We want to use SecureID (through TACACS+) login for all our administrators for logging in to the routers. But we also want to use CW2000 for using NetConfig and archiving configurations. CW2000 uses SNMP and Telnet access. Because of that, SNMP and user/password info must be configured in CW. Because there is no SecureID software token available for CW2000, I have to find another way to give CW access to the routers. On the other hand, I want no insecure (level 7) password on the routers because password recovery could reveal the password.

The best I found was defining an account on the TACACS server which can be used to log in to the routers; if the user is not in the TACACS server, it will ask the ACE server. That works fine, but now I can log in to ALL routers from all destinations, and that is also not secure. I tried using AAA authorisation to make an ACL active on the VTY, and debugging shows the ACL is activated for the CW user, but I can still connect to all routers from all destinations and the ACL does not seem to work. Should this work?

Another good way would be if it were possible to tell the TACACS server that it should only grant access if the CW user tried to connect from the CW machine, but I don't think this option exists, because it is not the end station asking for login but the router.

So to conclude: is there a way to use SecureID with the changing passwords and also give ONLY CW2000 (fixed IP address) access with a static username/password?
Use a fixed password for the CW user and, in ACS, under the user profile's Network Access Restrictions area, NAS (telnet, login, exec) Access Control, enter the IP address of CW as the only permitted source address for this user.
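For reference, the router side that the ACS answer above relies on, as an added example and not configuration from either poster. It assumes a TACACS+ server at 10.0.0.5 with key TACACS-KEY-PLACEHOLDER and a vty range of 0 to 4; the per-user source-IP restriction itself lives in the ACS NAR, not on the router.

```ios
! Added example (hypothetical addresses and key), not from the original thread.
aaa new-model
!
! TACACS+ server that holds the fixed-password CW user and forwards the
! SecureID administrators to the ACE server.
tacacs-server host 10.0.0.5 key TACACS-KEY-PLACEHOLDER
!
! Login authentication via TACACS+; fall back to the enable secret only if
! the server is unreachable (a failed or rejected login never falls through).
aaa authentication login VTY-LOGIN group tacacs+ enable
!
! Exec authorization is what lets the ACS user profile (including its
! Network Access Restriction on the calling IP) decide whether the session
! may proceed; the router reports the client's remote address with the request.
aaa authorization exec VTY-EXEC group tacacs+ if-authenticated
!
! Accounting so every admin and CW login from every source is logged centrally.
aaa accounting exec default start-stop group tacacs+
!
! Type 5 secret instead of a level 7 password, per the concern in the question.
enable secret ENABLE-SECRET-PLACEHOLDER
!
line vty 0 4
 login authentication VTY-LOGIN
 authorization exec VTY-EXEC
 transport input telnet
```

With this in place, a rejection of the CW user from any address other than the one entered in the NAR shows up as a failed exec authorization in the TACACS+ accounting and debug output.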