We have a switch that's outside the PIX. All internal switches are configured for tacacs+ using ACS 2.6 for NT. I need to lock down this switch although I'm unsure as to what would be the best method. Do I configure tacacs+ on the switch to authenticate through the PIX? Should I configure local AAA? Both?
What about telnetting into the box, or HTTP access for that matter? Wouldn't the logon credentials be sent over in clear text? I suppose I could set up a box to SSH into and then telnet from there...
Wouldn't it make good sense for the outside switch to be managed with an IP address in your management subnet? This will eliminate some of your concerns. An SSH server may or may not be available for your switch, but if it is, then that would give you much better security than TACACS.
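As an added illustration of the approach discussed in the thread (not configuration posted by either participant), the following Cisco IOS fragment puts a management interface in a dedicated management subnet, authenticates logins against the TACACS+ server with a local account as fallback for when the server is unreachable, allows only SSH on the VTY lines, restricts those lines to the management subnet, and turns off clear-text HTTP management. The hostname, domain name, VLAN number, addresses, ACL name and the two placeholder secrets are assumed values for the example; whether `crypto key generate rsa` and `ip ssh` are accepted depends on the switch's IOS image, which is the availability question raised in the reply. The TACACS+ server syntax shown is the older `tacacs-server host` form contemporary with ACS 2.6 for NT.

```cisco
! Hostname and domain name must exist before RSA keys can be generated for SSH
hostname OUTSIDE-SW
ip domain-name mgmt.example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! AAA: try the TACACS+ server (ACS) first, fall back to the local account
! only if the server cannot be reached. Replace the placeholders before use.
aaa new-model
username admin privilege 15 secret REPLACE_WITH_LOCAL_SECRET
tacacs-server host 10.99.0.5 key REPLACE_WITH_TACACS_KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Management interface lives in the management subnet (assumed VLAN 99)
interface Vlan99
 description Management only
 ip address 10.99.0.20 255.255.255.0
!
! Only hosts in the management subnet may open a VTY session; log the rest
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny any log
!
! SSH only on the VTY lines: telnet is refused, so credentials never cross in clear text
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login authentication default
!
! Disable the clear-text web interface mentioned in the question
no ip http server
```

If the image has no SSH support at all, the `transport input ssh` line leaves the VTYs unusable; in that case `transport input none` plus console-only management, or the jump host the question suggests (SSH to the jump host, telnet from there over the management subnet only), keeps the clear-text hop off untrusted networks.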