Cut-Through Proxy (aka CTP) – Part One

What is this thing CTP? If you ever needed to allow somebody through the ASA to some resources based on their username/password combination, CTP is the right tool to use. Since version 8.3 or perhaps 8.4 there is a new cool feature called Identity Firewall. It allows you to permit/deny some traffic based on a user database located in, let’s say, Microsoft Active Directory. It took them (Cisco) quite some time! Other competitors (say Palo Alto) have had this feature long enough to make us ask why Cisco is so slow in some cases.

Let’s go back to CTP. It could be obsolete soon, but I need it for my CCIE Sec lab exam, and perhaps this article may be useful for some of you guys. So, the basic idea is this: you want to allow someone to access corporate resources, but he or she for some reason switches offices often and so keeps getting a different IP address. How do you solve this problem? Obviously you cannot allow all subnets to access these resources. Or do you want to answer calls and hear from the other side: “Hi this is me again. Now I’m doing some stuff in the HR. I need access to my server. Let me check… It’s now 192.168.11.123. Thank you, you are so sweet. I’ll get back to you in a couple of days. I’ll be with those guys from Marketing. Bye!” I bet you have something else to do! 🙂

CTP solves this by allowing some access only after the user has entered the correct username and password. This way, you don’t care which department the person from the phone conversation is in right now. They can move around as long as they know their username and password and both ASA and ACS are set up correctly. You can use the LOCAL database on the ASA alone, but using ACS scales better.

As far as I can remember, the ASA’s CTP can intercept Telnet, FTP, HTTP and HTTPS traffic passing through it. This means that you don’t need to connect to the ASA itself; you simply open one of these protocols to the resource you want, which is covered by the CTP config, and the ASA intercepts this connection and asks for credentials. After you enter the correct credentials, the ASA lets you through to the server you originally requested access to. Now, this server may or may not ask for its own authentication, but this is not our business, because we don’t (at least in this story) deal with servers 🙂

For example, take a look at this topology. TestPC is this infamous laptop that moves around and keeps getting different IP addresses. Let’s imagine this laptop needs Telnet and HTTP access to R1 and FTP and RDP access to the ACS server. R1 does not require any authentication for Telnet, but requires level 15 credentials for HTTP. Also, the ACS server needs FTP credentials to log in and a username and password for RDP. If we set up CTP as in our config, this is what could happen:

1. If the user makes a telnet connection to 10.0.0.1, he is presented with a username/password prompt, but from the ASA, because R1 does not require one. After successful authentication to the ASA, we receive R1’s prompt.
2. If the user makes an HTTP session to 10.0.0.1, she needs to authenticate to the ASA first and then to R1 as well. This is done separately in two dialog boxes. I kinda heard of doing this in just one window, but can’t remember the syntax at this time 😦
3. He wants to connect to the FTP server. The FTP server admin provided him with the spopf/passf pair for login. We provided him with the spopa/passa combination for the CTP process. Now he connects to 10.0.0.100 and at the username prompt types spopa@spopf, and for the password passa@passf. The ASA will use the text before the @ sign for the CTP credentials and the text after the @ for the FTP credentials. Something like this could be possible with HTTP.
4. In all three cases, the ASA can intercept the connection, do CTP authentication and pass the traffic on. But RDP and other protocols not in the Telnet, FTP, HTTP, HTTPS list are more fun 🙂
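As an added illustration of the credential split from item 3 (example code written for this post, not Cisco's or the ASA's own logic), here is a small routine that takes the FTP username and password exactly as the user types them and separates the CTP pair from the server pair. It assumes the split happens on the first @ and that a pair typed without any @ is meant for both hops; the post does not state how the ASA handles either of those corner cases, so treat both as assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SplitCredentials:
    """Result of splitting 'ctp@server' style FTP credentials."""
    ctp_user: str
    ctp_password: str
    server_user: str
    server_password: str


def split_ctp_credentials(username: str, password: str) -> SplitCredentials:
    """Split the username/password typed at the FTP prompt into two pairs.

    Text before the first '@' is the cut-through proxy (ASA/ACS) credential,
    text after it belongs to the FTP server itself.

    Assumptions of this example (not stated in the post):
      * the split is on the FIRST '@', so a server username that itself
        contains '@' (e-mail style logins) survives intact, while a CTP
        username must not contain '@';
      * a value with no '@' at all is used for both hops.
    """
    ctp_user, sep, server_user = username.partition("@")
    if not sep:
        server_user = ctp_user            # same username for ASA and server
    ctp_password, sep, server_password = password.partition("@")
    if not sep:
        server_password = ctp_password    # same password for ASA and server
    if not ctp_user or not ctp_password:
        raise ValueError("cut-through proxy username/password must not be empty")
    return SplitCredentials(ctp_user, ctp_password, server_user, server_password)


if __name__ == "__main__":
    # The pair from the post: spopa/passa for the ASA, spopf/passf for the FTP server.
    print(split_ctp_credentials("spopa@spopf", "passa@passf"))
```

Note that the CTP password is sent in clear text by FTP in any case, which is one reason to keep the CTP account separate from anything with more privilege than the proxied service needs.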

Read on!

At this time we have basic ASA1 and R1 configurations which provide basic connectivity. We test that we can do Telnet/HTTP to R1 and FTP/RDP to the ACS server. Now we are going to build the ASA1 config to meet our requirements.

First we need to define the AAA server:

ASA1(config)#
ASA1(config)# aaa-server ACS_RAD protocol radius
ASA1(config-aaa-server-group)# exit
ASA1(config)# aaa-server ACS_TAC protocol tacacs+
ASA1(config-aaa-server-group)# exit
ASA1(config)#
ASA1(config)# aaa-server ACS_RAD (outside) host 10.0.0.100 spop123
ASA1(config-aaa-server-host)# exit
ASA1(config)# aaa-server ACS_TAC (outside) host 10.0.0.100 spop123
ASA1(config-aaa-server-host)# exit
ASA1(config)#
ASA1(config)# test aaa authentication ACS_RAD host 10.0.0.100 username spopr password spopr
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
ASA1(config)#
ASA1(config)# test aaa authentication ACS_TAC host 10.0.0.100 username spopr password spopr
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
ASA1(config)#

So now we have defined our AAA server to use both RADIUS and TACACS+. We are only going to use RADIUS, but this could be nice practice, because we may need one or both in the future. We also set up ACS to know ASA1 as a client. Finally, we tested the access.

Now we set up CTP for telnet to R1:

ASA1(config)#
ASA1(config)# access-l CTP permit tcp any host 10.0.0.1 eq telnet
ASA1(config)#
ASA1(config)# aaa authentication match CTP inside ACS_RAD
ASA1(config)#

If we try to telnet to R1 (which is set up not to require credentials) we must provide the credentials defined on ACS. After a successful login, we are at the R1 prompt. On ASA1 we can verify the successful authentication:

ASA1(config)#
ASA1(config)# show uauth
                        Current   Most Seen
Authenticated Users       1         1
Authen In Progress        0         1
user 'spopr' at 1.1.1.2, authenticated (idle for 0:00:01)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ASA1(config)#

We can see that user “spopr” is authenticated and coming from 1.1.1.2.

THIS IS IMPORTANT: if access list CTP (which states which traffic must be authenticated by the ASA) lists some other traffic, for example RDP, that traffic WILL be allowed from this IP address (1.1.1.2) without a new prompt, because the authentication is tied to the source IP address and user “spopr” is already authenticated from it.

This is how the access list that meets our requirements looks:

ASA1(config)#
ASA1(config)# show run access-list
access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www
ASA1(config)#

There is another way to do CTP. This way does not use ACLs. Let’s go back to the config without CTP and set up our requirements the other way:

ASA1(config)#
ASA1(config)# show run aaa
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 ACS_RAD
aaa authentication include tcp/3389 inside 0.0.0.0 0.0.0.0 10.0.0.100 255.255.255.255 ACS_RAD
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 10.0.0.100 255.255.255.255 ACS_RAD
aaa authentication include http inside 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 ACS_RAD
ASA1(config)#

REMEMBER: if we successfully authenticate by connecting to, for example, the FTP server, we don’t need to authenticate again when we connect to the other listed services from the same authenticated IP address, 1.1.1.2 in this case.
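To make the two "IMPORTANT"/"REMEMBER" points concrete, here is an added model of the decision the ASA makes for each new connection (example code written for this post; it is a simplification, not Cisco code, and not how the ASA is implemented internally). It parses the four lines of access-list CTP shown above, keeps a uauth table keyed on source IP with the absolute timeout from the config (timeout uauth 0:05:00 absolute; the inactivity timeout of 0:00:00 is ignored here), and returns what happens to a connection: passed to normal policy because it does not match the ACL, allowed from the cached entry, challenged for credentials, or denied because the protocol is one the ASA cannot intercept. The user database is a constructed stand-in holding only the spopr test account from the post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Protocols the ASA can intercept and prompt on (from the post), by destination port.
INTERCEPTABLE = {23: "telnet", 21: "ftp", 80: "http", 443: "https"}
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "http": 80, "https": 443}

# Constructed stand-in for the ACS user database (the post's test account only).
AAA_USERS = {"spopr": "spopr"}

# The four ACEs of access-list CTP exactly as shown in the post.
ACL_CTP_TEXT = """\
access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www
"""


@dataclass(frozen=True)
class Ace:
    src: IPv4Network
    dst: IPv4Network
    port: int


def _address(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1]), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit tcp SRC DST eq PORT' lines only."""
    acl = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[2:5] != ["extended", "permit", "tcp"]:
            raise ValueError(f"unsupported ACE for this model: {line}")
        src, i = _address(tok, 5)
        dst, i = _address(tok, i)
        if tok[i] != "eq":
            raise ValueError(f"expected 'eq PORT': {line}")
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acl.append(Ace(src, dst, port))
    return acl


class UauthCache:
    """Model of the 'show uauth' table: one entry per source IP, absolute timeout."""

    def __init__(self, absolute_timeout=300):   # timeout uauth 0:05:00 absolute
        self.absolute_timeout = absolute_timeout
        self._entries = {}                       # source IP -> (user, authenticated_at)

    def add(self, src, user, now):
        self._entries[src] = (user, now)

    def lookup(self, src, now):
        entry = self._entries.get(src)
        if entry is None:
            return None
        user, authenticated_at = entry
        if now - authenticated_at >= self.absolute_timeout:
            del self._entries[src]               # entry expired, prompt again
            return None
        return user


def decide(acl, cache, src_ip, dst_ip, port, now, credentials=None):
    """Return the fate of one new TCP connection under cut-through proxy."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if not any(src in a.src and dst in a.dst and port == a.port for a in acl):
        return "not-subject-to-ctp"              # ordinary interface policy applies
    user = cache.lookup(src, now)
    if user is not None:
        return f"allow:{user}"                   # whole IP is trusted, no prompt at all
    if port not in INTERCEPTABLE:
        return "deny:cannot-challenge"           # e.g. RDP: nothing to prompt on
    if credentials is None:
        return "challenge"                       # ASA prompts for username/password
    user, password = credentials
    if AAA_USERS.get(user) == password:
        cache.add(src, user, now)
        return f"allow:{user}"
    return "deny:bad-credentials"


def walkthrough():
    """The sequence from the post: telnet first, then RDP from the same IP."""
    acl, cache = parse_acl(ACL_CTP_TEXT), UauthCache()
    return [
        decide(acl, cache, "1.1.1.2", "10.0.0.1", 23, now=0),                              # prompted
        decide(acl, cache, "1.1.1.2", "10.0.0.1", 23, now=0, credentials=("spopr", "spopr")),
        decide(acl, cache, "1.1.1.2", "10.0.0.100", 3389, now=10),   # RDP rides on the telnet login
        decide(acl, cache, "1.1.1.3", "10.0.0.100", 3389, now=10),   # RDP from a fresh IP: no prompt possible
        decide(acl, cache, "1.1.1.3", "10.0.0.1", 22, now=10),       # SSH is not in access-list CTP
        decide(acl, cache, "1.1.1.2", "10.0.0.100", 21, now=300),    # 5 minutes later: prompt again
    ]


if __name__ == "__main__":
    for result in walkthrough():
        print(result)
```

The third call is the whole point of the warning: once 1.1.1.2 has an entry, anything from that address matching the ACL is let through, so if that address is a NAT pool or a shared host, everyone behind it inherits spopr's authentication until the absolute timeout. The fourth call shows why RDP is "more fun": with no Telnet/FTP/HTTP(S) session to hook, the ASA has nothing to prompt on, which is the case Part Two's virtual telnet/http addresses.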

So now you have the idea how this CTP thing works. In part two we will deal with protocols that cannot be intercepted by ASA1, such as RDP. We will talk about “virtual telnet”, “virtual http” and “downloadable ACLs”.

Finally, the ASA1’s config:

!
hostname ASA1
domain-name popravak.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.0.0.12 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.com
access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www

pager lines 24
no logging message 402128
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!
aaa-server ACS_RAD protocol radius
aaa-server ACS_RAD (outside) host 10.0.0.100
key spop123
aaa-server ACS_TAC protocol tacacs+
aaa-server ACS_TAC (outside) host 10.0.0.100
key spop123
!
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 ACS_RAD
aaa authentication include http inside 0.0.0.0 0.0.0.0 10.0.0.1 255.255.255.255 ACS_RAD
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 10.0.0.100 255.255.255.255 ACS_RAD
aaa authentication include tcp/3389 inside 0.0.0.0 0.0.0.0 10.0.0.100 255.255.255.255 ACS_RAD
!

http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
end

See you next time!


One Response to Cut-Through Proxy (aka CTP) – Part One

  1. Pingback: Cut-Through Proxy (aka CTP) – Part Two | popravak
