Proxy behind ASA configuration questions

ryan.coakley93
Level 1

Hello,

I have an ASA sitting in front of a proxy server that directs users to certain internal remote sites. I have successfully set up HTTPS authentication via remote LDAP on the ASA for traffic coming inbound. I can also get to Apache's test page on the proxy server if I have no proxy set up in my browser. However, I cannot access anything after I authenticate when I have the proxy configured in my browser. I can ping from the proxy to my machine and vice versa. I was wondering if there is a configuration setting I am missing that needs to be enabled when a proxy server is in place.

2 Replies

pankaj29in
Level 1

Hi Ryan,

Please share the ASA config, as we cannot say from this where you are going wrong.

Cheers

Pankaj

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
domain-name ciscoasa.xxx.xxx
enable password encrypted
passwd  encrypted
names
name 192.168.127.130 henrytown
!
interface GigabitEthernet0/0
nameif outside
security-level 99
ip address 192.168.12.245 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 10.16.16.4 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ciscoasa.mitre.osis.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service all
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object udp eq www
object-group service tcp tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in extended permit object-group all any host henrytown
access-list inside_authentication extended permit tcp any any
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
ldap-base-dn ou=people
ldap-scope subtree
ldap-naming-attribute uid
aaa authentication ssh console LOCAL
aaa authentication match 12-network_authentication outside ldap
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate
auth-prompt accept Hello!!!
auth-prompt reject Intruder Alert.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 4691cd51
    308201ff 30820168 a0030201 02020446 91cd5130 0d06092a 864886f7 0d010105
    05003044 3111300f 06035504 03130863 6973636f 61736131 2f302d06 092a8648
    86f70d01 09021620 63697363 6f617361 2e636973 636f6173 612e6d69 7472652e
    6f736973 2e676f76 301e170d 31333037 30313132 30363034 5a170d32 33303632
    39313230 3630345a 30443111 300f0603 55040313 08636973 636f6173 61312f30
    2d06092a 864886f7 0d010902 16206369 73636f61 73612e63 6973636f 6173612e
    6d697472 652e6f73 69732e67 6f763081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 8181009a e0c80a44 a5fe7ec7 0eb54cf3 42917d74 721e70fd
    764b8abc 72c7b58d ce8ec3d6 14f84c45 39225e2c 9a0b1664 a2d99b1e 3651a5e2
    99c8b769 eb64549c 37364ee1 5306dc71 116d0f5f cd394ddb 8dec8474 10ff0011
    49ac6f84 770eb5bd 8785f31e aa0810bd 9dbced6c fddf2bdf 249378e3 46657d70
    5e34350b b6f00789 078a4f02 03010001 300d0609 2a864886 f70d0101 05050003
    81810032 66c3eda1 25ace7e3 8bfcccae be9b89b3 a63d96f3 6c910207 44f16d3f
    4625d8b1 342e9baa cb8834e0 650f6ea9 e61c92ff 3356faab 386cfbdb ee6e1424
    b77138e5 d4fdab5e e5487818 2357e4d0 4953ade4 1b2e03cb 1a0d3c80 a0167ce0
    89521b65 8de542aa 53cef75e ea596cd6 7871af52 6b5c7fc4 67a72a3b 230a73c8 1d4b70
  quit
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
username admin password encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
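An added example, not part of the thread and not Cisco tooling or the poster's own script: a small Python lint that reads only the lines of the posted config that the question turns on (interfaces, access-lists, access-groups, "aaa authentication match", global/nat, routes) and reports the points a reviewer would check first. The one ASA rule it encodes is documented cut-through proxy behaviour: the ASA can only prompt for credentials on HTTP, HTTPS, Telnet and FTP flows, so when a not-yet-authenticated browser's first connection goes to a proxy listener on some other port, and that port falls inside the "aaa authentication match" ACL, the flow is dropped rather than prompted until the user has authenticated another way (a virtual http/telnet server or an authentication listener). The proxy port used in the check (3128) is an assumption; the thread never states it. The config excerpt is taken from the posted running-config, and every finding is an observation to confirm on the box (show uauth, show access-list), not a diagnosis.

```python
"""Lint an ASA 8.2 running-config for cut-through proxy trouble when a web
proxy sits behind the firewall (added example, not Cisco or poster code)."""
import ipaddress
import re
from collections import defaultdict

# Ports on which the ASA cut-through proxy can prompt interactively.  A TCP
# flow from a not-yet-authenticated host to any other port covered by the
# 'aaa authentication match' ACL is dropped until the user authenticates
# via one of these, a virtual http/telnet server or an auth listener.
INTERACTIVE_AUTH_PORTS = {"www", "http", "80", "https", "443", "telnet", "23", "ftp", "21"}

IF_SUBCMDS = ("nameif ", "security-level ", "ip address ", "shutdown",
              "no nameif", "no security-level", "no ip address", "management-only")

# Excerpt of the running-config posted in the thread: only the lines read here.
CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 99
 ip address 192.168.12.245 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 10.16.16.4 255.255.255.0
!
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
aaa authentication match 12-network_authentication outside ldap
"""


def parse_config(text):
    """Collect interfaces, ACLs, access-groups, aaa match, global/nat, routes."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "access_groups": {},
           "aaa_match": [], "globals": [], "nats": [], "routes": []}
    current = None  # interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        w = line.split()
        if w[0] == "interface":
            current = {"name": w[1]}
        elif current is not None and line.startswith(IF_SUBCMDS):
            if w[0] == "nameif":
                cfg["interfaces"][w[1]] = current
            elif w[0] == "security-level":
                current["security_level"] = int(w[1])
            elif line.startswith("ip address "):
                current["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        else:
            current = None  # any other command ends the interface block
            if w[0] == "access-list" and len(w) > 3:
                cfg["acls"][w[1]].append(" ".join(w[2:]))
            elif w[0] == "access-group":
                cfg["access_groups"][w[4]] = w[1]          # interface -> ACL
            elif line.startswith("aaa authentication match "):
                cfg["aaa_match"].append(tuple(w[3:6]))     # (ACL, interface, group)
            elif w[0] in ("global", "nat"):
                cfg[w[0] + "s"].append((w[1].strip("()"), w[2]))  # (interface, id)
            elif w[0] == "route":
                cfg["routes"].append((w[1], ipaddress.ip_address(w[4])))
    return cfg


def aaa_match_aces(cfg):
    """(ACL, protocol, ['eq' ports]) for each permit ACE in the aaa match ACLs."""
    for acl, _iface, _group in cfg["aaa_match"]:
        for ace in cfg["acls"].get(acl, []):
            w = ace.split()
            if "permit" in w:
                yield acl, w[w.index("permit") + 1], re.findall(r"\beq (\S+)", ace)


def prompted_or_exempt(cfg, port):
    """True if a fresh client's first TCP connection to `port` is either not
    subject to cut-through auth or gets a credential prompt; False if the ASA
    drops it silently (match ACL covers the port but it is non-interactive)."""
    for _acl, proto, ports in aaa_match_aces(cfg):
        if proto in ("tcp", "ip") and (not ports or str(port) in ports):
            return str(port) in INTERACTIVE_AUTH_PORTS
    return True


def lint(cfg):
    """Finding codes; each is an observation to verify on the box, not a diagnosis."""
    out = []
    ifs = cfg["interfaces"]
    if "outside" in ifs and "inside" in ifs and \
            ifs["outside"]["security_level"] > ifs["inside"]["security_level"]:
        out.append("INVERTED-SECURITY-LEVELS")
    for acl, proto, ports in aaa_match_aces(cfg):
        if proto in ("tcp", "ip") and not ports:
            out.append(f"AAA-MATCH-ALL-PORTS:{acl}")  # also covers the proxy port
        elif any(p not in INTERACTIVE_AUTH_PORTS for p in ports):
            out.append(f"AAA-MATCH-NONINTERACTIVE-PORT:{acl}")
    nat_ids = {nat_id for _iface, nat_id in cfg["nats"]}
    for _iface, nat_id in cfg["globals"]:
        if nat_id not in nat_ids:
            out.append(f"GLOBAL-WITHOUT-NAT:{nat_id}")
    for iface, nexthop in cfg["routes"]:
        if "ip" in ifs.get(iface, {}) and nexthop not in ifs[iface]["ip"].network:
            out.append(f"ROUTE-NEXTHOP-OFF-LINK:{iface}:{nexthop}")
    return out


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("\n".join(lint(cfg)))
    print("proxy:3128 prompted/exempt:", prompted_or_exempt(cfg, 3128))  # 3128 is assumed
```

Run against the excerpt it reports the inverted security levels (outside 99, inside 0), the all-ports TCP match ACL, the global with no matching nat statement, and a default route whose next hop is not on the outside subnet. The proxy-port check is the one that maps to the symptom in the question: with the match ACL covering every TCP port, a browser that opens its first connection to the proxy port gets no prompt, whereas a direct HTTPS request to the Apache test page does.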
