cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2449
Views
0
Helpful
15
Replies

Cut through proxy for servers in DMZ only

ALIAOF_
Level 6
Level 6

I have this working with Microsoft RADIUS server however I only want to  restrict access to one server sitting in the DMZ using this method and  once users authenticate they can RDP to the server.  When I apply all  the settings I lose all access other than just to this server.  Can this  be done for one particular server in DMZ and rest of the traffic to the  Internet stays the way it is?

15 Replies 15

Tarik Admani
VIP Alumni
VIP Alumni

Mohammad,

What acl are you handing down to the client from the radius server? After the user authenticates can you paste the show access-lists?

Thanks,

Tarik Admani
*Please rate helpful posts*

This is what I created on the ASA:

access-list RDPAuth   remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp   any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp   any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp   any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp   any host 10.1.200.150 eq telnet

Then on the RADIUS server I have it like this:

ip:inacl#1=permit tcp   any eq 3389 host 10.1.150.22 gt 1023

ip:inacl#2=permit tcp   any gt 1023 host 10.1.150.22 eq 3389

ip:inacl#3=permit tcp   any host 10.1.200.150 eq www

ip:inacl#4=permit tcp   any host 10.1.200.150 eq telnet

Now once I signed in using cut through proxy all I was able to do was RDP to that IP and lost my access to the internet etc.  I am trying for rest of the traffic to keep going out the way it is now but this ACL I only want to kick in when some one is trying to access the server in the DMZ.

With Cut through proxy the per user acl should have taken place, can you paste the show access-lists | inc

Either you can hand down the ACL or you can assign the RDPAuth acl you created using the radius ietf filter attribute. However once you assign this ACL that is all you will have network access too.

Also on your interface access-lists do you have the per-user-override statement configured?

thanks.

Tarik Admani
*Please rate helpful posts*

Hi Tarik those dynamic ACL's did get applied I just removed them so that I can access other resources.  That whole part is working fine and it is doing what it needs to do and only giving me access to that one server.

But I want this limitation to be applied to the traffic going to the DMZ only not to the internet.

No I do not have the "per-user-override statement configured", what is the purpose of this command?

Mohammad,

Can you please clarify what you are requesting, you still want access to the DMZ and the internet after you authenticate? Then add another attribute:

ip:inacl#5=permit ip any any

Tarik Admani
*Please rate helpful posts*

I only want to use the cut through proxy for access to the DMZ servers, however it seems like that is not possible if I use that then it will also apply to the Internet and access to the other resrouces as well?

If you want to use cut through proxy then you have to create the authentication match statement in order to match the traffic that you want to block that will trigger cut-through proxy. When you authenticate then the ACL that you hand down to the client is what will determine where they have access to.

Can you please share your configuration, i am curious to see how you have this configured.

Thanks,

Tarik Admani
*Please rate helpful posts*

I understand that and I am doing exactly that but like I said it is blocking my access to the internet so looks like I need to configure it so there is "ip any any" statement in there too for rest of the access.  What I was hoping to accomplish was only restrict access to the DMZ host not rest of the network.

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"

access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023

access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

Please post your entire configuration.

Thanks,

Tarik Admani
*Please rate helpful posts*

access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"

access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023

access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www

access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet

!

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.1.5.236

key *****

!

virtual http 10.1.200.150

!

aaa authentication match RDPAuth inside RADIUS

Mohammad,

I do not see any cut through proxy configuring present in this configuration. Here is the configuration guide on how to create cut-through proxy:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150203

Thanks,

Tarik Admani
*Please rate helpful posts*

It is there you wanted the full config so I pasted it. I updated it with just the config related to cut through proxy.  And I already have seen that guide.  Like I said it is working but it is being applied to all the traffic I just need to know if there is a way to apply it to the traffic to DMZ ONLY.

Really?

I didnt see any of the authenticaiton match statements in the configuration you posted.

Usually when you add the authentication match statement (that forces authenticaiton for the traffic configured in the ACL).

thanks,

Tarik Admani
*Please rate helpful posts*

You are telling me you still don't see it?  And previously Authentication match statement was in "bold".