
Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 4) - Combining Classic IP Inspection (CBAC) and Auth-Proxy

2/21/2015 8:24:08 PM

Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy

As stated earlier, despite performing authorization, Auth-proxy is not inherently stateful. This behavior can be changed through interactions with technologies such as CBAC or ZFW. The current scenario dedicates some time to the study of CBAC and Auth-Proxy integration.

The purpose of ACL 199 (applied inbound on the OUTSIDE interface in Example 9) is simply to state clearly that no inbound connections are accepted statically. Dynamic openings for the return traffic are created as needed by the ip inspect rule called TCP1.

Example 10 details some important aspects of this particular environment:

  • Auth-Proxy happens first.

  • CBAC creates the temporary openings for return traffic. This happens for the protocols that are part of the authorization ACL provided by Auth-Proxy.

  • The user might need to Telnet again to the destination host after successful Auth-Proxy authentication and authorization. That is the motivation for configuring a customized ip admission auth-proxy-banner in this scenario.

Example 9. Adding CBAC to an Auth-Proxy Enabled Interface
! Defining an ACL for the OUTSIDE interface (f4.201) - no static permissions inbound
access-list 199 deny ip any any log
!
! Creating a CBAC Rule for TCP (this rule dynamically opens ACL 199 for return traffic)
ip inspect name TCP1 tcp audit-trail off
!
interface Vlan21
description *** INSIDE interface ***
ip address 172.21.21.1 255.255.255.0
ip access-group 100 in
ip admission ADMISSION1
ip inspect TCP1 in
!
interface FastEthernet4.201
description *** connection to ASA (DMZ) ***
encapsulation dot1Q 201
ip address 172.16.201.201 255.255.255.0
ip access-group 199 in
!
! Defining a banner for Auth-Proxy
ip admission auth-proxy-banner telnet ^C
*************************************************************************
INTERCEPTED BY IOS AUTH-PROXY FEATURE
AFTER AUTHENTICATION YOU MAY NEED TO RECONNECT TO DESTINATION HOST
*************************************************************************
^C


Example 10. Visualizing Auth-Proxy and CBAC Interactions
! User telnets to 172.16.201.2 and Auth-Proxy intercepts the connection

AUTH-PROXY creates info:
cliaddr - 172.21.21.101, cliport - 1092
seraddr - 172.16.201.2, serport - 23
ip-srcaddr 172.21.21.101
pak-srcaddr 0.0.0.0
!
! User enters credentials in the Firewall prompt and CBAC entry is created.

FIREWALL OBJ_CREATE: Pak 83B379A8 sis 84332968 initiator_addr (172.21.21.101:1092) responder_addr (172.16.201.2:23)
initiator_alt_addr (172.21.21.101:1092) responder_alt_addr (172.16.201.2:23)
FIREWALL OBJ-CREATE: sid 84862F6C acl 199 Prot: tcp
Src 172.16.201.2 Port [23:23]
Dst 172.21.21.101 Port [1092:1092]
FIREWALL OBJ_CREATE: create host entry 84652D64 addr 172.16.201.2 bucket 119 (vrf 0:0)
insp_cb 0x84C71B00
FIREWALL OBJ_DELETE: delete host entry 84652D64 addr 172.16.201.2
!

! User is authenticated and authorized as in previous examples

AUTH-PROXY: Allocate Unique_id C
[output suppressed]
RADIUS(0000000C): Send Access-Request to 172.21.21.250:1812 id 1645/10, len 104
RADIUS: Received from id 1645/10 172.21.21.250:1812, Access-Accept, len 124
!
! Displaying information about the authenticated user

DMZ# show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1092, timeout 60, Time Remaining 59, state ESTAB
!
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-DACL1-4aac618d
!
DMZ# show access-list xACSACLx-IP-DACL1-4aac618d
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
10 permit tcp any any eq www
20 permit icmp any any echo
!
! User was authenticated but no Telnet session to the end host has been created yet.
! User telnets again and traffic gets inspected by CBAC. No Auth-Proxy anymore.

FIREWALL* OBJ_CREATE: Pak 83D1D13C sis 843326A0 initiator_addr (172.21.21.101:1093) responder_addr (172.16.201.2:23)
initiator_alt_addr (172.21.21.101:1093) responder_alt_addr (172.16.201.2:23)
FIREWALL OBJ-CREATE: sid 84862F18 acl 199 Prot: tcp
Src 172.16.201.2 Port [23:23]
Dst 172.21.21.101 Port [1093:1093]
[output suppressed]
!
! Displaying the inspect sessions created by CBAC

DMZ# show ip inspect sessions
Established Sessions
Session 843326A0 (172.21.21.101:1093)=>(172.16.201.2:23) tcp SIS_OPEN
!
! The matches in ACL 199 are not directly visible. The following command is needed:
DMZ# show ip inspect sis detail
Established Sessions
Session 843326A0 (172.21.21.101:1093)=>(172.16.201.2:23) tcp SIS_OPEN
Created 00:07:43, Last heard 00:03:26
Bytes sent (initiator:responder) [129:8777]
Initiator->Responder Window size 65201 Scale factor 0
Responder->Initiator Window size 8192 Scale factor 0
In SID 172.16.201.2[23:23]=>172.21.21.101[1093:1093] on ACL 199 (274 matches)
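The sequence summarized in the bullets above (Auth-Proxy intercepts first, the client is authenticated and cached in state ESTAB, and only then does CBAC create inspect sessions for that client) is something a defender can check against collected debug and show output. The following Python correlator is an added example and not part of the original book text or of any Cisco tool: it parses the three line shapes seen in Example 10 (the "cliaddr" intercept line, the "Client Name ... state ESTAB" cache line and the "initiator_addr ... responder_addr" CBAC session line) and reports CBAC sessions whose initiator IP never appears as an established Auth-Proxy client. The sample lines are constructed from the values shown in Example 10 plus one invented host (172.21.21.102, placeholder Pak/sis ids) that has a CBAC session but no cache entry, which is the condition the audit is meant to surface. Field layouts are assumed from the page; real deployments should be validated against the IOS version in use.

```python
import re
from dataclasses import dataclass

# Regexes modelled on the IOS debug/show lines reproduced in Example 10.
AUTHPROXY_INTERCEPT = re.compile(r"cliaddr - (?P<ip>[\d.]+), cliport - (?P<port>\d+)")
AUTHPROXY_CACHE = re.compile(
    r"Client Name (?P<user>\S+), Client IP (?P<ip>[\d.]+), Port (?P<port>\d+),.*state (?P<state>\S+)"
)
CBAC_SESSION = re.compile(
    r"initiator_addr \((?P<src>[\d.]+):(?P<sport>\d+)\) responder_addr \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)


@dataclass(frozen=True)
class Session:
    """One CBAC inspect session as logged by FIREWALL OBJ_CREATE."""
    src: str
    sport: int
    dst: str
    dport: int


def parse(lines):
    """Split raw lines into intercepted client IPs, the auth-proxy cache and CBAC sessions."""
    intercepts, cache, sessions = set(), {}, []
    for line in lines:
        if m := AUTHPROXY_INTERCEPT.search(line):
            intercepts.add(m["ip"])
        elif m := AUTHPROXY_CACHE.search(line):
            cache[m["ip"]] = (m["user"], m["state"])
        elif m := CBAC_SESSION.search(line):
            sessions.append(Session(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return intercepts, cache, sessions


def audit(lines):
    """Correlate CBAC sessions with the Auth-Proxy cache.

    The check is snapshot based: a client counts as authenticated if it has an
    ESTAB cache entry anywhere in the input, so the first CBAC session of a
    client (the one the proxy itself answers, port 1092 in Example 10) is not
    flagged. Sessions from hosts that never reached ESTAB are reported.
    """
    intercepts, cache, sessions = parse(lines)
    authenticated = {ip for ip, (_, state) in cache.items() if state == "ESTAB"}
    return {
        "authenticated": authenticated,
        "sessions": sessions,
        # CBAC state exists but Auth-Proxy never established the client: worth a look.
        "unauthenticated": [s for s in sessions if s.src not in authenticated],
        # Intercepted by Auth-Proxy but never authenticated (abandoned or failed logins).
        "pending": sorted(intercepts - authenticated),
    }


# Constructed sample: values from Example 10 plus an invented host 172.21.21.102
# (placeholder Pak/sis ids) that has a CBAC session but no Auth-Proxy cache entry.
SAMPLE = """\
AUTH-PROXY creates info:
cliaddr - 172.21.21.101, cliport - 1092
seraddr - 172.16.201.2, serport - 23
FIREWALL OBJ_CREATE: Pak 83B379A8 sis 84332968 initiator_addr (172.21.21.101:1092) responder_addr (172.16.201.2:23)
RADIUS: Received from id 1645/10 172.21.21.250:1812, Access-Accept, len 124
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1092, timeout 60, Time Remaining 59, state ESTAB
FIREWALL* OBJ_CREATE: Pak 83D1D13C sis 843326A0 initiator_addr (172.21.21.101:1093) responder_addr (172.16.201.2:23)
FIREWALL OBJ_CREATE: Pak 00000000 sis 00000000 initiator_addr (172.21.21.102:2001) responder_addr (172.16.201.2:23)
""".splitlines()


if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"authenticated clients: {sorted(report['authenticated'])}")
    print(f"CBAC sessions seen:    {len(report['sessions'])}")
    for s in report["unauthenticated"]:
        print(f"WARNING: CBAC session without Auth-Proxy ESTAB entry: {s}")
    for ip in report["pending"]:
        print(f"NOTE: {ip} was intercepted but never authenticated")
```

Feeding it the concatenated output of `debug ip auth-proxy`, `debug ip inspect object-creation` and `show ip auth-proxy cache` from a lab router is enough to confirm that every inspected flow belongs to an authenticated client, which is the property this scenario relies on.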
