
11 Oct 12 Cisco ASA – DMZ access via cut-through proxy authentication

Allowing DMZ access based on user login in a corporate network

Most people know that a Cisco ASA can restrict Internet traffic per user with cut-through proxy authentication. I needed something similar, but for RDP: access to a server in our DMZ had to be limited to a particular set of users. There are several ways to do this. In the past I did it by network or IP address, but that network had a strict tier layout and a tightly controlled addressing scheme to meet PCI requirements. Here, the users who needed to reach the server in the DMZ got their addresses from DHCP with no reservations, so I could not simply permit the whole network to the DMZ server. I decided to use the ASA's cut-through proxy authentication instead. Note: the ASA can prompt for credentials directly only for HTTP (80), HTTPS (443), Telnet (23) and FTP (21); it cannot do so inside other protocols such as RDP (my case).

To use the feature for an unsupported protocol, the user first authenticates against a virtual IP address on the ASA and then opens the RDP session to the server in the DMZ. The ASA caches the authenticated user against the client's source IP (the uauth entry), so the RDP connection that follows from the same address passes without a second prompt until that entry expires (controlled by timeout uauth).

I took the following steps to accomplish this:

  • Set up the authentication prompts:
    auth-prompt prompt Authentication for Access to Server
    auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
    auth-prompt reject Authentication Failed please try again

  • Set up a virtual IP address on the ASA (an otherwise unused address that inside clients can reach):
    virtual http 10.1.1.10

  • Set up the access list that selects the traffic requiring authentication. 192.168.1.10 is the server in the DMZ; 10.1.1.10 is the virtual IP used for cut-through proxy authentication:
    access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
    access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
    access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
    access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https
    The second line is the one an RDP client's connection actually matches (ephemeral source port to TCP/3389 on the server); the first line matches a source port of 3389, which an RDP client never uses. The last two lines are what make a browser connection to the virtual IP trigger the login page.

  • Set up the AAA authentication statement. The RADIUS server group (named RADIUS here) must already be defined with aaa-server before this is configured, and secure-http-client makes the ASA serve the login page over HTTPS so the credentials are not sent in clear text:
    aaa authentication match RDPAuth inside RADIUS
    aaa authentication secure-http-client

Now it is time to set up the Microsoft NPS server:

  • As in the earlier examples, clone one of the existing network policies and name it something like RDPAuth.
  • On the Conditions tab, add the Active Directory groups that may access this resource.
  • On the Settings tab, the first option is Standard. Make sure Service-Type = Login.
  • The last and most important step is the Vendor Specific attribute Cisco-AV-Pair. This carries the per-user (downloadable) access list, one entry per ACE in the form ip:inacl#<n>=<ace>; the "#" is part of the syntax, and an entry without it is not a valid ACE. The ACEs mirror the RDPAuth ACL on the firewall: after authentication the ASA applies this per-user ACL to the user's traffic (in addition to the interface ACL, unless the access-group is configured with per-user-override), so it has to permit both the RDP connection and the virtual IP, or the user will authenticate successfully and then be blocked:
    ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
    ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
    ip:inacl#4=permit tcp any host 10.1.1.10 eq www
    ip:inacl#5=permit tcp any host 10.1.1.10 eq https

  • Now, when a user wants to RDP to the DMZ server 192.168.1.10, they first browse to https://10.1.1.10, authenticate on that page against Active Directory (the ASA cut-through proxy forwards the credentials to NPS over RADIUS), and then start their RDP client. The RDP session is permitted only from the source IP that authenticated, for as long as its uauth entry lives.
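The NPS step above is easy to get subtly wrong: the Cisco-AV-Pair entries are free text, and a typo such as a missing "#" leaves the user with a partial ACL that permits the login page but not the RDP flow. The script below is an added example, not Cisco, Microsoft or the post's own code. It parses the RDPAuth ACL from ASA configuration lines and the Cisco-AV-Pair strings from the NPS policy, reports entries that do not match the ip:inacl#<n>=<ace> syntax, and lists every ACE of the firewall ACL that has no identical ACE in the user's downloadable ACL. The sample configuration and AV-pairs are constructed to mirror the ones in the post, including two entries written without the "#", so the checker's output shows what the mistake looks like. The ACE parser only understands any/host addresses and eq/gt/lt port operators, which is all this ACL uses.

```python
import re

# Subset of the port keywords the ASA accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ftp": 21, "ssh": 22}

# Cisco-AV-Pair downloadable ACE: ip:inacl#<seq>=<ace>
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def port_value(tok):
    """Map a port token ('3389' or 'www') to an integer."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port keyword {tok!r}")


def parse_ace(text):
    """Parse 'permit|deny <proto> <src> [op port] <dst> [op port]'.

    Addresses may be 'any' or 'host A.B.C.D'; port operators eq/gt/lt.
    That covers every line of the RDPAuth ACL; anything else raises.
    """
    toks = text.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {text!r}")
    pos = 2

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host" and pos + 1 < len(toks):
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address in {text!r}")

    def port():
        nonlocal pos
        if pos + 1 < len(toks) and toks[pos] in ("eq", "gt", "lt"):
            op, val = toks[pos], port_value(toks[pos + 1])
            pos += 2
            return (op, val)
        return None

    ace = {"action": toks[0], "proto": toks[1]}
    ace["src"] = addr()
    ace["sport"] = port()
    ace["dst"] = addr()
    ace["dport"] = port()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {text!r}")
    return ace


def parse_asa_acl(config_lines, name):
    """Collect the ACEs of 'access-list <name> ...' from ASA config lines."""
    prefix = f"access-list {name} "
    aces = []
    for line in config_lines:
        line = line.strip()
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):]
        if body.startswith("remark"):
            continue
        if body.startswith("extended "):
            body = body[len("extended "):]
        aces.append(parse_ace(body))
    return aces


def parse_avpairs(pairs):
    """Return ({seq: ace}, [errors]) for a list of Cisco-AV-Pair strings.

    A pair that does not match ip:inacl#<n>=<ace> is reported instead of
    guessed at, because it will not become part of the user's ACL.
    """
    aces, errors = {}, []
    for p in pairs:
        m = AVPAIR_RE.match(p.strip())
        if not m:
            errors.append(f"malformed AV-pair (expected ip:inacl#<n>=<ace>): {p!r}")
            continue
        seq = int(m.group(1))
        if seq in aces:
            errors.append(f"duplicate sequence number {seq}: {p!r}")
            continue
        try:
            aces[seq] = parse_ace(m.group(2))
        except ValueError as e:
            errors.append(str(e))
    return aces, errors


def missing_from_user_acl(asa_aces, user_aces):
    """ASA ACEs that have no identical ACE in the downloaded user ACL."""
    user = list(user_aces.values())
    return [a for a in asa_aces if a not in user]


def audit(config_lines, avpairs, acl_name="RDPAuth"):
    """Return (syntax errors, ASA ACEs not covered by the user ACL)."""
    asa_aces = parse_asa_acl(config_lines, acl_name)
    user_aces, errors = parse_avpairs(avpairs)
    return errors, missing_from_user_acl(asa_aces, user_aces)


# Constructed sample input mirroring the post (not a real device dump).
SAMPLE_CONFIG = """
access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https
aaa authentication match RDPAuth inside RADIUS
""".strip().splitlines()

# Constructed AV-pairs: the last two are deliberately missing the '#'.
SAMPLE_AVPAIRS = [
    "ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023",
    "ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389",
    "ip:inacl4=permit tcp any host 10.1.1.10 eq www",
    "ip:inacl5=permit tcp any host 10.1.1.10 eq https",
]

if __name__ == "__main__":
    errors, missing = audit(SAMPLE_CONFIG, SAMPLE_AVPAIRS)
    for e in errors:
        print("ERROR:", e)
    for m in missing:
        print("NOT IN USER ACL:", m)
```

Run against the sample, the checker reports the two malformed entries and lists the two virtual-IP ACEs (TCP/80 and TCP/443 to 10.1.1.10) as missing from the user ACL; correcting the entries to ip:inacl#4= and ip:inacl#5= makes both lists empty. The comparison is exact-match on purpose: it does not try to decide whether a broader ACE would also permit the flow, so any intentional difference between the interface ACL and the per-user ACL shows up for a human to confirm.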

Resources:

  1. Limiting Internet Access Based on User Profile Using ASA and RADIUS
  2. I also recommend reading and understanding the cut-through proxy authentication vulnerability, Cisco bug ID CSCtx42746.

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo 🙂


Reader's Comments

  1.

    How can I configure Cisco ASA AAA for a DMZ service?

    Outside users access 150.1.7.60 on port 9007 using a specific URL:9007. This service is in the DMZ. The packet gets translated by the ASA to 172.16.15.8.

    How can I authenticate that traffic?

    ADDITIONAL INFORMATION:

    I have configured a TACACS server at 172.16.10.60 in the INSIDE zone. A test from the ASA for a user in the TACACS server is successful.

    My ISP has assigned the 1.1.1.216/248 block to my company. 1.1.1.217 is on the ISP side. 1.1.1.218 is my ASA outside interface address. 1.1.1.221 is the DNS entry for my URL at the ISP.

  2.

    Well, from what I can understand you are trying to accomplish the following:
    – An outside user accesses 150.1.7.60 on port 9007 using a specific URL.
    – This server is in the DMZ and its IP is 172.16.15.8.
    – You have a TACACS server on the inside at 172.16.10.60.
    I do not know exactly how your network is laid out, so I am just going to guess and suggest what I have done in the past. Obviously you need to test this in the lab and back up everything before putting it into production. You are responsible for your own network and all the changes you make.

    Basically, a setup like this will require opening up access to the TACACS server from the DMZ server and setting up NAT appropriately depending on the configuration.
    Users from the outside will access the specific URL and will be asked to authenticate.
    They will enter their credentials, and the server in the DMZ will send the request to the TACACS server.
    The TACACS server will send the authentication response to the server in the DMZ about the authentication parameters the outside user provided.


