Security: Cisco ASA Cut-through proxy

Introduction
Cut-through proxy is the Cisco ASA feature that authenticates a user before the ASA lets that user's traffic through to an asset it protects. The ASA does not hold the user database itself: it collects the username and password from the user, forwards them to a TACACS+ or RADIUS server, and permits or denies the session according to the server's answer. In 802.1X terms the ASA plays the authenticator (the enforcement point) and the user's host plays the supplicant (the party being authenticated).

Application
A typical scenario: a Web Application Firewall inspects HTTP and HTTPS traffic into the DMZ, but a user who opens an RDP session to a DMZ host never passes through the WAF at all, so the WAF adds nothing for that path. Cut-through proxy adds an authentication layer in front of it, so a user who attempts RDP to the DMZ host must authenticate to the ASA first.

Configuration
Create the AAA server group and add the RADIUS server to it.

aaa-server RADIUS_SERVER protocol radius
aaa-server RADIUS_SERVER (DMZ) host 192.168.1.1
timeout 300
key test-key
authentication-port 1812
accounting-port 1813
end

RADIUS_SERVER is the server-group name; any name can be used, but the same name must be used in every later command that references the group. In aaa-server RADIUS_SERVER (DMZ) host 192.168.1.1, the name in brackets is the ASA interface (nameif) through which the AAA server is reached, and the host address is the IP address of the AAA server. The lines that follow are entered in the host sub-mode: key is the RADIUS shared secret and must match the secret configured on the server for this ASA (use a long random value rather than a placeholder like test-key, since RADIUS hides the user's password with that secret); timeout is how long, in seconds, the ASA waits for a reply before treating the server as unresponsive; 1812 and 1813 are the standard RADIUS authentication and accounting ports (some older servers still listen on 1645 and 1646).

Create an access-list that selects the traffic to be authenticated. RDP listens on TCP port 3389 by default.

access-list remote_auth extended permit tcp any host 192.168.200.1 eq 3389

Any TCP connection to port 3389 on 192.168.200.1, from any source, matches this access-list.

Bind the access-list and the server group to the interface with aaa authentication match.

aaa authentication match remote_auth outside RADIUS_SERVER

This line makes the ASA authenticate, against RADIUS_SERVER, every connection that arrives on the outside interface and matches remote_auth, that is, RDP to 192.168.200.1. The interface named here is the one on which the traffic enters the ASA, so the direction of the access-list and the interface must agree.

One caveat matters for RDP. The ASA can only prompt for credentials inside HTTP, HTTPS, FTP and Telnet sessions, because those protocols carry a login exchange the ASA can intercept; it cannot inject a prompt into an RDP connection. Unauthenticated RDP that matches the access-list is simply dropped until the same source address has authenticated through one of the promptable protocols, for example by opening an HTTP or Telnet session to a host behind the ASA, or to a virtual telnet or virtual http address configured on the ASA for exactly this purpose. After a successful login the ASA caches the source address in its uauth table and passes the RDP traffic without further prompting until the uauth timeout expires.

Exemption
You can create a MAC-address exemption list; hosts whose source MAC address matches an entry in the list skip authentication entirely.

A typical candidate is a proxy server that sits between the users and the ASA: the proxy is not the actual user, so there is nothing meaningful for it to authenticate as, and the users behind it are authenticated by the proxy itself. Suppose the proxy server's MAC address is aaaa.bbbb.cccc. The mask ffff.ffff.ffff requires all 48 bits to match, so the entry covers exactly that one address. Two limits apply: the ASA only sees a host's own MAC address when the host is on a directly connected segment (traffic that has crossed a router arrives with the router's MAC), and MAC addresses are trivially spoofed, so an exemption is a convenience for a trusted, physically adjacent device rather than a security control.

mac-list EXEMPTION permit aaaa.bbbb.cccc ffff.ffff.ffff
aaa mac-exempt match EXEMPTION
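Putting the steps together, here is the complete configuration as an added example assembled for this post; it is not copied from Cisco documentation. The interface names outside and DMZ, the addresses 192.168.1.1 and 192.168.200.1 and the proxy MAC are the ones used above; the shared secret, the virtual telnet address 192.168.200.250 and the uauth timeout values are assumptions chosen for illustration. Interface access-lists and NAT for reaching the DMZ host are assumed to be in place already.

```cisco
! AAA server group and the RADIUS host, reached through the DMZ interface
aaa-server RADIUS_SERVER protocol radius
aaa-server RADIUS_SERVER (DMZ) host 192.168.1.1
 key Q7v9x2LmP4sT8wZc1RnB6kYd
 timeout 10
 authentication-port 1812
 accounting-port 1813
!
! Traffic that must be authenticated: RDP to the DMZ host
access-list remote_auth extended permit tcp any host 192.168.200.1 eq 3389
!
! RDP cannot carry a login prompt, so give users a Telnet target on the ASA
! whose only purpose is to authenticate them and create the uauth entry.
! 192.168.200.250 is an assumed unused address that is routed to the ASA.
virtual telnet 192.168.200.250
!
! Telnet to the virtual address is itself subject to authentication, which is
! what produces the prompt
access-list remote_auth extended permit tcp any host 192.168.200.250 eq 23
!
! Enforce authentication for all of the above as it enters the outside interface
aaa authentication match remote_auth outside RADIUS_SERVER
!
! Authenticated users are cached by source IP: absolute limit one hour,
! inactivity limit fifteen minutes (assumed values)
timeout uauth 1:00:00 absolute uauth 0:15:00 inactivity
!
! Proxy server exempt from authentication (exact MAC match)
mac-list EXEMPTION permit aaaa.bbbb.cccc ffff.ffff.ffff
aaa mac-exempt match EXEMPTION
```

The order of use is: the user telnets to 192.168.200.250, the ASA prompts for a username and password and checks them against RADIUS_SERVER, the Telnet session closes, and the user's RDP connection to 192.168.200.1 is then permitted until the uauth entry times out. The inactivity timer is deliberately shorter than the absolute timer so an idle host loses its entry before the hard limit.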