11 Oct 12 Cisco ASA – DMZ access via cut through Proxy Authentication
Allowing DMZ access based on user login in a corporate network
So I’m sure every one knows that there is a way we can utilize Cisco ASA to limit the internet traffic using Cut through proxy authentication. I needed something similar however I needed to limited the RDP access to a server in our DMZ based on a user profile. Now there are multiple ways to accomplish this. Previously I have accomplished this by using the networks or IP addresses however in that case the whole network was setup with a strict tier level and more strict IP addressing scheme to comply with the PCI requirements. In this case certain group of users who needed access to that web server in the DMZ were getting their IP’s from the DHCP server and there were no reservations. So I couldn’t allow the whole network access to the server in the DMZ. I decided to utilize the Cisco ASA’s cut through proxy authentication. Note: Cisco ASA supports direct authentication for http (80), telnet (23), ftp (21), https (443). But it does not for other protocols such as RDP (in my case).
So in order to utilize this feature for un supported protocols first I had to get the users to authenticate using the virtual IP address on the Cisco ASA and then gain RDP access to the server in the DMZ.
I took the following steps to accomplish this:
- Setup authentication prompts
- Setup a Virtual IP address on the Cisco ASA
- Setup an access list on the Cisco ASA
- Setup AAA Authentication statements
- From the examples before simply clone one of the policy, name it something like RDPAuth
- On the next tab Conditions add the groups from active directory that can access this resource
- Under Settings Tab first option will be “Standard”. Make sure “Service-Type = Login”
- Now last and important step configuring Vendor Specific attributes. In this case it would be “Cisco-AV-Pair”. This is where I configured the access list, same that is defined on the firewall, every line needs to match.
- Now if a user wants to RDP to the 192.168.1.10 DMZ Server they can gain that access by first going to https://10.1.1.10, authenticating on that page against Microsoft Active Directory using Cisco ASA Cut through Proxy and then running their RDP command
auth-prompt prompt Authentication for Access to Server
auth-prompt accept Authentication successful, now you can RDP to 192.168.1.10
auth-prompt reject Authentication Failed please try again
virtual http 10.1.1.10
access-list RDPAuth remark “This ACL is for RDP access to the servers in the DMZ”
access-list RDPAuth extended permit tcp any eq 3389 host 192.168.1.10 gt 1023 (Server IP in DMZ)
access-list RDPAuth extended permit tcp any gt 1023 host 192.168.1.10 eq 3389 (Server IP in DMZ)
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq www (Virtual IP for Cut Through Proxy Authentication)
access-list RDPAuth extended permit tcp any host 10.1.1.10 eq https (Virtual IP for Cut Through Proxy Authentication)
aaa authentication match RDPAuth inside RADIUS (Note: RADIUS must be setup prior to this, see )
aaa authentication secure-http-client
Now it is time to setup the Microsoft NPS Server
ip:inacl#2=permit tcp any eq 3389 host 192.168.1.10 gt 1023
ip:inacl#3=permit tcp any gt 1023 host 192.168.1.10 eq 3389
ip:inacl4=permit tcp any host 10.1.1.10 eq www
ip:inacl5=permit tcp any host 10.1.1.10 eq https
Resources:
- Limiting Internet Access Based on User Profile Using ASA and RADIUS
- I also recommend reading and understanding cut through proxy authentication vulnerability – CSCtx42746
Note:Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always backup your work before you make any changes, always test configurations in the lab and never do anything that you can not undo 🙂
Tags: cisco asa cut through proxy with Microsoft RADIUS (NPS) server, Cisco ASA Cuth Through Proxy, control DMZ access via cisco asa cut through proxy
