MLtech asked:
Cut-through proxy configuration - ASA-5510
I want to configure limited internet access only for a select group of Windows AD users. The Cisco ASA5510 is integrated with an LDAP server.
By referring to this link, I configured the cut-through proxy on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html
Access Rule
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp
aaa authentication match Inside_authentication Inside LDAP_FTP
The group name in the Windows AD is “FTP users”
When a user from the FTP group logs into a system on the Internal Network and makes an outbound FTP connection:
1) Will the user be prompted for a username and password by the ASA, or, since he has already logged into the network, will he have direct access to the FTP server without a prompt from the ASA?
Yes, the way it works is that FTP users should first initiate an HTTP session through the ASA auth-proxy. After that successful auth, the ACL (Inside_authentication) is applied to allow FTP connections.
This is the only way to use it...
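As an added illustration of the answer above (not configuration from the original post or from Cisco), the following ASA snippet adds HTTP to the authentication ACL so that a browser request from the internal host triggers the cut-through proxy login prompt, after which the same user's FTP connections are covered by the cached authentication. The interface, object-group and server-group names are taken from the question; the uauth timeout value is an assumption.

```cisco
! Added example, not the original poster's configuration.
! Names (Inside, Internal_Networks, LDAP_FTP) come from the question;
! the uauth timeout and the "www" line are assumptions for illustration.
!
! Traffic matching this ACL requires authentication. The Windows domain
! logon is not visible to the ASA, so including HTTP gives the user a
! browser prompt to authenticate before opening FTP. The interface
! access rule still decides whether the traffic is permitted at all.
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq www
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp
!
! Authenticate matching connections arriving on Inside against the
! LDAP server group.
aaa authentication match Inside_authentication Inside LDAP_FTP
!
! After a successful login the ASA caches a uauth entry for the source
! address; FTP connections from that host pass without a new prompt
! until the timer expires (30 minutes absolute here; adjust to policy).
timeout uauth 0:30:00 absolute
!
! Verification: list currently authenticated users and remaining time.
! show uauth
```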
ASKER: Still researching the same.
I advise authenticating via HTTP, and then using FTP.