12-07-2012 10:10 AM - edited 03-11-2019 05:34 PM
12-07-2012 10:47 AM
Hi,
Well I'm not exactly sure if this is what you are looking for but you can define on the ASA that when certain users initiate for example a http/https connection that they will have to authenticate with the ASA first either using LOCAL or AAA-SERVER.
Initiating a HTTP/HTTPS connection should direct the users connection to ASA which asks for authentication before allowing the connection.
I for example tested on my home ASA just now with following configurations (This was just something i configured fast so it might be lacking)
Basic Configuration
Where
Additional Commands
If you want to know more about this you should Google for ASA Cut Through Proxy or check the same thing from the Configuration Guide.
- Jouni
12-07-2012 11:00 AM
Also,
I think you can modify the Prompts the user gets when attempting the connection
There are commands:
- Jouni
12-07-2012 11:25 AM
Yes, its the same
12-07-2012 11:30 AM
What I posted earlier will only make it so that certain users couldnt access the Internet unless they authenticate with the ASA first.
I dont think the ASA alone can do what you are asking with regards to redirecting users to a certain site. It would on the other hand block their connection attempts unless they had username/password needed to pass the authentication
- Jouni
12-07-2012 12:52 PM
I understand that but thats not i want achieve
12-09-2012 12:35 AM
Hi,
Can anyone tell me what is needed to achieve above requirement? I mean if ASA alone cannot fulfill the requirement.
Regards,
12-09-2012 01:04 AM
You can redirect http traffic to certain IP address but not url if that solves your problem also?
1. create network object for those IPs that don't have access to internet:
object network banned-ips
subnet 1.2.3.0 255.255.255.0
2. create network object for all ip addresses:
object network internet
subnet 0.0.0.0 0.0.0.0
3. create network object for web server
object network web-server
host 11.22.33.44
4. create service object for http traffic
object service http-traffic
service tcp destination eq http
4. create nat rule to translate http traffic to web server
nat(inside,outside) 10 source static banned-ips interface destination static internet web-server service http-traffic http-traffic
Hope that solves your problem.
12-09-2012 04:53 AM
Well that command will not accept in current version
12-09-2012 07:54 AM
Hi Sirajhusen,
sorry, I overlooked you're still running pre 8.3 version you mentioned in your first post.
I would recommend you upgrade to post 8.2 version which offers you much more flexibility when configuring nat rules. And you could also benefit from new features like AD integration, scansafe connector...
Is this possible in your case?
12-09-2012 08:14 AM
Thanks Jernej,
You mean the pre 8.3 version will not solve the problem, right? This an urgent requirement pls suggest if any other way.
I already gone through the below link of pre 8.3 to 8.3 NAT config examples
https://supportforums.cisco.com/docs/DOC-9129
Regards,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide