ASA Cut Through Proxy Redirect Issue.

millworxmillworx Member Posts: 290
Im going crazy trying to figure out what I missed. User logs in with anyconnect to the SSL gateway, when they type in an address in their browser it should redirect them to a login page on the cut through proxy asking for credentials. But it's not redirecting. I have to first type in the address of the proxy, then it prompts me. From there everything is fine. No auto-redirect though :\

Here's a sanitized config. and a little network diagram for your enjoyment. Anyconnect user comes in form outside vlan, and cut through proxy authenticates them before letting them in on inside VLAN. Anyone spot an error, it's just this auto-redirect I'm having issues with? I think my ACLS are right.
: Saved
:
ASA Version 8.4(1)
!
hostname xxxyyy
domain-name xxxyyy.com
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.0.0.195 255.255.255.240 standby 10.0.0.196
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.0.0.161 255.255.255.224 standby 10.0.0.162
!
boot system disk0:/asa841-k8.bin
dns domain-lookup inside
dns server-group DefaultDNS
name-server 1.1.1.1
name-server 2.2.2.2
domain-name xxxyyy.com
same-security-traffic permit intra-interface
object network virtual-ip
host 10.0.0.167
object-group network SSL_VPN_Devices
description ssl vpn devices
network-object host 10.0.0.165
object-group network OTP_Servers
description RADIUS servers
network-object host 10.0.85.177
object-group network TACACS_SERVERS
description TACACS servers
network-object host 10.0.85.177
access-list OUTSIDE extended permit tcp any host 10.0.0.167 eq www
access-list OUTSIDE extended permit tcp any host 10.0.0.167 eq https
access-list OUTSIDE extended permit udp any host 1.1.1.1 eq domain
access-list OUTSIDE extended permit udp any host 2.2.2.2 eq domain
access-list OUTSIDE extended permit tcp any host 10.0.0.161 eq www
access-list OUTSIDE extended permit tcp any host 10.0.0.161 eq https
access-list OUTSIDE extended permit udp object-group SSL_VPN_Devices object-group OTP_Servers eq radius
access-list OUTSIDE extended permit icmp any any log
access-list OUTSIDE extended permit ip object-group SSL_VPN_Devices any
access-list EMPLOYEE extended permit ip any any
access-list AP extended permit tcp 10.0.0.224 255.255.255.248 any
access-list PARTNER extended permit tcp any host 17.7.18.1 eq www
access-list PARTNER extended permit tcp any host 10.0.0.167 eq www
access-list PARTNER extended permit tcp any host 10.0.0.167 eq https
access-list PARTNER extended permit tcp any host 10.0.0.161 eq www
access-list PARTNER extended permit tcp any host 10.0.0.161 eq https
access-list PARTNER extended permit udp any host 1.1.1.1 eq domain
access-list PARTNER extended permit udp any host 2.2.2.2 eq domain
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any time-exceeded outside
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static virtual-ip virtual-ip
access-group OUTSIDE in interface outside per-user-override
!
route outside 10.0.0.224 255.255.255.248 10.0.0.165 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record PARTNER
description "PARTNER template gets limited resource access"
network-acl PARTNER
dynamic-access-policy-record DfltAccessPolicy
user-message "Unauthorized Access Not Allowed!!"
action terminate
dynamic-access-policy-record EMPLOYEE
description "Employee Template - Gets All Access"
network-acl EMPLOYEE
aaa-server OTP_SERVERS protocol radius
aaa-server OTP_SERVERS (inside) host 10.0.85.177
key *****
aaa authentication http console OTP_SERVERS
aaa authentication match AP outside OTP_SERVERS
aaa authentication secure-http-client
aaa authentication listener http outside port https redirect
aaa authentication listener https outside port https redirect
http server enable 444
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual http 10.0.0.167
auth-prompt prompt Login using your username and password.
auth-prompt accept Login Accepted!! You can close this Page. Remember to logout once you done with your work.
auth-prompt reject Login REJECTED!
service resetoutside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect dns
!
NetDiag.jpg
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide

Comments

  • shednikshednik Member Posts: 2,005
    So I'm looking at the config...I'm assuming this is the config for the proxy?

    On the SSL gateway do you have this in place?
    group-policy GroupPolicy-SSL-VPN attributes
            msie-proxy server value 10.0.0.195
            msie-proxy local-bypass disable
    

    I'm assuming you want all browsing traffic to be authenticated through the proxy? I haven't setup the cut-through proxy in almost 2 years but if that part is setup I'd be looking at the anyconnect profile. Can you post the config for that?


    joe
  • millworxmillworx Member Posts: 290
    Thanks Joe,

    I think I got it all figured out on my own. Although thanks for sharing that MSIE proxy config. Not really what I need, as that just forces the browser to use an internet based proxy, but could come in useful in the future. =]
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • justcalljustcall Registered Users Posts: 1 ■□□□□□□□□□
    Hi, I'm encountering the same issue, could you please let me know what you did to fix it?

    Thanks alot!

    millworx wrote: »
    Thanks Joe,

    I think I got it all figured out on my own. Although thanks for sharing that MSIE proxy config. Not really what I need, as that just forces the browser to use an internet based proxy, but could come in useful in the future. =]
  • dtlokeedtlokee Member Posts: 2,381
    I'm not sure exactally what you are trying to do but if the goal is to force the packets inside through the transparent proxy you could use a tunnel default gateway to accomplish this.
    The only easy day was yesterday!
Sign In or Register to comment.