Enable SSH access
firewall1(config)#crypto key generate rsa modulus 2048
firewall1(config)#username user password userpass privilege 15
firewall1(config)#ssh 0.0.0.0 0.0.0.0 inside
firewall1(config)#aaa authentication ssh console LOCAL
Enable ASDM
asdm image disk0:/asdm-752-153.bin
http 10.0.1.0 255.255.255.0 inside
username cisco password cisco privilege 15
Add enable password
Application L5-7 inspection
Forbid DELE command in FTP traffic
class-map type inspect ftp match-all ftpclass
match request-command dele
firewall1(config)#crypto key generate rsa modulus 2048
firewall1(config)#username user password userpass privilege 15
firewall1(config)#ssh 0.0.0.0 0.0.0.0 inside
firewall1(config)#aaa authentication ssh console LOCAL
Enable ASDM
asdm image disk0:/asdm-752-153.bin
http 10.0.1.0 255.255.255.0 inside
username cisco password cisco privilege 15
Add enable password
firewall1(config)#enable password strongpass
Adding AAA access rules
Adding AAA access rules
Before cut-through authentication rule is applied, standard ACL should be configured. For example, if you want to turn on authentication for http traffic, you should first allow http traffic
Cut-through proxy, direct HTTPS authentication example
I would like to describe this configuration relying on example. For instance, we need to allow SSH connections from inside network to Internet server only for authenticated users. Let's jump in :)
Suppose we have already added a user
172.20.1.1 - address of Internet server
172.16.16.100 - address of ASA inside interface
5555 - port on which ASA will listen for authentication
Add access list to allow ssh in general from inside network
access-list inside_access_in extended permit tcp any any eq 22 log disable
access-group inside_access_in in interface inside
Add access list for particular server
access-list ssh permit tcp any host 172.20.1.1 eq 22
access-list ssh permit tcp any host 172.16.16.100 eq 5555
access-group ssh in interface inside
Add aaa rules
aaa authentication match ssh inside LOCAL
aaa authentication listener https inside port 5555
After this configuration is done, user from the inside network have to go to:
https://172.16.16.100:5555/netaccess/connstatus.html
Enter his name and password, next he will have access to ssh service.
Cut-through proxy, direct HTTPS authentication example
I would like to describe this configuration relying on example. For instance, we need to allow SSH connections from inside network to Internet server only for authenticated users. Let's jump in :)
Suppose we have already added a user
172.20.1.1 - address of Internet server
172.16.16.100 - address of ASA inside interface
5555 - port on which ASA will listen for authentication
Add access list to allow ssh in general from inside network
access-list inside_access_in extended permit tcp any any eq 22 log disable
access-group inside_access_in in interface inside
Add access list for particular server
access-list ssh permit tcp any host 172.20.1.1 eq 22
access-list ssh permit tcp any host 172.16.16.100 eq 5555
access-group ssh in interface inside
Add aaa rules
aaa authentication match ssh inside LOCAL
aaa authentication listener https inside port 5555
After this configuration is done, user from the inside network have to go to:
https://172.16.16.100:5555/netaccess/connstatus.html
Enter his name and password, next he will have access to ssh service.
Application L5-7 inspection
Forbid DELE command in FTP traffic
class-map type inspect ftp match-all ftpclass
match request-command dele
policy-map type inspect ftp ftppolicy
class ftpclass
reset log
policy-map global-policy
class global-class
inspect ftp strict ftppolicy
service-policy global-policy global
Clear running config
clear config all
Clear startup config
write erase
Clear running config
clear config all
Clear startup config
write erase
