I am using a Firewall IOS box 12.4 AdvancedIPServices. My design is as follows. I have 4 security zones in the firewall, and each zone has its own subnet. I want to create a policy/rule that allows port 3389 (RDP) to cross between a trust and untrust zone, and I want the user to have to authenticate to the tacacs+ or local database before it allows this connection to be made. I will have them go to a HTTP page to auth 1st. I am able to turn authentication on per interface, but I do not want all traffic leaving that zone to have to authenticate, just traffic I specify in my policy needs to authenticate. Is there a way to do this with Firewall IOS? If so can someone give me a config example?