12-16-2011 05:39 AM - edited 03-10-2019 06:38 PM
I have an ASA 5510 on the outside with a Remote Access VPN. The user will need to get from the 5510, then go through an ASA 5540, then out to the subnet where they will be doing their work. I have a Cisco ACS version 5.2 that sits on a separate VLAN off of the 5540. I can authenticate users with Radius on the 5510 VPN and use DACLs from the ACS with no problems. However, the DACL only gets downloaded to the 5510 (as expected) and I need it to also download to the 5540. Is there a way to do this? I understand this could mean multiple authentications needed somehow.
Right now when I authenticate, the DACL shows up fine in the 5510, but I get blocked from the devices I need to get to because it of course is not getting added to the 5540 as well. Any help is appreciated. Thanks,
Here's the basic topology I have:
remote client
|
|
(outside--internet--VPN)
5510
(vlan X)
|
|
(vlan X)
5540-------------(vlan Y)ACS
(vlan Z)
|
|
devices being accessed
12-16-2011 11:17 AM
Jason,
You can have your clients authenticate to the 5510 through the VPN connection that you specified; for the dACL to work on the second ASA you will have to set up cut-through proxy. You can set up an ACL that matches any interesting traffic and they will be presented with a second authentication window where they can log in and receive another dACL to let them through.
This is the guide you are looking for the second ASA:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150203
Thanks,
Tarik Admani
12-16-2011 11:37 AM
Thanks for the reply.
So if I understand correctly, I'll first set up a 2nd Radius between my 5540 and the ACS. Second I'll set up an AAA rule that says if an address from the specific VPN pool on the 5510 hits the selected interface on the 5540, then the 5540 will provide a prompt for them to authenticate a second time and if it is successful, the DACL will download to the 5540 as well?
It makes sense to work this way. Do I understand correctly?
12-16-2011 11:45 AM
What you will have to do on the second ASA is set up an ACL that inspects the "interesting" traffic. In your case it will be the devices; keep in mind that if they are not using http, ftp, telnet and https, if you are blocking other ports then you will have to have the users authenticate directly to the ASA.
So yes, after the clients VPN into the network the second ASA will also have to hit a radius server to get another dACL.
Let me know if that clears it up for you.
Tarik Admani
12-16-2011 11:52 AM
The remote clients will of course use the Cisco VPN client to connect, and that works fine with ACS. After that, they'll be trying to get to the devices over a proprietary port, not http, ftp, telnet, or https. So are you saying the authentication will have to be directly from the ASA or can it still work with the ACS? Sorry if I'm missing something here. Thanks.
12-16-2011 12:25 PM
If this is a proprietary port you will have to authenticate directly to the ASA, and here is an example of how to configure this.
1. Start with an acl to match the authentication traffic to the ASA (access-list
2. Configure authentication to the ASA - aaa authentication match
3. Configure authorization for DACL - aaa authorization match
4. Configure your listener - aaa authentication listener http
5. Configure your dacl and radius server configuration on the ASA, ip of radius server, shared secret...etc
Then have your clients, after they authenticate via vpn, hit the following url:
http://asaip:xxxx/connstatus/netaccess.html
Once you get there you will see the authentication page and then login, the dACL from the radius should come down.
Then have your clients connect to the proprietary ports.
Thanks,
Tarik Admani
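The five steps above, written out as a constructed ASA configuration fragment for the inner 5540 (this is an added example, not configuration posted in the thread). All names and addresses are assumptions: VPN pool 10.10.10.0/24, protected devices 10.20.20.0/24 on TCP port 7000, ACS at 10.30.30.5 reachable via interface "acs", VPN users arriving on interface "vpnside". The ACS must also have the 5540 defined as a RADIUS client with the same shared secret.

```cisco
! Constructed example of cut-through proxy on the inner ASA (5540), not from the thread.
! All addresses, interface names and the port are assumed placeholders.
!
! Step 5: RADIUS server group pointing at the ACS (the dACL is returned by the ACS
! as a RADIUS attribute once the user authenticates here)
aaa-server ACS protocol radius
aaa-server ACS (acs) host 10.30.30.5
 key <shared-secret>
!
! Step 1: traffic that must be authenticated before it is forwarded:
! VPN pool -> protected devices on the proprietary port
access-list CUTTHRU extended permit tcp 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0 eq 7000
!
! Step 2: require authentication for sessions matching the ACL on the interface
! the VPN users arrive on, using the ACS server group
aaa authentication match CUTTHRU vpnside ACS
!
! Step 3: request per-user authorization (the downloadable ACL) from the ACS
aaa authorization match CUTTHRU vpnside ACS
!
! Step 4: direct HTTP authentication listener. Because the proprietary port cannot
! carry a login prompt, users browse to this port on the ASA first, log in, and the
! dACL is then applied to their source address.
aaa authentication listener http vpnside port 8080
```

After the dACL is applied, `show uauth` on the 5540 lists the authenticated user and source address, which is the quickest way to confirm the cut-through session exists before testing the proprietary port.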