
We recently upgraded from a Watchguard X5500e Peak firewall appliance to a Cisco 5500 ASA with the CSC module. The ASA is running the 8.2 software and the CSC is on the 6.3.1172 software. We've finally gotten everything stabilized after a few weeks of pulling hairs and gnashing of teeth and now it's down to trying to set up a few items that were lower on the priority list.

With the Watchguard we were able to go with the browser to an internal webpage and authenticate against the firewall to allow us to bypass the filters. Useful when a classroom here needs access to streaming media or an executive needs us to download a video. I'm trying to set up something similar, but I'm fairly inexperienced with Cisco devices like this ASA, so I'm not sure if it's treated as a VPN connection or some kind of ACL. Ideally we would want to set up more than one to limit exposure rather than one that's wide open when used.

I did a search and couldn't find anything related to this in the other questions asked here, and I have had no luck googling it either.

Shial

1 Answer

What you are looking for is AAA (Authentication, Authorization and Accounting). From the Cisco support site:

"AAA enables the security appliance to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting). AAA provides an extra level of protection and control for user access than using ACLs alone. For example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server and you might not always know IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to make it through the security appliance. (The Telnet server enforces authentication, too; the security appliance prevents unauthorized users from attempting to access the server.) You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization. This section includes the following topics:

• About Authentication
• About Authorization
• About Accounting"

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/aaa.html

But as far as I know you will need to set up a "Cisco Secure Access Control Server". I think you would be better off if you use a web filtering solution (Websense and the like). You could also set up a Squid server, integrated with LDAP, and set ACLs based on the authenticated user.

Hugo Garcia
  • Very interesting, going to dig around through the information and see if it fits what we need and how to make it work. – Shial Nov 12 '10 at 19:32
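As an added configuration example (not from the question, the answer, or Cisco's documentation), this is the cut-through proxy form of AAA the answer points to, written for ASA 8.2 with the local user database: users browse to the ASA's login listener first, and only then does traffic from their IP that matches the authentication ACL pass. The ACL name, usernames, ports and the 10.1.0.0/16 inside network are assumptions; per-user authorization (which needs a RADIUS/TACACS+ server such as ACS, as the answer notes) is not shown.

```cisco
! Constructed example for ASA 8.2, LOCAL user database. Assumed names:
! AUTH_MATCH, classroom1, exec-video, inside network 10.1.0.0/16.

! 1. One account per use case, so one leaked password exposes one role,
!    and privilege 0 so the account cannot log in to the ASA itself.
username classroom1 password <SET-ME> privilege 0
username exec-video password <SET-ME> privilege 0

! 2. Only the traffic that should require a login is matched here;
!    everything else stays under the normal interface ACLs and the
!    CSC module policy. The interface ACL must still permit this
!    traffic: authentication gates it, it does not override a deny.
access-list AUTH_MATCH extended permit tcp 10.1.0.0 255.255.0.0 any eq 1935
access-list AUTH_MATCH extended permit tcp 10.1.0.0 255.255.0.0 any eq 554

! 3. Require a login for matched traffic arriving on the inside
!    interface. Non-HTTP traffic from an unauthenticated host is
!    dropped until the user has authenticated through the listener.
aaa authentication match AUTH_MATCH inside LOCAL

! 4. Login page on the ASA, reachable directly at
!    https://<inside-interface-ip>:8443 (the "internal webpage" the
!    question describes). HTTPS so the password is not sent in clear.
aaa authentication listener https inside port 8443 redirect
aaa authentication secure-http-client

! 5. Bound the exposure window: a session expires 30 minutes after
!    login regardless of activity and after 10 minutes idle. Sessions
!    are keyed by source IP, so everyone behind a shared classroom
!    machine or NAT address is covered until the timeout hits.
timeout uauth 0:30:00 absolute uauth 0:10:00 inactivity

! 6. Throttle password guessing against the local accounts.
aaa local authentication attempts max-fail 5
```

Check the result with `show uauth`, which lists which source IPs are currently authenticated and how long their sessions have left.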