Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How to Use PIX Access Lists instead of 'aaa authentication...'

In my last message about "PIX intermittently stops AAA with CiscoSecure ACS/NT", I was asked if I was using the older 'aaa authentication include...' command to invoke CiscoSecure ACS / TACACS services on my PIX 520 with OS 6.1(1). That raised a big question I have...

I *am* using the older 'aaa authentication include...', but I would certainly love to switch to access lists. Is there a document detailing how to use access lists on the PIX? The ones I've seen are pretty short, and not very descript. I've wanted to migrate from conduits and static NAT mappings (I am using PAT for normal traffic, static NATs for smtp gateway & other special services) to access lists instead, but I haven't been able to spend enough time to figure it out on my own.

So, hopefully someone can help me...

I am using some standard STATIC and CONDUIT statements to give access to an SMTP gateway, for example:

<<<< Begin Snippet >>>>

static (inside,outside) 32.32.32.32 10.10.10.12 netmask 255.255.255.255 0 0

conduit permit tcp host 32.32.32.32 eq smtp any

<<<< End Snippet >>>>

Here's a snippet of the types of AAA commands I am using. I am using 6 AAA commands to turn on Authorization and Accounting on a subnet. I couldn't use "AAA AUTHENTICATION ANY", because I had problems going to HTTPS sites. Also, since we have alot of subnets that aren't contiguous, I have a *ton* of these dog-gone commands. I'd love to consolidate all of this....

<<<< Begin Snippet >>>>

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server outgoing protocol tacacs+

aaa-server outgoing (inside) host 10.10.10.11 <STRING> timeout 10

aaa-server outgoing (inside) host 10.9.9.11 <STRING> timeout 15

aaa authentication http console outgoing

!---This is for 10.1.0.x thru 10.1.15.x---

aaa authentication http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authentication ftp outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authentication telnet outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization ftp outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization telnet outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

!---10.1.16.x thru 10.1.95.x are not administered with AAA---

!---This is for 10.1.96.x thru 10.1.111.x---

aaa authentication http outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authentication ftp outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authentication telnet outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization http outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization ftp outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

aaa authorization telnet outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing

<<<< End Snippet >>>>

If you guys know how to do the same thing with access lists, I'd ***LOVE*** to hear from you. It would be most handy if Cisco had a really detailed document on that. Perhaps they do and I don't know it!

3 REPLIES
New Member

Re: How to Use PIX Access Lists instead of 'aaa authentication..

Cisco's document isn't terribly detailed, but http://www.cisco.com/warp/public/110/atp52.html#pix_auth is where it's located. Basically, you write an access list defining what traffic should be authorized, and then reference that ACL with the 'aaa authorization match [acl#] inside [server_name]' command. I believe this command structure works for authentication and accounting as well.

As far as traffic filtering goes, using an access list to permit inbound traffic gives you granular control in the sense that you can apply the ACL to a particular interface, but I still prefer conduits because you can modify one line at a time.

New Member

Re: How to Use PIX Access Lists instead of 'aaa authentication..

That's the one I found before. I was really hoping someone out there may be able to provide a sample of what they've done, and perhaps give some new ideas on how they go about using the ACLs.

I would like it alot if Cisco could write up a detailed chapter in the PIX Configuration Guide. Seems the subject alone can be gone into in great depth. Cisco told us to leave Conduits, but they didn't spend too much time documenting how to get away from them...

Jim

New Member

Re: How to Use PIX Access Lists instead of 'aaa authentication..

this is how i'd get rid of conduit. something like that.

access-list outside_access_in permit tcp host 32.32.32.32 eq smtp host 10.10.10.12

static (inside,outside) 32.32.32.32 10.10.10.12 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

I don't know if this is what u r looking for in terms of ACL for AAA... hey take a look...can't hurt too much. i hope not.

access-list inside_authentication_RADIUS permit http 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0

access-list inside_authentication_RADIUS permit ftp 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0

access-list inside_authentication_RADIUS permit telnet 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0

.

.

.

etc

aaa-server RADIUS (inside) host x.x.x.x 0 "password" timeout 5

aaa authentication match inside_authentication_RADIUS inside RADIUS

aaa authorization match inside_authentication_RADIUS inside RADIUS

hope this helps,

Tim

232
Views
0
Helpful
3
Replies