Cut-Through Proxy (aka CTP) – Part Three

Finally, this is the last article on CTP. This one deals with Downloadable Access Control Lists, or DACLs. We continue to use the CTP topology and have these requirements:

– users from the inside network 1.1.1.0/24 should be denied access to the ACS server via the RDP and VNC remote access protocols
– inside users should have unrestricted access to everything else
– after successful authentication to the ACS server, users should gain access to the banned protocols
– users may use telnet or http to authenticate to the ASA

If you read the last two articles, this should be easy. First, we create the virtual addresses:

ASA1(config)#
ASA1(config)# virtual telnet 1.1.1.23
ASA1(config)#
ASA1(config)# virtual http 1.1.1.80
ASA1(config)#

Then, we create the interface ACL that blocks the specified remote access protocols and permits everything else:

access-list I_O extended deny tcp 1.1.1.0 255.255.255.0 host 10.0.0.100 eq 3389
access-list I_O extended deny tcp 1.1.1.0 255.255.255.0 host 10.0.0.100 eq 5900
access-list I_O extended permit ip any any

Now we should verify connectivity before going further. Upon successful verification, we construct the CTP ACL:

access-list CTP extended permit tcp any host 1.1.1.23 eq telnet
access-list CTP extended permit tcp any host 1.1.1.80 eq www
access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 5900

The first two lines are necessary for virtual telnet and http to work, and the last two lines are meant to trigger the CTP process for the requested protocols. Now we should activate the CTP process:

ASA1(config)#
ASA1(config)# aaa authentication match CTP inside ACS_RAD
ASA1(config)#

Finally, we attach the interface ACL to the appropriate interface, inside in this case:

ASA1(config)#
ASA1(config)# access-group I_O in interface inside per-user-override
ASA1(config)#

IMPORTANT: “per-user-override” is a must! It says that if there is a conflict between the interface ACL and the DACL, the DACL should win. Without this option, the whole thing does not work. Keep this in mind.

This was the ASA part. Now we need to create the DACL itself on the ACS server. Go to “Shared Profile Components”, then “Downloadable IP ACLs”, and create a DACL like this:

As you can see, the first two lines are used for virtual telnet and http. Without them, the DACL would still work, but the user would see an authorization error. The other two lines are downloaded to the ASA and applied for the user’s IP address. If you go back a bit, you will notice that the interface ACL blocks TCP/3389 and TCP/5900, but with “per-user-override”, the DACL wins over the interface ACL.
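An added example (not from the original post) that models in Python why “per-user-override” is needed, using the I_O ACL and the DACL entries shown on this page. The evaluation rule is an assumption based on Cisco's documented behaviour: without the keyword a session must be permitted by both the interface ACL and the user ACL, with it the user ACL alone decides. The names ace, acl_permits and allowed are illustrative, and the tcp/443 case is constructed.

```python
# Added illustration: simplified model of ASA interface ACL vs. downloadable ACL.
from ipaddress import ip_address, ip_network

def ace(action, src, dst, port=None):
    # One access-list entry; port=None matches any port ("ip any any").
    return (action, ip_network(src), ip_network(dst), port)

ANY = "0.0.0.0/0"
# Interface ACL I_O, as configured on this page.
I_O = [ace("deny", "1.1.1.0/24", "10.0.0.100/32", 3389),
       ace("deny", "1.1.1.0/24", "10.0.0.100/32", 5900),
       ace("permit", ANY, ANY)]
# DACL entries, as shown by "show access-list" on this page.
DACL = [ace("permit", ANY, "1.1.1.23/32", 23),
        ace("permit", ANY, "1.1.1.80/32", 80),
        ace("permit", ANY, ANY, 3389),
        ace("permit", ANY, ANY, 5900)]

def acl_permits(acl, src, dst, port):
    # First matching entry decides; no match means implicit deny.
    for action, s, d, p in acl:
        if ip_address(src) in s and ip_address(dst) in d and p in (None, port):
            return action == "permit"
    return False

def allowed(src, dst, port, dacl=None, per_user_override=False):
    # dacl=None models a user who has not authenticated yet.
    if dacl is None:
        return acl_permits(I_O, src, dst, port)
    if per_user_override:
        # Assumed rule: the user-specific ACL alone decides.
        return acl_permits(dacl, src, dst, port)
    # Assumed rule: both ACLs must permit the session.
    return acl_permits(I_O, src, dst, port) and acl_permits(dacl, src, dst, port)

if __name__ == "__main__":
    user, acs = "1.1.1.2", "10.0.0.100"   # addresses from this page
    for label, kw in [("before authentication", {}),
                      ("DACL, no per-user-override", {"dacl": DACL}),
                      ("DACL with per-user-override",
                       {"dacl": DACL, "per_user_override": True})]:
        for port in (3389, 5900, 443):    # 443 is a constructed extra case
            verdict = "permit" if allowed(user, acs, port, **kw) else "deny"
            print(f"{label:30} tcp/{port:<5} {verdict}")
```

Under this model the DACL's implicit deny also applies to the authenticated user, so traffic it does not list (tcp/443 here) is dropped once per-user-override is in effect. That is worth checking on the ASA against the "unrestricted access to everything else" requirement.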

We can now test the access by telnet-ing or http-ing to virtual addresses, authenticate and try RDP and VNC access…

We can also verify this by showing uauth:

ASA1(config)#
ASA1(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'spopr' at 1.1.1.2, authenticated (idle for 0:00:04)
   access-list #ACSACL#-IP-D_ACL1-4ed10321 (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ASA1(config)#

We can see that the DACL named #ACSACL#-IP-D_ACL1-4ed10321 is applied for this user. And this ACL is exactly what we specified on the RADIUS server:

ASA1(config)#
ASA1(config)# show access-l #ACSACL#-IP-D_ACL1-4ed10321
access-list #ACSACL#-IP-D_ACL1-4ed10321; 4 elements (dynamic)
access-list #ACSACL#-IP-D_ACL1-4ed10321 line 1 extended permit tcp any host 1.1.1.23 eq telnet (hitcnt=1)
access-list #ACSACL#-IP-D_ACL1-4ed10321 line 2 extended permit tcp any host 1.1.1.80 eq www (hitcnt=0)
access-list #ACSACL#-IP-D_ACL1-4ed10321 line 3 extended permit tcp any any eq 3389 (hitcnt=2)
access-list #ACSACL#-IP-D_ACL1-4ed10321 line 4 extended permit tcp any any eq 5900 (hitcnt=1)
ASA1(config)#

So folks, this concludes our CTP trip. Some things I did not mention that you should pay attention to:

– I did not find any examples of using virtual ssh or virtual https. Telnet and HTTP are poor choices for authentication!
– The only option for DACLs is RADIUS. We cannot use TACACS+!

I’m looking forward to my trip to Vienna next week and I’ll continue to blog after returning back.
