How ASA Works
2
3
4
6 5
1
Overview of the Cisco Security Appliance 43
Cut-Through Proxy
The cut-through proxy feature on a Cisco Security Appliance provides significantly better
performance than application proxy firewalls because it completes user authentication at the
application layer, verifies authorization against the security policy, and then opens the
connection as authorized by the security policy. Subsequent traffic for this connection is no
longer handled at the application layer but is statefully inspected, providing significant
performance benefits over proxy-based firewalls.
Figure 3-2 depicts the mechanics of cut-through proxy and the four steps that take place
prior to the activation of the ASA. The following numbered list explains the steps indicated
in the figure:
Step 1 Initiates an FTP, HTTP, or Telnet connection to the internal web server.
Step 2 The Cisco Security Appliance replies with a user logon and the user completes
the logon.
Step 3 The Cisco Security Appliance uses TACACS+ or RADIUS to communicate the
user account information to the authentication, authorization, and accounting
(AAA) server, where it is authenticated.
Step 4 The connection to the web server is opened at the network layer, the session
information is written to the connections table, and the ASA process begins.