11 Oct 12
Cisco ASA – DMZ access via cut-through proxy authentication

Allowing DMZ access based on user login in a corporate network

I'm sure everyone knows that the Cisco ASA can be used to limit internet traffic using cut-through proxy authentication. I needed something similar, but in my case I needed to limit RDP access to a server in our DMZ based on a user profile. There are multiple ways to accomplish this. Previously I had done it using networks or IP addresses, but in that case the whole network was set up with a strict tier level and a strict IP addressing scheme to comply with the PCI requirements. Here, the group of users who needed access to that web server in the DMZ were getting their IPs from the DHCP server with no reservations, so I could not simply allow the whole network access to the server in the DMZ. I decided to use the Cisco ASA's cut-through proxy authentication. Note: the Cisco ASA supports direct authentication for HTTP (80), Telnet (23), FTP (21) and HTTPS (443), but it does not for other protocols such as RDP (in my case).

So in order to use this feature for unsupported protocols, users first have to authenticate against the virtual IP address on the Cisco ASA and can then gain RDP access to the server in the DMZ.

I took the following steps to accomplish this:

  • Set up the authentication prompts
    auth-prompt prompt Authentication for Access to Server
    auth-prompt accept Authentication successful, now you can RDP to
    auth-prompt reject Authentication Failed please try again

  • Set up a virtual IP address on the Cisco ASA
    virtual http

  • Set up an access list on the Cisco ASA
    access-list RDPAuth remark “This ACL is for RDP access to the servers in the DMZ”
    access-list RDPAuth extended permit tcp any eq 3389 host gt 1023 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any gt 1023 host eq 3389 (Server IP in DMZ)
    access-list RDPAuth extended permit tcp any host eq www (Virtual IP for cut-through proxy authentication)
    access-list RDPAuth extended permit tcp any host eq https (Virtual IP for cut-through proxy authentication)

  • Set up the AAA authentication statements
    aaa authentication match RDPAuth inside RADIUS (Note: RADIUS must be set up prior to this, see )
    aaa authentication secure-http-client

Now it is time to set up the Microsoft NPS server.

  • From the examples before, simply clone one of the policies and name it something like RDPAuth
  • On the next tab, Conditions, add the groups from Active Directory that can access this resource
  • Under the Settings tab the first option will be “Standard”. Make sure “Service-Type = Login”
  • Now the last and most important step: configuring the vendor-specific attributes. In this case it would be “Cisco-AV-Pair”. This is where I configured the access list, the same one that is defined on the firewall; every line needs to match.
    ip:inacl#2=permit tcp any eq 3389 host gt 1023
    ip:inacl#3=permit tcp any gt 1023 host eq 3389
    ip:inacl#4=permit tcp any host eq www
    ip:inacl#5=permit tcp any host eq https

  • Now if a user wants to RDP to the DMZ server, they can gain that access by first going to the virtual IP address, authenticating on that page against Microsoft Active Directory via the Cisco ASA cut-through proxy, and then running their RDP command.
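Since the post stresses that every Cisco-AV-Pair line on NPS must match the RDPAuth ACL on the ASA, here is an added example (not from the original post) that parses both sides and reports any entry present on only one of them; the DMZ server address 192.0.2.10 and virtual IP 192.0.2.1 are placeholders I made up.

```python
import re

# Cisco-AV-Pair downloadable ACL entries look like "ip:inacl#N=<ace>".
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

def normalize(ace):
    """Case-fold and collapse whitespace so cosmetic differences are ignored."""
    return " ".join(ace.lower().split())

def asa_acl_aces(config_text, acl_name):
    """Return the normalized ACEs of one named ASA ACL, skipping remark lines."""
    prefix = f"access-list {acl_name} extended "
    return [normalize(line.strip()[len(prefix):])
            for line in config_text.splitlines()
            if line.strip().startswith(prefix)]

def avpair_aces(avpairs):
    """Parse ip:inacl#N= attributes into normalized ACEs ordered by N; a malformed
    attribute (e.g. a missing '#') raises instead of silently dropping a line."""
    parsed = []
    for av in avpairs:
        m = AVPAIR_RE.match(av.strip())
        if not m:
            raise ValueError(f"malformed Cisco-AV-Pair: {av!r}")
        parsed.append((int(m.group(1)), normalize(m.group(2))))
    return [ace for _, ace in sorted(parsed)]

def compare_acls(asa_aces, nps_aces):
    """Report entries present on only one side (membership, not order)."""
    asa_set, nps_set = set(asa_aces), set(nps_aces)
    return {"ok": asa_set == nps_set,
            "missing_from_nps": sorted(asa_set - nps_set),
            "extra_in_nps": sorted(nps_set - asa_set)}

# Constructed sample: the post's RDPAuth ACL with placeholder addresses
# (192.0.2.10 = DMZ server, 192.0.2.1 = ASA virtual IP; both are made up).
ASA_CONFIG = """
access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
access-list RDPAuth extended permit tcp any eq 3389 host 192.0.2.10 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 192.0.2.10 eq 3389
access-list RDPAuth extended permit tcp any host 192.0.2.1 eq www
access-list RDPAuth extended permit tcp any host 192.0.2.1 eq https
"""
NPS_AVPAIRS = [
    "ip:inacl#2=permit tcp any eq 3389 host 192.0.2.10 gt 1023",
    "ip:inacl#3=permit tcp any gt 1023 host 192.0.2.10 eq 3389",
    "ip:inacl#4=permit tcp any host 192.0.2.1 eq www",
    "ip:inacl#5=permit tcp any host 192.0.2.1 eq https",
]
```

Run `compare_acls(asa_acl_aces(ASA_CONFIG, "RDPAuth"), avpair_aces(NPS_AVPAIRS))` against a copy of your own running config and NPS attributes before cutting the policy over.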


  1. Limiting Internet Access Based on User Profile Using ASA and RADIUS
  2. I also recommend reading and understanding the cut-through proxy authentication vulnerability – CSCtx42746

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo 🙂


Reader's Comments

  1.

    How can I configure Cisco ASA AAA for a DMZ service?

    Outside users access on port 9007 using a specific URL:9007. This service is in the DMZ. Packets get translated in the ASA to

    How can I authenticate that traffic?


    I have configured a TACACS server at on the INSIDE zone. A test from the ASA for a user in the TACACS server is successful.

    My ISP has a block assigned to my company. is in the ISP part. is my ASA outside interface address. in my URL address's DNS entry at the ISP.

  2.

    Well, from what I can understand you are trying to accomplish the following:
    – An outside user accesses on port 9007 using a specific URL.
    – This server is in the DMZ and its IP is
    – You have a TACACS server on the inside
    I do not know exactly how your network is laid out, so I am just going to guess and suggest what I have done in the past. Obviously you need to test this in the lab and back up everything before putting it in production. You are responsible for your own network and all the changes you make.

    Basically a setup like this will require opening up access to the TACACS server from the DMZ server and setting up NAT appropriately depending on the configuration.
    Users from the outside will access the specific URL and will be asked to authenticate.
    They will enter their credentials and the server in the DMZ will send the request to the TACACS server.
    The TACACS server will send the authentication response to the server in the DMZ about the authentication parameters the outside user provided.
