https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528918#M432467 <HTML><HEAD></HEAD><BODY><P>Thanks AK, Will try and get back to you.</P><P></P><P>Iso</P></BODY></HTML> Tue, 01 Aug 2006 10:10:41 GMT isomemberr 2006-08-01T10:10:41Z https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528916#M432464 <P>Hello,</P><P></P><P>Please i would like to manage my internet routers using tacacs. However, this has not been possible cos a firewall blocks the traffic. Can anybody advice me on how to achieve this?</P><P></P><P>Iso</P> Sun, 10 Mar 2019 21:41:11 GMT https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528916#M432464 isomemberr 2019-03-10T21:41:11Z https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528917#M432466 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>First, you need to allow router and ACS to reach each other.</P><P></P><P>Configure your internet router with appropriate aaa configuration as desired. Refer below as an example:</P><P></P><P>Example:</P><P>Router FastEthernet: xx.xx.xx.5/24 </P><P>Firewall Outside IP: xx.xx.xx.6/24</P><P>Firewall Inside IP: 172.16.1.1/24</P><P>Internal ACS: 172.16.1.50</P><P></P><P>Router:</P><P>aaa new-model</P><P>aaa authentication login TELNET group tacacs+ local</P><P>aaa authentication login CONSOLE local</P><P>aaa authentication enable default enable</P><P>aaa authorization exec default group tacacs+ local </P><P>aaa authorization network default group tacacs+ if-authenticated local </P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting network default start-stop group tacacs+</P><P></P><P>tacacs-server host xx.xx.xx.10 timeout 10 key secretkey</P><P></P><P></P><P>Firewall:</P><P></P><P>1. Map internal ACS to a public IP, or use port re-directio if you don't have enough public (outside) IP to be used.</P><P></P><P>static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255</P><P></P><P>For security reason, you can limit session to tacacs+ from the router by adding any number like "10 5" after the netmask, e.g</P><P></P><P>static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255 10 5</P><P></P><P>10 = half open session (embryonic level)</P><P>5 = max connection to ACS (thru tacacs+ port)</P><P></P><P></P><P>2. Create ACL on outside interface to allow Router's fastethernet interface IP to reach internal ACS via xx.xx.xx.10 IP via tacacs+ port. Bind the ACL to outside interface.</P><P>Also, for testing purposes, enable PING/ICMP from router to the ACS. This can be disable later on as desired.</P><P></P><P>access-list outside permit tcp host xx.xx.xx.5 host xx.xx.xx.10 eq tacacs</P><P>access-list outside permit icmp host xx.xx.xx.5 host xx.xx.xx.10 any any</P><P>access-group outside in interface outside</P><P></P><P></P><P>3. Add the Router's FastEthernet IP as AAA client to ACS. Refer to the following config guide:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142571" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142571</A></P><P></P><P>Make sure you select tacacs+ as the authentication protocol, use the same key as configured in router.</P><P></P><P></P><P>Rgds,</P><P>AK</P><P></P></BODY></HTML> Mon, 31 Jul 2006 13:44:41 GMT https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528917#M432466 a.kiprawih 2006-07-31T13:44:41Z https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528918#M432467 <HTML><HEAD></HEAD><BODY><P>Thanks AK, Will try and get back to you.</P><P></P><P>Iso</P></BODY></HTML> Tue, 01 Aug 2006 10:10:41 GMT https://community.cisco.com/t5/network-access-control/managing-routers-after-a-firewall-using-aaa/m-p/528918#M432467 isomemberr 2006-08-01T10:10:41Z