07-05-2013 06:01 AM - edited 03-11-2019 07:07 PM
Hello,
I have an ASA sitting in front of a proxy server that directs users to certain internal remote sites. I have successfully set up HTTPS authentication via remote LDAP on the ASA for traffic coming inbound. I can also get to Apache's test page on the proxy server if I have no proxy set up in my browser. However, I cannot access anything after I authenticate when I have the proxy configured in my browser. I can ping from the proxy to my machine and vice versa. I was wondering if there is a configuration setting I am missing that needs to be enabled when a proxy server is in place.
07-05-2013 06:23 AM
Hi Ryan,
Please share the ASA config, as we cannot tell from this where you are going wrong.
Cheers
Pankaj
07-05-2013 06:36 AM
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
domain-name ciscoasa.xxx.xxx
enable password encrypted
passwd encrypted
names
name 192.168.127.130 henrytown
!
interface GigabitEthernet0/0
 nameif outside
 security-level 99
 ip address 192.168.12.245 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 10.16.16.4 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ciscoasa.mitre.osis.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service all
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object tcp-udp eq www
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq ldap
 service-object tcp eq ldaps
 service-object udp eq www
object-group service tcp tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ldap
 port-object eq ldaps
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in extended permit object-group all any host henrytown
access-list inside_authentication extended permit tcp any any
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
 ldap-base-dn ou=people
 ldap-scope subtree
 ldap-naming-attribute uid
aaa authentication ssh console LOCAL
aaa authentication match 12-network_authentication outside ldap
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate
auth-prompt accept Hello!!!
auth-prompt reject Intruder Alert.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 4691cd51
    308201ff 30820168 a0030201 02020446 91cd5130 0d06092a 864886f7 0d010105
    05003044 3111300f 06035504 03130863 6973636f 61736131 2f302d06 092a8648
    86f70d01 09021620 63697363 6f617361 2e636973 636f6173 612e6d69 7472652e
    6f736973 2e676f76 301e170d 31333037 30313132 30363034 5a170d32 33303632
    39313230 3630345a 30443111 300f0603 55040313 08636973 636f6173 61312f30
    2d06092a 864886f7 0d010902 16206369 73636f61 73612e63 6973636f 6173612e
    6d697472 652e6f73 69732e67 6f763081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 8181009a e0c80a44 a5fe7ec7 0eb54cf3 42917d74 721e70fd
    764b8abc 72c7b58d ce8ec3d6 14f84c45 39225e2c 9a0b1664 a2d99b1e 3651a5e2
    99c8b769 eb64549c 37364ee1 5306dc71 116d0f5f cd394ddb 8dec8474 10ff0011
    49ac6f84 770eb5bd 8785f31e aa0810bd 9dbced6c fddf2bdf 249378e3 46657d70
    5e34350b b6f00789 078a4f02 03010001 300d0609 2a864886 f70d0101 05050003
    81810032 66c3eda1 25ace7e3 8bfcccae be9b89b3 a63d96f3 6c910207 44f16d3f
    4625d8b1 342e9baa cb8834e0 650f6ea9 e61c92ff 3356faab 386cfbdb ee6e1424
    b77138e5 d4fdab5e e5487818 2357e4d0 4953ade4 1b2e03cb 1a0d3c80 a0167ce0
    89521b65 8de542aa 53cef75e ea596cd6 7871af52 6b5c7fc4 67a72a3b 230a73c8 1d4b70
  quit
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
username admin password encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
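An added example, not part of Ryan's or Pankaj's posts and not an answer to the question: a small Python script that pulls the pieces of an ASA 8.x running-config that decide how cut-through proxy authentication applies (interface security levels, access-group bindings, the "aaa authentication match" rule and the AAA server group) and prints plain observations about them. SAMPLE_CONFIG is a constructed excerpt of the config posted above; the parser, the finding codes and the messages are my own, and the ACL parser handles only the syntax visible on this page (a plain protocol or an object-group, any/host/network addresses, an optional source-port operator).

```python
"""Added example, not from the thread: parse the parts of a Cisco ASA 8.x running-config
that govern cut-through proxy authentication and report plain observations about them.
SAMPLE_CONFIG is a constructed excerpt of the configuration posted above."""
from collections import namedtuple

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 99
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
!
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
aaa authentication match 12-network_authentication outside ldap
"""
AclEntry = namedtuple("AclEntry", "action proto src dst")
IF_SUBCMDS = ("nameif", "security-level", "ip", "shutdown", "no", "management-only")

def _addr(tok, i):                # any | host A | A MASK  ->  (text, index after it)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1] + " 255.255.255.255", i + 2
    return tok[i] + " " + tok[i + 1], i + 2

def parse_acl(tok):
    """access-list NAME extended ACTION (PROTO | object-group G) SRC [op PORT] DST ..."""
    i = 6 if tok[4] == "object-group" else 5
    proto = " ".join(tok[4:i])
    src, i = _addr(tok, i)
    if tok[i] in ("eq", "neq", "lt", "gt"):   # optional source-port operator
        i += 2
    dst, _ = _addr(tok, i)
    return tok[1], AclEntry(tok[3], proto, src, dst)

def parse_config(text):
    cfg = {"interfaces": {}, "acls": {}, "access_groups": [], "auth_matches": [], "aaa_servers": {}}
    cur_if = cur_srv = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":                          # blank line or block separator
            cur_if = None
            continue
        if tok[0] == "interface":
            cur_if = cfg["interfaces"].setdefault(tok[1], {})
            continue
        if cur_if is not None and tok[0] in IF_SUBCMDS:       # interface sub-commands
            if tok[0] == "nameif":
                cur_if["nameif"] = tok[1]
            elif tok[0] == "security-level":
                cur_if["security_level"] = int(tok[1])
            continue
        if tok[0] == "access-list" and len(tok) >= 7 and tok[2] == "extended":
            name, entry = parse_acl(tok)
            cfg["acls"].setdefault(name, []).append(entry)
        elif tok[0] == "access-group":                        # access-group ACL in|out interface NAMEIF
            cfg["access_groups"].append((tok[1], tok[2], tok[4]))
        elif tok[:3] == ["aaa", "authentication", "match"]:   # ... match ACL NAMEIF SERVER-GROUP
            cfg["auth_matches"].append((tok[3], tok[4], tok[5]))
        elif tok[0] == "aaa-server":
            srv = cfg["aaa_servers"].setdefault(tok[1], {"protocol": None, "hosts": [], "ldap_ssl": False})
            if tok[2] == "protocol":
                srv["protocol"] = tok[3]
            elif tok[3] == "host":                            # aaa-server GROUP (NAMEIF) host IP
                srv["hosts"].append((tok[2].strip("()"), tok[4]))
                cur_srv = srv
        elif tok[:2] == ["ldap-over-ssl", "enable"] and cur_srv is not None:
            cur_srv["ldap_ssl"] = True                        # sub-command of the last aaa-server host
    return cfg

def audit(cfg):
    out = []
    lvl = {v["nameif"]: v.get("security_level", -1) for v in cfg["interfaces"].values() if "nameif" in v}
    # higher security-level is the trusted side on an ASA, so 'outside' above 'inside' means swapped levels
    if "outside" in lvl and "inside" in lvl and lvl["outside"] > lvl["inside"]:
        out.append(("SEC-LEVEL-INVERTED", f"outside={lvl['outside']} outranks inside={lvl['inside']}"))
    for acl, nameif, group in cfg["auth_matches"]:
        flows = "; ".join(f"{e.proto} {e.src} -> {e.dst}" for e in cfg["acls"].get(acl, []))
        # the ASA prompts only for HTTP, HTTPS, FTP and Telnet; other matched protocols need a prior uauth entry
        out.append(("AUTH-INTERACTIVE-ONLY", f"{nameif}: '{group}' login required for [{flows}]; "
                    "other protocols pass only with an existing uauth entry for the source IP"))
    for group, srv in cfg["aaa_servers"].items():
        if srv["protocol"] == "ldap" and not srv["ldap_ssl"]:
            hosts = ", ".join(f"{ip} via {ifc}" for ifc, ip in srv["hosts"])
            out.append(("LDAP-CLEARTEXT", f"aaa-server {group} ({hosts}) lacks 'ldap-over-ssl enable'; "
                        "binds and user passwords cross that interface unencrypted"))
    return out

if __name__ == "__main__":
    print(*audit(parse_config(SAMPLE_CONFIG)), sep="\n")
```

Run against the posted config it reports three things that are simply what the config says: "outside" (99) outranks "inside" (0), the 12-network_authentication rule demands an LDAP login for every TCP flow arriving on outside for 10.16.16.0/24 although the ASA can only present a login prompt for HTTP, HTTPS, FTP and Telnet, and the ldap server group has no "ldap-over-ssl enable", so the bind and the user's password travel to 192.168.12.101 in cleartext. Whether any of that explains the proxy symptom is for the thread to work out; the script only surfaces the facts a reviewer would check first.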