cut-through proxy with radius authentication

sansarav720e
Level 1

Hi All,

I have a cut-through proxy setup enabled on a PIX 515E in our network segment, along with downloadable ACLs from ACS 4.2. I can successfully authenticate the user at the authentication prompt. Similarly, my downloadable ACLs are pushed from ACS to the PIX appliance, and I can see the dynamic ACL formed.

When I try to access the application, I can see the hit count on the dynamic ACL increase continuously, but I can't access the application.

When I look at the TCP conn status, I get the SaAB flag status.

My NAT on the PIX box works perfectly. Apart from this configuration, does anything else need to be specified?

show uauth gives me the user authentication along with the downloadable ACL. Thank you.

HTH Regards Santhosh Saravanan
Accepted Solutions

Jennifer Halim
Cisco Employee

The connection flag of SaAB basically means that the SYN packet is sent out to the destination host; however, the PIX firewall is not receiving the SYN-ACK reply from the host. I would check the actual destination application that you are trying to reach.


Hi Jenni,

You are right here. I had kept a deny ACL on my distribution switch at the L3 SVI interface level, which was denying the reverse ACK packets towards the firewall. I have altered the ACL accordingly, and now I am able to access the destination machines. Thanks so much for the postings.

HTH Regards Santhosh Saravanan
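
The flag reading discussed in this thread can be automated. The following is an added example, not code from the thread or from Cisco: it decodes TCP flags from saved `show conn` output and counts connections stuck in the handshake per inside host, which points at the server whose SYN-ACK is not reaching the firewall. The line layout matched by `CONN_RE` and the sample addresses are assumptions constructed for illustration; the legend is a subset of the one the firewall prints.

```python
import re
from collections import Counter

# Subset of the TCP flag legend printed by the firewall with "show conn detail".
FLAG_LEGEND = {
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
}

# Assumed layout: TCP out <ip:port> in <ip:port> idle <t> bytes <n> flags <f>
CONN_RE = re.compile(
    r"^TCP\s+out\s+(?P<outside>\S+)\s+in\s+(?P<inside>\S+)\s+idle\s+\S+"
    r"\s+bytes\s+\d+\s+flags\s+(?P<flags>\S+)", re.IGNORECASE)

def decode(flags):
    """Translate each flag letter; letters outside the subset are marked."""
    return [FLAG_LEGEND.get(f, "not in this subset") for f in flags]

def is_half_open(flags):
    """Handshake incomplete: not 'U' and still awaiting a SYN or an ACK."""
    return "U" not in flags and any(f in flags for f in "SsAa")

def stalled_by_inside_host(text):
    """Count half-open connections per inside ip:port."""
    stalled = Counter()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and is_half_open(m["flags"]):
            stalled[m["inside"]] += 1
    return stalled

# Constructed sample output (documentation and private addresses).
SAMPLE = """\
TCP out 198.51.100.20:51514 in 10.10.20.5:8080 idle 0:00:04 bytes 0 flags SaAB
TCP out 198.51.100.21:51720 in 10.10.20.5:8080 idle 0:00:09 bytes 0 flags SaAB
TCP out 198.51.100.20:51600 in 10.10.20.6:443 idle 0:00:01 bytes 4312 flags UIOB
TCP out 203.0.113.9:80 in 10.10.20.7:40211 idle 0:00:02 bytes 918 flags UIO
"""

if __name__ == "__main__":
    print(decode("SaAB"))
    for host, count in stalled_by_inside_host(SAMPLE).most_common():
        print(f"{host}: {count} connection(s) never completed the handshake")
```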