Cisco Support Community

New Member

Uncommon Firewall Requirement

I have a customer who wants a stateful packet inspection firewall that will be responsible for controlling outbound traffic for internal users. They have a separate firewall that will deal with blocking inbound traffic. They want the ability to make allow/deny decisions based on user name and/or group membership. The allow/deny decisions will be strictly port/protocol based and they want the ability to specifically allow or deny all TCP and UDP ports and ICMP traffic on a user-by-user basis. The firewall needs to integrate with eDirectory (first choice) and/or Active Directory and they want, in effect, single sign-on functionality so that users log in to the domain and the firewall then uses those domain credentials. They have looked at single sign-on options but don't want to install additional desktop clients.

Please advise.

Thanks for your time

New Member

Re: Uncommon Firewall Requirement

Sounds like your customer is working hard, and not smart. :o)

The simple solution would be to add an Access Control Server and point the firewall to it. Set up the groups and assign the users accordingly. If you need to permit/deny based on time, you could configure "Time-Based" ACLs.

Note: you can also configure the ACS to talk to AD.

Re: Uncommon Firewall Requirement

think auth-proxy!!!
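An added configuration sketch, not from either reply or from any Cisco document, that ties the two suggestions together: IOS auth-proxy on the inside interface, Cisco ACS as the RADIUS server returning per-user or per-group ACL entries, and a time-range limiting when one static rule applies. Addresses, names and the shared secret are placeholders, and the ACS-to-directory binding (AD, as the reply notes) is assumed to be set up on the ACS side.

```cisco
! Router/firewall side (IOS). Addresses, names and secret are placeholders.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key REPLACE_WITH_SHARED_SECRET
!
! Auth-proxy intercepts the user's first HTTP request; the router's
! HTTP server serves the login page and hands the credentials to ACS.
ip http server
ip http authentication aaa
ip auth-proxy name USERPOLICY http inactivity-time 60
!
! Time-based ACL support: a window for rules that should only apply
! during the working day.
time-range WORKHOURS
 periodic weekdays 08:00 to 18:00
!
! Base inbound ACL on the inside interface. Before login only DNS (and,
! as an example of a time-ranged static rule, SSH to one assumed partner
! host during WORKHOURS) is open; everything else waits for the per-user
! entries that ACS returns after authentication.
ip access-list extended INSIDE_IN
 permit udp 10.10.0.0 0.0.255.255 any eq domain
 permit tcp 10.10.0.0 0.0.255.255 host 203.0.113.5 eq 22 time-range WORKHOURS
 deny   ip any any
!
interface FastEthernet0/0
 description Inside users (assumed 10.10.0.0/16)
 ip address 10.10.0.1 255.255.0.0
 ip access-group INSIDE_IN in
 ip auth-proxy USERPOLICY
!
! ACS side: RADIUS cisco-av-pair attributes on the group profile. Each
! proxyacl#N line is inserted into INSIDE_IN for the authenticated user's
! source address, so port/protocol policy is decided per user or group.
! Example for a "web-only" group:
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit tcp any any eq 80
!   auth-proxy:proxyacl#2=permit tcp any any eq 443
!   auth-proxy:proxyacl#3=permit icmp any any echo
! A "no outbound" group carries no proxyacl lines, so INSIDE_IN's final
! deny still applies to its members after they log in.
```

Note that this gives web-triggered login rather than true domain single sign-on; the user still sees the proxy's login page once per inactivity window.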