07-31-2006 12:46 AM - edited 03-10-2019 02:41 PM
Hello,
Please, I would like to manage my Internet routers using TACACS+. However, this has not been possible because a firewall blocks the traffic. Can anybody advise me on how to achieve this?
Iso
07-31-2006 06:44 AM
Hi,
First, you need to allow the router and the ACS to reach each other.
Configure your Internet router with the appropriate AAA configuration as desired. Refer to the example below:
Example:
Router FastEthernet: xx.xx.xx.5/24
Firewall Outside IP: xx.xx.xx.6/24
Firewall Inside IP: 172.16.1.1/24
Internal ACS: 172.16.1.50
Router:
aaa new-model
aaa authentication login TELNET group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host xx.xx.xx.10 timeout 10 key secretkey
! The named lists above are only used once they are applied to the lines
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication TELNET
Firewall:
1. Map the internal ACS to a public IP, or use port redirection if you don't have enough public (outside) IPs to use.
static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255
For security reasons, you can limit sessions to TACACS+ from the router by adding numbers like "10 5" after the netmask, e.g.
static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255 10 5
10 = half-open sessions (embryonic limit)
5 = max connections to the ACS (through the TACACS+ port)
2. Create an ACL on the outside interface to allow the router's FastEthernet interface IP to reach the internal ACS via the xx.xx.xx.10 IP on the TACACS+ port. Bind the ACL to the outside interface.
Also, for testing purposes, enable ping/ICMP from the router to the ACS. This can be disabled later as desired.
access-list outside permit tcp host xx.xx.xx.5 host xx.xx.xx.10 eq tacacs
access-list outside permit icmp host xx.xx.xx.5 host xx.xx.xx.10
access-group outside in interface outside
3. Add the router's FastEthernet IP as an AAA client on the ACS. Refer to the following config guide:
Make sure you select TACACS+ as the authentication protocol and use the same key as configured on the router.
Rgds,
AK
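The answer above hinges on two things the firewall cannot fix for you: the shared key on the router (`key secretkey`) must be the one entered for the AAA client on the ACS, and TACACS+ must not be run with its unencrypted flag across the Internet. The following is an added example, not code from the thread or from Cisco: it builds a TACACS+ authentication START packet exactly as RFC 8907 describes (the body is XORed with an MD5 keystream derived from the session id, the shared key, the version byte and the sequence number), then parses it the way the server would, once with the matching key and once with a wrong one. The session id, username, port name, address and the "wrongkey" value are constructed sample values.

```python
"""TACACS+ (RFC 8907) START packet build/parse with shared-key obfuscation.

Added example, not the thread's own code. Demonstrates why the router's
`tacacs-server ... key` and the ACS AAA-client key must match, and what the
TAC_PLUS_UNENCRYPTED_FLAG does to credentials on the wire.
"""
import hashlib
import struct
from typing import Optional

TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major 0xC, minor 0 -> 0xC0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # body sent in the clear when set
HEADER_FMT = "!BBBBII"                   # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login. The data field is empty
    here; for ASCII logins the password travels in a later CONTINUE packet."""
    action, authen_type, service = 0x01, 0x01, 0x01   # LOGIN, ASCII, SVC_LOGIN
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 unencrypted: bool = False) -> bytes:
    """Prepend the 12-byte header; obfuscate the body unless the clear flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, flags, session_id, len(body))
    if unencrypted:
        return header + body
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server-side parse. Raises ValueError when the body does not decode to a
    consistent START, which is what a wrong shared key looks like on the wire."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        raise ValueError("bad packet type or length")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != length or action not in (1, 2, 3) or not 1 <= authen_type <= 6:
        raise ValueError("body inconsistent: wrong shared key or corrupt packet")
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    u, p, r, d = fields
    return {"session_id": session_id, "seq_no": seq_no, "cleartext": cleartext,
            "priv_lvl": priv_lvl, "user": u.decode(errors="replace"),
            "port": p.decode(errors="replace"), "rem_addr": r.decode(errors="replace"), "data": d}


def try_parse(packet: bytes, key: bytes) -> Optional[dict]:
    """Return the parsed START, or None when the key does not fit."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None


# Constructed sample values; a real client picks a random session id per session.
SESSION_ID = 0x1A2B3C4D
ROUTER_KEY = b"secretkey"      # the thread's `tacacs-server host ... key secretkey`
SAMPLE_BODY = build_authen_start("admin", "tty0", "xx.xx.xx.5")

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY, ROUTER_KEY, SESSION_ID)
    print("ACS with matching key:", try_parse(pkt, ROUTER_KEY))
    print("ACS with wrong key:   ", try_parse(pkt, b"wrongkey"))
    clear = build_packet(SAMPLE_BODY, ROUTER_KEY, SESSION_ID, unencrypted=True)
    print("username readable on the wire with the unencrypted flag:", b"admin" in clear)
```

Two things to take from running it: with a key mismatch the ACS does not get a "bad password", it gets a body whose length fields no longer add up, which is why a wrong key shows up as a generic authentication failure on the router and a malformed-packet error on the server; and the MD5 XOR scheme is obfuscation keyed only by the shared secret, so the firewall ACL that restricts TCP/49 to the router's address, as in the answer above, is doing real work and the unencrypted flag must never be enabled on a path that crosses the Internet.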
08-01-2006 03:10 AM
Thanks AK, Will try and get back to you.
Iso