Showing results for 
Search instead for 
Did you mean: 

ASA Cut Through (Authentication) Proxy for a Single ACL

Michael Lyons

I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.  I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?  Is there a way to only authenticate users accessing one server?

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni


Have not had to deal with this that many times myself but I would guess that you can only include this certain traffic for the AAA and exclude all other traffic so that it is not affected by the feature.

Will have to see if I have the time to test this at home.

- Jouni

Jouni Forss
VIP Alumni
VIP Alumni


Seems to me the easiest way to do this is you are connecting to the destination server with either Browser or CLI based connection.

For example if its a browser based connection then you could configure

username password privilege

access-list PROXY-AUTH extended permit tcp any host eq http

access-list PROXY-AUTH extended permit tcp any host eq https

access-list PROXY-AUTH extended deny ip any any

aaa authentication match PROXY-AUTH LAN LOCAL

I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL

Where "LAN" is my interface "nameif" connect to my LAN network.

To my understanding if you are using some application for this connection that doesnt apply in this situation then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.

Have a look at this document for some help

Hope this helps

- Jouni

Hi Jouni,

Thanks very much for your response.  That certainly points me in the right direction.  I just got dragged into the emergency of the day (nature of our business I suppose), but I'll try this out and let you know how it works out.


Just to add:

Make sure the connection will be done to HTTP, HTTPS,Telnet or FTP.

Otherwise you will need to configure virtual-telnet virtual HTTP or HTTP redirect.

I can provide help if any of those is needed.

Just let us know and remember to rate all of the helpful posts



Follow me on

Julio Carvajal
Senior Network Security and Core Specialist
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: