Security: Cisco ASA Cut-through proxy

The Cisco ASA authenticates a user who attempts to access an asset it protects: once the user has entered credentials, the ASA passes them to a TACACS+ or RADIUS server for verification. The ASA acts as the authenticator and the user as the supplicant; this is known as cut-through proxy.

An example scenario: a user could bypass the Web Application Firewall by using RDP to connect into the DMZ. To add an additional layer of authentication, any user who attempts to use RDP must authenticate first.

Create the AAA server profile.

aaa-server RADIUS_SERVER protocol radius
aaa-server RADIUS_SERVER (DMZ) host
timeout 300
key test-key
authentication-port 1812
accounting-port 1813

RADIUS_SERVER is the profile name; you can name it anything you like. In the line aaa-server RADIUS_SERVER (DMZ) host, the zone within the brackets is the interface on which the AAA server is located, and the host IP address is the address of the AAA server.

Create the access-list that matches the interesting traffic. TCP 3389 is the default RDP service port.

access-list remote_auth extended permit tcp any host eq 3389

Any RDP connection to that host will match this list.

Create the AAA authentication rule.

aaa authentication match remote_auth outside RADIUS_SERVER

This line authenticates users from the outside zone who attempt to use RDP.

You can create an exemption list so that MAC addresses in the list do not need to authenticate when they match.

One case is a proxy that should not be required to authenticate, because the user behind the proxy, not the proxy itself, is the one accessing the asset. Suppose the proxy server's MAC address is aaaa.bbbb.cccc.

mac-list EXEMPTION permit aaaa.bbbb.cccc ffff.ffff.ffff
aaa mac-exempt match EXEMPTION
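To make the decision logic of the steps above concrete, here is an added Python model (not Cisco code, and not part of the original post) that parses the page's configuration lines and answers, for a given flow, whether the cut-through proxy would demand authentication and against which server group. The addresses 10.0.0.10 (AAA server) and 10.0.0.20 (RDP host) are constructed placeholders for the IPs the post leaves out; the flow evaluation follows the order the post describes, MAC exemption first, then the aaa authentication match rule.

```python
"""Model of the ASA cut-through proxy rules from the post (added example, not Cisco code).
It parses the config, cross-checks references, and evaluates sample flows."""
import re
from dataclasses import dataclass, field

# The post's configuration; 10.0.0.10 and 10.0.0.20 are constructed placeholder IPs.
ASA_CONFIG = """
aaa-server RADIUS_SERVER protocol radius
aaa-server RADIUS_SERVER (DMZ) host 10.0.0.10
 timeout 300
 key test-key
 authentication-port 1812
 accounting-port 1813
access-list remote_auth extended permit tcp any host 10.0.0.20 eq 3389
aaa authentication match remote_auth outside RADIUS_SERVER
mac-list EXEMPTION permit aaaa.bbbb.cccc ffff.ffff.ffff
aaa mac-exempt match EXEMPTION
"""


@dataclass
class Policy:
    servers: set = field(default_factory=set)       # aaa-server group names
    acls: dict = field(default_factory=dict)        # name -> [(proto, dst_host, dst_port)]
    auth_rules: list = field(default_factory=list)  # [(acl, interface, server_group)]
    mac_lists: dict = field(default_factory=dict)   # name -> [(action, mac_int, mask_int)]
    exempt_lists: list = field(default_factory=list)  # mac-list names used by aaa mac-exempt


def mac_to_int(mac):
    """Convert Cisco dotted MAC notation (aaaa.bbbb.cccc) to an integer."""
    return int(mac.replace(".", ""), 16)


def parse_config(text):
    """Pick out only the statements this model needs; other lines are ignored."""
    p = Policy()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            p.servers.add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit (\S+) any host (\S+) eq (\d+)$", line):
            p.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), int(m.group(4))))
        elif m := re.match(r"aaa authentication match (\S+) (\S+) (\S+)$", line):
            p.auth_rules.append(m.groups())
        elif m := re.match(r"mac-list (\S+) (permit|deny) (\S+) (\S+)$", line):
            entry = (m.group(2), mac_to_int(m.group(3)), mac_to_int(m.group(4)))
            p.mac_lists.setdefault(m.group(1), []).append(entry)
        elif m := re.match(r"aaa mac-exempt match (\S+)$", line):
            p.exempt_lists.append(m.group(1))
    return p


def validate(p):
    """Every ACL, server group and mac-list that a rule references must be defined."""
    problems = []
    for acl, _iface, server in p.auth_rules:
        if acl not in p.acls:
            problems.append(f"acl {acl} missing")
        if server not in p.servers:
            problems.append(f"aaa-server {server} missing")
    for name in p.exempt_lists:
        if name not in p.mac_lists:
            problems.append(f"mac-list {name} missing")
    return problems


def mac_exempt(p, src_mac):
    """First matching mac-list entry decides: permit = exempt, deny = must authenticate."""
    for name in p.exempt_lists:
        for action, addr, mask in p.mac_lists.get(name, []):
            if (mac_to_int(src_mac) & mask) == (addr & mask):
                return action == "permit"
    return False


def requires_auth(p, iface, proto, dst_ip, dst_port, src_mac):
    """Return the server group that must authenticate this flow, or None if it passes."""
    if mac_exempt(p, src_mac):
        return None
    for acl, rule_iface, server in p.auth_rules:
        if rule_iface != iface:
            continue
        for a_proto, a_host, a_port in p.acls.get(acl, []):
            if (a_proto, a_host, a_port) == (proto, dst_ip, dst_port):
                return server
    return None


POLICY = parse_config(ASA_CONFIG)

if __name__ == "__main__":
    print("config problems:", validate(POLICY) or "none")
    # Constructed sample flows: an ordinary client and the exempted proxy.
    print(requires_auth(POLICY, "outside", "tcp", "10.0.0.20", 3389, "0011.2233.4455"))
    print(requires_auth(POLICY, "outside", "tcp", "10.0.0.20", 3389, "aaaa.bbbb.cccc"))
```

Running it shows the ordinary client's RDP flow returning RADIUS_SERVER while the proxy's MAC is exempted, and a flow arriving on a different interface or to a different port is untouched by the rule. A practical point the model makes visible: the MAC exemption can only apply where the ASA actually sees the client's source MAC, which requires the exempted host to sit on a directly attached segment.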
