<div>
Hi,<br />
<br />
I advis to authenticate via http, and after use ftp
</div>


Hi,

I advis to authenticate via http, and after use ftp

<div>
Yes, the way it works is that ftp users should first initiate http session through ASA auth-proxy . And after that successful auth ACL (Inside_authentication) is applied to allow ftp connections<br />
<br />

</div>


Yes, the way it works is that ftp users should first initiate http session through ASA auth-proxy . And after that successful auth ACL (Inside_authentication) is applied to allow ftp connections



<div>
still researching on the same
</div>


<div>
<div class="content wysiwyg-content">
I am want to configure limited internet access only to a select group of Windows AD users. The Cisco ASA5510 is integrated with LDAP server. <br />
<br />
By referring to this link, configured the cut-through proxy on the ASA<br />
<a href="http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html" rel="ugc">http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html</a><br />
<br />
Access Rule<br />
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp<br />
aaa authentication match Inside_authentication Inside LDAP_FTP<br />
<br />
<br />
The group name in the Windows AD is “FTP users”<br />
When user from FTP group logs into the system in the Internal Network and makes an outbound ftp connect.<br />
1) Will the user get prompt for username and password from ASA or since he already logged into the network will he have direct access to the ftp server meaning will not get prompt from ASA? <br />

</div>
</div>


I am want to configure limited internet access only to a select group of Windows AD users. The Cisco ASA5510 is integrated with LDAP server. 

By referring to this link, configured the cut-through proxy on the ASA
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html

Access Rule
access-list Inside_authentication extended permit tcp object-group Internal_Networks any eq ftp
aaa authentication match Inside_authentication Inside LDAP_FTP


The group name in the Windows AD is “FTP users”
When user from FTP group logs into the system in the Internal Network and makes an outbound ftp connect.
1) Will the user get prompt for username and password from ASA or since he already logged into the network will he have direct access to the ftp server meaning will not get prompt from ASA? 


Cut-through proxy configuration - ASA-5510

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hardware Firewalls

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).