managing routers after a firewall using aaa

Hello,

Please, I would like to manage my Internet routers using TACACS. However, this has not been possible because a firewall blocks the traffic. Can anybody advise me on how to achieve this?

Iso

2 REPLIES

Re: managing routers after a firewall using aaa

Hi,

First, you need to allow the router and the ACS to reach each other.

Configure your Internet router with the appropriate AAA configuration as desired. Refer to the example below:

Example:

Router FastEthernet: xx.xx.xx.5/24
Firewall Outside IP: xx.xx.xx.6/24
Firewall Inside IP: 172.16.1.1/24
Internal ACS: 172.16.1.50

Router:

aaa new-model
! VTY logins try TACACS+ first and fall back to the local database only if
! no TACACS+ server answers; the console stays local.
aaa authentication login TELNET group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
! The ACS is reached through its public (NAT'd) address on the firewall.
tacacs-server host xx.xx.xx.10 timeout 10 key secretkey
! Bind the named lists; without this the TELNET and CONSOLE lists are never used.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication TELNET

Firewall:

1. Map the internal ACS to a public IP, or use port redirection if you don't have enough public (outside) IPs to use.

static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255

For security reasons, you can limit sessions to TACACS+ from the router by adding numbers such as "10 5" after the netmask, e.g.

static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255 10 5

10 = half-open sessions (embryonic level)

5 = max connections to ACS (through the TACACS+ port)

2. Create an ACL on the outside interface to allow the router's FastEthernet interface IP to reach the internal ACS via the xx.xx.xx.10 IP on the TACACS+ port. Bind the ACL to the outside interface.

Also, for testing purposes, enable ping/ICMP from the router to the ACS. This can be disabled later as desired.

! TACACS+ (TCP/49) from the router's outside address to the ACS's public address only
access-list outside permit tcp host xx.xx.xx.5 host xx.xx.xx.10 eq tacacs
! ICMP for testing; an ICMP type (e.g. echo-reply) may optionally follow the hosts
access-list outside permit icmp host xx.xx.xx.5 host xx.xx.xx.10
access-group outside in interface outside

3. Add the router's FastEthernet IP as an AAA client in ACS. Refer to the following config guide:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142571

Make sure you select TACACS+ as the authentication protocol and use the same key as configured on the router.

Rgds,

AK
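An offline way to check that a firewall policy in the form of the reply above actually admits the TACACS+ flow, as an added example that is not from the original posts or from Cisco: the Python below parses `static` and `access-list` lines in the syntax shown, maps the public ACS address back to its inside address, and evaluates the router-to-ACS flow on TCP/49 with the PIX's first-match, implicit-deny semantics. The `203.0.113.x` addresses stand in for the post's `xx.xx.xx` placeholders and are constructed for this example, as are the `PORT_NAMES` table and the `check_tacacs_path` helper. The two optional numbers after the netmask are read in the order the PIX `static` command reference lists them (max_conns, then emb_limit).

```python
"""Offline check of a PIX-style static NAT + outside ACL for the TACACS+ path.

Example code added to this thread; not from the original posts or from Cisco.
The 203.0.113.x addresses replace the post's xx.xx.xx placeholders and are
constructed for this example (RFC 5737 documentation range).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TACACS_PORT = 49
# Subset of the service names the PIX accepts after 'eq' (constructed table).
PORT_NAMES = {"tacacs": 49, "ssh": 22, "telnet": 23, "www": 80, "https": 443}

# Constructed sample policy, following the lines in the reply above.
ROUTER_IP = "203.0.113.5"       # router FastEthernet (outside) address
ACS_REAL_IP = "172.16.1.50"     # internal ACS
STATIC_LINE = ("static (inside,outside) 203.0.113.10 172.16.1.50 "
               "netmask 255.255.255.255 10 5")
ACL_LINES = [
    "access-list outside permit tcp host 203.0.113.5 host 203.0.113.10 eq tacacs",
    "access-list outside permit icmp host 203.0.113.5 host 203.0.113.10",
]


@dataclass
class Static:
    mapped_ip: str            # public (outside) address
    real_ip: str              # inside address it translates to
    max_conns: Optional[int]  # first optional number after the netmask
    emb_limit: Optional[int]  # second optional number (half-open limit)


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]      # None = any port (or a port-less protocol)


STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+(?: (\d+))?(?: (\d+))?")
ACE_RE = re.compile(
    r"access-list (\S+) (permit|deny) (\w+) host (\S+) host (\S+)(?: eq (\S+))?")


def parse_static(line: str) -> Static:
    m = STATIC_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported static line: {line!r}")
    _real_ifc, _mapped_ifc, mapped, real, maxc, emb = m.groups()
    return Static(mapped, real,
                  int(maxc) if maxc else None,
                  int(emb) if emb else None)


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Return (acl_name, entry) for a host-to-host ACE."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported access-list line: {line!r}")
    name, action, proto, src, dst, port = m.groups()
    dport = None
    if port is not None:
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return name, Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> bool:
    """First matching entry wins; anything unmatched is denied (implicit deny)."""
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if ace.src != src or ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def check_tacacs_path(router_ip: str, acs_real_ip: str,
                      static_line: str, acl_lines: List[str]) -> Tuple[bool, str]:
    """Verify that router -> NAT'd ACS on TCP/49 is both translated and permitted."""
    st = parse_static(static_line)
    if st.real_ip != acs_real_ip:
        return False, f"static maps {st.real_ip}, not the ACS {acs_real_ip}"
    acl = [parse_ace(l)[1] for l in acl_lines]
    if not evaluate(acl, "tcp", router_ip, st.mapped_ip, TACACS_PORT):
        return False, (f"outside ACL does not permit {router_ip} -> "
                       f"{st.mapped_ip} tcp/{TACACS_PORT}")
    return True, st.mapped_ip


if __name__ == "__main__":
    print(check_tacacs_path(ROUTER_IP, ACS_REAL_IP, STATIC_LINE, ACL_LINES))
```

Run it against your own exported `static` and `access-list` lines (host-to-host form) to confirm the TACACS+ path before touching the router, and note that only the router's own outside address is permitted: if the router sources TACACS+ packets from a different interface, `evaluate` returns False, which is exactly the drop the firewall would apply.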

New Member

Re: managing routers after a firewall using aaa

Thanks AK, will try and get back to you.

Iso
