Cut-Through Proxy (aka CTP) – Part Two

In the previous article, I talked about authorizing a user who moves around from one IP address to another by means of CTP. We saw that the user’s traffic can be intercepted directly by the ASA as long as the user’s protocol is Telnet, FTP, or HTTP. But what if the ASA requires authorization for protocols not listed above?

One way is already described in chapter one: “if the access list CTP, which states what traffic must be authenticated by the ASA, lists some other traffic, for example RDP, that traffic WILL be allowed from this IP address, because user “spopr” is authenticated.”

Perhaps you should read chapter one again to make sure the sentence above is understood. It says that once we have authenticated to the ASA with a supported protocol listed in the CTP ACL (let’s say we successfully telneted to R1), we can use all the other protocols listed in the CTP ACL from the IP address we are currently using. So RDP is not intercepted directly, but we have this little trick: we telnet to R1, authenticate, and can then freely access the RDP server listed in the CTP ACL, but only from the IP address we used for the telnet session.

What’s the other way? The other way is in fact the regular one, not the trick from above. The ASA lets us assign it a virtual telnet or virtual http address and use one or both of these addresses for authentication purposes. We will build our config upon the config from the previous article. First, we establish the virtual telnet address:

ASA1(config)#
ASA1(config)# virtual telnet 1.1.1.23
ASA1(config)#

IMPORTANT: the CTP access list MUST include telnet access to this virtual address! This means that our present CTP ACL:

access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www

must become:

access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www
access-list CTP extended permit tcp any host 1.1.1.23 eq telnet

Only now can you telnet to this virtual telnet address and get authenticated, after which you may gain access to the RDP server.

If we are using the old-school method, then we need this line:

aaa authentication include telnet inside 0.0.0.0 0.0.0.0 1.1.1.23 255.255.255.255 ACS_RAD

Please note that you cannot ping this address or use it for anything else. Also, you don’t need to allow access to it via the “telnet 1.1.1.0 255.255.255.0 inside” command.

Instead of using virtual telnet, you may use virtual http:

ASA1(config)#
ASA1(config)# virtual http 1.1.1.80
ASA1(config)#

Now you access this address via a web browser, authenticate, and make the RDP connection to the ACS server. Everything said about virtual telnet access applies to virtual http.
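The rule from above (the CTP ACL must permit telnet to the virtual telnet address, and, by the same logic, www to the virtual http address) is easy to forget when the ACL is edited later, and the symptom is simply that nobody can authenticate. The following small checker, written for this article and not part of any Cisco tooling, reads ASA configuration text, collects the permitted host/port pairs of the named CTP ACL and the configured virtual addresses, and reports any virtual address the ACL does not cover. The sample configuration lines are constructed from the values used in this article (the ACL name CTP and the addresses 1.1.1.23 and 1.1.1.80); the parser is intentionally narrow and only understands the “access-list NAME extended permit tcp SRC host DST eq PORT” form shown here.

```python
import re

# Constructed sample: the article's CTP ACL before the virtual telnet line was
# added, together with the "virtual telnet" command.
CONFIG_BEFORE = """
access-list CTP extended permit tcp any host 10.0.0.1 eq telnet
access-list CTP extended permit tcp any host 10.0.0.100 eq 3389
access-list CTP extended permit tcp any host 10.0.0.100 eq ftp
access-list CTP extended permit tcp any host 10.0.0.1 eq www
virtual telnet 1.1.1.23
"""

# The same configuration after the required ACE for the virtual address.
CONFIG_AFTER = CONFIG_BEFORE + "access-list CTP extended permit tcp any host 1.1.1.23 eq telnet\n"

# Port keywords/numbers that satisfy each of the two virtual services.
# "virtual telnet" needs tcp/23, "virtual http" needs tcp/80.
SERVICE_PORTS = {
    "telnet": {"telnet", "23"},
    "http": {"www", "http", "80"},
}

# Only the ACE shape used in the article is parsed: permit tcp to a single
# host and a single port. Anything else is ignored rather than guessed at.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+tcp\s+"
    r"(?P<src>any4|any|host\s+\S+|\d[\d.]*\s+\d[\d.]*)\s+"
    r"host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+eq\s+(?P<port>\S+)\s*$"
)
VIRTUAL_RE = re.compile(
    r"^virtual\s+(?P<svc>telnet|http)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$"
)


def uncovered_virtual_addresses(config: str, acl_name: str = "CTP") -> list:
    """Return (service, ip) pairs for configured virtual addresses that the
    named CTP ACL does not permit. An empty list means every virtual
    address can actually be reached for authentication."""
    permitted = set()   # (dst_ip, port) pairs the ACL allows
    virtuals = []       # (service, ip) pairs from "virtual telnet/http"
    for raw in config.splitlines():
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace and ace.group("name") == acl_name:
            permitted.add((ace.group("dst"), ace.group("port")))
            continue
        virt = VIRTUAL_RE.match(line)
        if virt:
            virtuals.append((virt.group("svc"), virt.group("ip")))

    missing = []
    for svc, ip in virtuals:
        if not any((ip, port) in permitted for port in SERVICE_PORTS[svc]):
            missing.append((svc, ip))
    return missing


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        gaps = uncovered_virtual_addresses(cfg)
        if gaps:
            for svc, ip in gaps:
                print(f"{label}: virtual {svc} {ip} is NOT permitted by ACL CTP")
        else:
            print(f"{label}: every virtual address is covered by ACL CTP")
```

Run it against a saved “show running-config” and it will flag, for example, a virtual http address for which no “eq www” entry exists in the CTP ACL. It goes slightly beyond the article in that it checks both virtual services at once; it does not verify the interface or the server group, which the aaa authentication line, not the ACL, controls.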

Now you have it 🙂

Although I planned to talk about downloadable access control lists, or DACLs, in this chapter, I realized they would be better suited to a separate article. So stay with me!
