Cut-through proxy configuration - ASA-5510

MLtech
I want to configure limited internet access only for a select group of Windows AD users. The Cisco ASA 5510 is integrated with an LDAP server.

By referring to this link, I configured the cut-through proxy on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html

Access Rule
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp
aaa authentication match Inside_authentication Inside LDAP_FTP


The group name in the Windows AD is “FTP users”.
When a user from the FTP group logs into the system on the internal network and makes an outbound FTP connection:
1) Will the user get prompted for a username and password by the ASA, or, since he has already logged into the network, will he have direct access to the FTP server (meaning he will not get a prompt from the ASA)?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

I advise authenticating via HTTP, and after that using FTP.

Commented:
Yes, the way it works is that FTP users should first initiate an HTTP session through the ASA auth-proxy. After that successful auth, the ACL (Inside_authentication) is applied to allow FTP connections.

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
This is the only way to use it...
Commented:
When you set up the FTP cut-through proxy, a user will try to FTP through the ASA. The FTP session will be pinned on the ASA while the credentials are verified through a user/pass auth challenge; assuming the auth passes, they would then be connected to the FTP server, which would do whatever it does.
The ASA does not have the ability to see the credentials the user logged into their machine with, so it has to do a challenge/response.
Auth-proxy uses the HTTP request to temporarily open access based on credentials. Cut-through proxy works as you intend.

hope this helps,

-t
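The flow the two experts describe (authenticate once over HTTP, then let FTP through for the lifetime of the uauth entry) as an ASA configuration sketch. This is an added example, not configuration from the thread, from the asker, or from the Cisco guide linked above; the LDAP server address, bind DN, base DN, and interface name Inside are placeholders, and object-group Internal_Networks is assumed to already exist as in the asker's config. The interface access-group ACL must still permit the HTTP and FTP traffic: the aaa match ACL only selects which flows are challenged, it does not grant access by itself. Restricting the result to the "FTP users" AD group is an LDAP authorization step that is not shown here.

```cisco
! Constructed example: LDAP server group used for the cut-through proxy.
! 10.0.0.10 and the DN values are placeholders, not values from the thread.
aaa-server LDAP_FTP protocol ldap
aaa-server LDAP_FTP (Inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft

! Traffic to be challenged: HTTP first (the browser can render the ASA's
! credential prompt), then FTP, which rides on the same uauth entry.
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq www
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp
aaa authentication match Inside_authentication Inside LDAP_FTP

! How long an authenticated host stays open before it is challenged again.
! A short absolute timeout limits how long a session on a shared or
! walked-away-from workstation keeps FTP access.
timeout uauth 0:05:00 absolute

! Optional (ASA 7.2.2 and later): a dedicated listener so users can
! authenticate by browsing to the ASA directly instead of waiting to be
! intercepted on an arbitrary HTTP request.
aaa authentication listener http Inside port 1080 redirect
```

To verify from the ASA side, `show uauth` lists the hosts currently authenticated and the remaining timeout; a user who has not yet opened an HTTP session will not appear there, and their FTP attempt will be held for a challenge rather than forwarded. `clear uauth` forces every host back to the unauthenticated state.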

Author

Commented:
still researching on the same
