run packet captures and report back.

Julio Carvajal · ‎01-17-2012

Hello Vivek,

That is correct! I did a lab recreation with your configuration just to test it and it worked perfect!

The next step ( captures) will tell us what is going on....

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

okay, so I think I have cracked it.

I changed the gateway address on the laptop to be the ASA Inside interface IP - 192.168.50.254 instead of the 3524XL Switch IP to which the laptop is connected.

Configured - aaa authentication listener http inside port www

Authentication prompt comes up now.

If I configured - aaa authentication listener http inside port www redirect

And browsed to testsite.com, it would redirect to the page to " http://192.168.50.254/netaccess/connstatus.html ".

The switch 3524XL only allows "ip default-gateway" command and contains "ip default-gateway 192.168.50.254". There is no "ip route" command. But then again this should not cause the authentication prompts from not popping up because pings from laptop to asa inside interface works so the default gateway must be working.

Is it possible that cut-through proxy only works when end users are directly connected to the ASA Inside interface ?

In my scenario, just a mere change of gateway IP on the laptop has fixed cut-through proxy.

Julio Carvajal · ‎01-17-2012

Hello Vivek,

No, as long as the host is behind the interface you select on the AAA configuration its okay.

Great to hear that know everything is working as expected.

Please mark the question as answered so future users can check this discussion and learn from your resolution,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

If thats the case then I guess the 3524XL's "ip default-gateway" must have been causing the issues.

Also, I have been told my cisco partner presales that for HTTP/HTTPS cut-though proxy a limit of 16 concurrent authenticating sessions exists and as soon as a user gets authenticated, that session frees up for the next user.

I did see on

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_fwaaa.html#wp1150551 that for HTTPS it is documented however nothing similar has been mentioned for HTTP.

Have you heard the same ?

Also, I did set a proxy-limit as 128 and this command limits the number of concurrent proxy connections allowed per user (min = 16 and max = 128). Can we track this via CLI or ASDM ?

Vivek Bannore · ‎01-17-2012

Hi Julio,

I tried the same setup with a c3750 and the findings are the same.

If the laptop's gateway IP is set to the SVI of that VLAN on Switch - no auth prompt

If the laptop's gateway IP is set to the ASA inside interface - auth prompt comes up

So not really sure whats happening here.

Could you kindly inform me of your lab setup ?

Thanks

Vivek

Julio Carvajal · ‎01-17-2012

Hello Vivek,

I did it with my pc plugged to a layer 2 switch going to an asa with the following configuration:

access-list test extended permit tcp any any eq www

access-list test extended permit tcp any any eq https

aaa authentication match test inside LOCAL

aaa local authentication attempts max-fail 3

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

What gateway IP did you use on your test PC ?

Julio Carvajal · ‎01-17-2012

I used the ASA as the default gateway!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

Seems like it may only work when a direct connection to ASA is available.

When you get a chance try to create an SVI on the L2 switch and see if you change the test pc gateway to be the L2/L3 switch IP, does the authentication prompt comes up or not.

Julio Carvajal · ‎01-17-2012

Hello,

I will test it using a pc on a not directly connected subnet and inform you Vivek.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vivek Bannore · ‎01-17-2012

Thanks Julio, much appreciated.

Vivek Bannore · ‎01-18-2012

Hi Julio,

You don't need to do the test. The issue was with my switch.

I have changed it with another switch and it works now. So the end user certainly doesn't need to be connected directed (logically) for cut through proxy to work.