
PIX 501 and ACS

We have a stub network that we want to install behind a PIX 501. We would like to require any inbound traffic coming from that subnet to be authenticated against our Cisco ACS server. Is this possible? How do I do it?

Stub-a --- Stub RTR --- Pix501 -- RTR -- Intranet

Traffic going from the stub must authenticate against ACS.


Re: PIX 501 and ACS

What you want is called Cut-Through-Proxy:

pix(config)#aaa-server ACSSERVER protocol tacacs+

pix(config)#aaa-server ACSSERVER (inside) host

pix(config)#aaa authentication include any inside 0 0 0 0 ACSSERVER

This will force all connections leaving the PIX to be authenticated against the ACS server. Instead of "any" you can put http, ftp, etc.

You can also use aaa authorization on the PIX.

You'll still need to configure the ACS server...


Re: PIX 501 and ACS

This looks good, but what if I want any traffic coming from the outside to inside to be authenticated against the ACS server?
