So I'm sure everyone knows that there is a way we can utilize the Cisco ASA to limit internet traffic using cut-through proxy authentication. I needed something similar; however, I needed to limit RDP access to a server in our DMZ based on a user profile. Now there are multiple ways to accomplish this. Previously I have accomplished this by using networks or IP addresses; however, in that case the whole network was set up with strict tier levels and a stricter IP addressing scheme to comply with PCI requirements. In this case a certain group of users who needed access to that web server in the DMZ were getting their IPs from the DHCP server and there were no reservations, so I couldn't allow the whole network access to the server in the DMZ. I decided to utilize the Cisco ASA's cut-through proxy authentication. Note: the Cisco ASA supports direct authentication for HTTP (80), Telnet (23), FTP (21) and HTTPS (443), but it does not for other protocols such as RDP (in my case).
So in order to utilize this feature for unsupported protocols, first I had to get the users to authenticate against the virtual IP address on the Cisco ASA and then gain RDP access to the server in the DMZ.
I took the following steps to accomplish this:
auth-prompt prompt Authentication for Access to Server
auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
auth-prompt reject Authentication failed, please try again
virtual http 10.1.1.10
access-list RDPAuth remark This ACL is for RDP access to the servers in the DMZ
! 192.168.1.10 is the server IP in the DMZ
access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389
! 10.1.1.10 is the virtual IP for cut-through proxy authentication
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https
! Note: RADIUS must be set up prior to this, see )
aaa authentication match RDPAuth inside RADIUS
aaa authentication secure-http-client
Now it is time to set up the Microsoft NPS server, which returns the per-user ACL to the ASA as Cisco-AV-Pair attributes in the ip:inacl#N= form:
ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
ip:inacl#4=permit tcp any host 10.1.1.10 eq www
ip:inacl#5=permit tcp any host 10.1.1.10 eq https
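As an added example (not part of the original post), a small Python check that parses per-user ACL entries in the ip:inacl#N= form the ASA expects, rejects malformed ones (such as an entry missing the '#'), and flags any permit whose destination is neither the DMZ server nor the virtual IP. The fifth sample entry for 192.168.1.20 is a constructed over-broad entry, not from the post.

```python
import re

# Per-user ACL entry carried in the Cisco-AV-Pair attribute, as the ASA expects it: ip:inacl#<seq>=<ACE>
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny) (tcp|udp|ip) (.+)$")
PORT_NAMES = {"www": 80, "https": 443}  # named ports used in the post

def _addr(tokens):  # 'any' or 'host A.B.C.D', the only address forms the post uses
    tok = tokens.pop(0)
    if tok in ("any", "host"):
        return tok if tok == "any" else tokens.pop(0)
    raise ValueError(f"unsupported address spec: {tok}")

def _port(tokens):  # optional 'eq'/'gt' operator followed by a number or well-known name
    if tokens and tokens[0] in ("eq", "gt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return (op, PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return None

def parse_avpair(line):
    """Parse one ip:inacl# entry; raises ValueError when malformed (e.g. the '#' is missing)."""
    m = AVPAIR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed ip:inacl#N= entry: {line!r}")
    seq, action, proto, rest = m.groups()
    tokens = rest.split()
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in ACE: {tokens}")
    return {"seq": int(seq), "action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def is_well_formed(line):
    try:
        return bool(parse_avpair(line))
    except (ValueError, IndexError):
        return False

def check_user_acl(lines, allowed_dsts):  # permit entries reaching hosts this user should not reach
    entries = [parse_avpair(l) for l in lines]
    seqs = [e["seq"] for e in entries]
    if seqs != sorted(set(seqs)):
        raise ValueError("ip:inacl# sequence numbers must be unique and ascending")
    return [e for e in entries if e["action"] == "permit" and e["dst"] not in allowed_dsts]

# Constructed sample: the post's four entries plus one over-broad entry (192.168.1.20 is hypothetical)
SAMPLE_AVPAIRS = [
    "ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023",
    "ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389",
    "ip:inacl#4=permit tcp any host 10.1.1.10 eq www",
    "ip:inacl#5=permit tcp any host 10.1.1.10 eq https",
    "ip:inacl#6=permit tcp any host 192.168.1.20 eq 3389",
]
```

Running `check_user_acl(SAMPLE_AVPAIRS, {"192.168.1.10", "10.1.1.10"})` returns only entry #6, so a review of the NPS policy would catch the extra host before users receive it.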
Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo 🙂