Solved: yes was looking at this

dino55088 · ‎06-20-2016

hi,

is there a way we can get the ASA to prompt site-to-site VPN users to authenticate to ASA/RADIUS before they can access head end resources behind ASA such as Sharepoint etc that are allowed in via respective VPN ACLs?

Philip D'Ath · ‎06-20-2016

I've never done it, but you should be able to use "Cut Through" authentication.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html

Basically the user has little or no access, and the ASA intercepts a request, such as via HTTP, and then authenticates the session. After that the user can access whatever you allow them to.

View solution in original post

Philip D'Ath · ‎06-20-2016

I've never done it, but you should be able to use "Cut Through" authentication.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html

Basically the user has little or no access, and the ASA intercepts a request, such as via HTTP, and then authenticates the session. After that the user can access whatever you allow them to.

dino55088 · ‎06-21-2016

yes was looking at this thanks. I have not tried either but was wondering how it would handle multiple clients being NATed behind one source on the way in from remote site

Philip D'Ath · ‎06-21-2016

I don't think it would work with NAT. Can you remove the NAT over the VPN?

dino55088 · ‎06-21-2016

some B-to-B partnerswant single IP presented to s so not sure.

Thanks for the tip anyhow.

ASA 5510 Auth for site-to-site VPN users