Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1414
Views
0
Helpful
1
Replies

Cut through Proxy ASA

amar_5664
Level 1
Level 1

‎03-28-2012 09:32 PM - edited ‎03-11-2019 03:48 PM

Hi Guys,

Hope someone can help. I want to enable a cut through proxy solution on my firewall, in a way that internal users get authenticated to the firewall and are allowed access.

I have users connecting on FTP and i understand ASA is capable of direct FTP auth. In this scenario, internal user will require cuthrough to internet.

User --------- int INTF [A S A] ext INTF--------DMZ------- [EXT Firewall]---------------Internet FTP server

I want user authenticate to ASA and then allow FTP connection out to the FTP server, please note FTP server has its own authentication [un/pass]

Has anyone implemented this sort of design, or what would be the best approach to have this solution implemented.

Appreciate any help

Regards

AP

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎03-29-2012 12:08 AM

Hi,

I've only configured HTTP/HTTPS connection cut through proxy for some virtual ASA FWs that only handle customers own guest networks traffic

To my understanding something similiar could be done to FTP in the following way

access-list CUT-THROUGH-PROXY-FTP permit tcp any any eq ftp

aaa authentication match CUT-THROUGH-PROXY-FTP LOCAL (or AAA servergroup)

Using "show run timeout" will show what the timeout value for the authenticated user is, for example

ASA# show run timeout

timeout xlate 9:00:00

timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 8:00:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

You need to set the "uauth" value to something desirable for your situation

I think the authentication itself works that you give both the ASA LOCAL/SERVER-GROUP and FTP -server username/password in the format

@

@

You should be able to find some tips on the ASA configuration manual and command reference applicable to your ASAs software. There might have been some changes in the format between the older software and 8.4 atleast.

Hope this helps

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card