programming4us
programming4us
ENTERPRISE

Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 4) - Combining Classic IP Inspection (CBAC) and Auth-Proxy

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy

As stated earlier, despite performing authorization, Auth-proxy is not inherently stateful. This behavior can be changed through interactions with technologies such as CBAC or ZFW. The current scenario dedicates some time to the study of CBAC and Auth-Proxy integration.

The purpose of ACL 199 is just to state clearly that no inbound connections are accepted. Dynamic openings for the return traffic are created as needed by the ip inspect rule called TCP1.

Example  10 details some important aspects of this particular environment:

  • Auth-Proxy happens first.

  • CBAC creates the temporary openings for return traffic. This happens for the protocols that are part of the authorization ACL provided by Auth-Proxy.

  • The user might need to Telnet again to the destination host after successful Auth-Proxy authentication and authorization. That is the motivation for configuring a customized ip admission auth-proxy-banner in this scenario.

Example 9. Adding CBAC to an Auth-Proxy Enabled Interface
! Defining an ACL for the OUTSIDE interface (f4.201) - no static permissions inbound
access-list 199 deny ip any any log
!
! Creating a CBAC Rule for TCP (this rule dynamically opens ACL 199 for return traffic)
ip inspect name TCP1 tcp audit-trail off
!
interface Vlan21
 description *** INSIDE interface ***
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION1
 ip inspect TCP1 in
!
interface FastEthernet4.201
 description *** connection to ASA (DMZ) ***
 encapsulation dot1Q 201
 ip address 172.16.201.201 255.255.255.0
 ip access-group 199 in
!
! Defining a banner for Auth-Proxy

ip admission auth-proxy-banner telnet ^C
*************************************************************************
           INTERCEPTED BY IOS AUTH-PROXY FEATURE
   AFTER AUTHENTICATION YOU MAY NEED TO RECONNECT TO DESTINATION HOST
*************************************************************************
^C

Example 10. Visualizing Auth-Proxy and CBAC Interactions
! User telnets to 172.16.201.2 and Auth-Proxy intercepts the connection

AUTH-PROXY creates info:
         cliaddr - 172.21.21.101, cliport - 1092
         seraddr - 172.16.201.2, serport - 23
                 ip-srcaddr 172.21.21.101
                 pak-srcaddr 0.0.0.0
!
! User enters credentials in the Firewall prompt and CBAC entry is created.

FIREWALL OBJ_CREATE: Pak 83B379A8 sis 84332968 initiator_addr (172.21.21.101:1092)   responder_addr (172.16.201.2:23)
initiator_alt_addr (172.21.21.101:1092) responder_alt_addr (172.16.201.2:23)
FIREWALL OBJ-CREATE: sid 84862F6C acl 199 Prot: tcp
 Src 172.16.201.2 Port [23:23]
 Dst 172.21.21.101 Port [1092:1092]
FIREWALL OBJ_CREATE: create host entry 84652D64 addr 172.16.201.2 bucket 119 (vrf 0:0)
insp_cb 0x84C71B00
FIREWALL OBJ_DELETE: delete host entry 84652D64 addr 172.16.201.2
!

! User is authenticated and authorized as in previous examples

AUTH-PROXY: Allocate Unique_id C
[output suppressed]
RADIUS(0000000C): Send Access-Request to 172.21.21.250:1812 id 1645/10, len 104
RADIUS: Received from id 1645/10 172.21.21.250:1812, Access-Accept, len 124
!
! Displaying information about the authenticated user

DMZ# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.21.21.101, Port 1092, timeout 60, Time Remaining 59, state ESTAB
!
DMZ# show epm session ip 172.21.21.101
Admission feature       : Authproxy
AAA Policies            :
ACS ACL                 : xACSACLx-IP-DACL1-4aac618d
!
DMZ# show access-list xACSACLx-IP-DACL1-4aac618d
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
    10 permit tcp any any eq www
    20 permit icmp any any echo
!
! User was authenticated but no Telnet session to the end host has been created yet.
! User telnets again and traffic gets inspected by CBAC. No Auth-Proxy anymore.

FIREWALL* OBJ_CREATE: Pak 83D1D13C sis 843326A0 initiator_addr (172.21.21.101:1093) responder_addr (172.16.201.2:23)
initiator_alt_addr (172.21.21.101:1093) responder_alt_addr (172.16.201.2:23)
FIREWALL OBJ-CREATE: sid 84862F18 acl 199 Prot: tcp
 Src 172.16.201.2 Port [23:23]
 Dst 172.21.21.101 Port [1093:1093]
[output suppressed]
!
! Displaying the inspect sessions created by CBAC

DMZ# show ip inspect sessions
Established Sessions
Session 843326A0 (172.21.21.101:1093)=>(172.16.201.2:23) tcp SIS_OPEN
!
! The matches in ACL 199 are not directly visible. The following command is needed:
DMZ# show ip inspect sis detail
Established Sessions
Session 843326A0 (172.21.21.101:1093)=>(172.16.201.2:23) tcp SIS_OPEN
  Created 00:07:43, Last heard 00:03:26
  Bytes sent (initiator:responder) [129:8777]
   Initiator->Responder Window size 65201 Scale factor 0
   Responder->Initiator Window size 8192 Scale factor 0
  In  SID 172.16.201.2[23:23]=>172.21.21.101[1093:1093] on ACL 199  (274 matches)
Other  
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 6) - HTTP Listener
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 5) - Cut-Through Proxy with Downloadable ACLs
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 3) - Cut-Through Proxy with Downloadable ACEs
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 2) - Simple Cut-Through Proxy
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 1)
    •
  •  Identity on Cisco Firewalls : Selecting the Authentication Protocol
    •
  •  Commercial Backup Utilities : Ease of Recovery, Robustness, Automation, Volume Verification
    •
  •  Commercial Backup Utilities : Ease of Administration, Security
    •
  •  Commercial Backup Utilities : Support of a Standard or Custom Backup Format
    •
     
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us
    programming4us
     
    		 
    		programming4us