ASA 5510 cut-through proxy feature

[mdc1973]

hi

Just wondering if anyone has configured cut-through proxy on the ASA?

Got a couple of questions on it- first, if I use http for the auth, will the end user browse to the firewall first, authenticate, and then have access through? second, will I need to nat their IPs (ie do I have to create a nat pool for them) or can they keep their real IPs?

And finally, is it pretty easy to setup? it looks it, from what i can see from the book, but would be nice to hear it from someone who's done it.

Thanks.

 

[garnetbobcat]

The cut-through proxy on the ASA is pretty simple to configure, especially if you're just after authentication. Authorization with and ACS server is a bit more complicated, but it works fine. I blogged about the cut-through proxy a while back:

http://www.wr-mem.com/?p=35

To answer your question about HTTP, you can do it both ways. If your users are web browsing and you have cut-through configured to authenticate HTTP traffic then they should just encounter the login page on the ASA when they try to browse to cnn.com or wherever.

If your users are using another application that uses some other port, like TCP 159, and you want to authorize that traffic you can use a Virtual HTTP Server. In this case, the users connect to a virtual address on the ASA with HTTP, login and then send their TCP 159 traffic.

Note: Virtual Telnet is also available.

---

There is no need for a nat pool or any addressing scheme changes beyond what you have to do normally to pass traffic. Because it's a "cut-through" proxy, the addressing is not affected.

Matt
CCIE Security

http://www.wr-mem.com