How to Use PIX Access Lists instead of 'aaa authentication...'

jwitherell
Level 1

In my last message about "PIX intermittently stops AAA with CiscoSecure ACS/NT", I was asked if I was using the older 'aaa authentication include...' command to invoke CiscoSecure ACS / TACACS services on my PIX 520 with OS 6.1(1). That raised a big question I have...

I *am* using the older 'aaa authentication include...', but I would certainly love to switch to access lists. Is there a document detailing how to use access lists on the PIX? The ones I've seen are pretty short, and not very descriptive. I've wanted to migrate from conduits and static NAT mappings (I am using PAT for normal traffic, static NATs for smtp gateway & other special services) to access lists instead, but I haven't been able to spend enough time to figure it out on my own.

So, hopefully someone can help me...

I am using some standard STATIC and CONDUIT statements to give access to an SMTP gateway, for example:

<<<< Begin Snippet >>>>
static (inside,outside) 32.32.32.32 10.10.10.12 netmask 255.255.255.255 0 0
conduit permit tcp host 32.32.32.32 eq smtp any
<<<< End Snippet >>>>

Here's a snippet of the types of AAA commands I am using. I am using 6 AAA commands to turn on Authorization and Accounting on a subnet. I couldn't use "AAA AUTHENTICATION ANY", because I had problems going to HTTPS sites. Also, since we have a lot of subnets that aren't contiguous, I have a *ton* of these dog-gone commands. I'd love to consolidate all of this....

<<<< Begin Snippet >>>>
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server outgoing protocol tacacs+
aaa-server outgoing (inside) host 10.10.10.11 <STRING> timeout 10
aaa-server outgoing (inside) host 10.9.9.11 <STRING> timeout 15
aaa authentication http console outgoing
!---This is for 10.1.0.x thru 10.1.15.x---
aaa authentication http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication ftp outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication telnet outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization ftp outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization telnet outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
!---10.1.16.x thru 10.1.95.x are not administered with AAA---
!---This is for 10.1.96.x thru 10.1.111.x---
aaa authentication http outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication ftp outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication telnet outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization http outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization ftp outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization telnet outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
<<<< End Snippet >>>>

If you guys know how to do the same thing with access lists, I'd ***LOVE*** to hear from you. It would be most handy if Cisco had a really detailed document on that. Perhaps they do and I don't know it!

3 Replies

ross.filipek
Level 1

Cisco's document isn't terribly detailed, but http://www.cisco.com/warp/public/110/atp52.html#pix_auth is where it's located. Basically, you write an access list defining what traffic should be authorized, and then reference that ACL with the 'aaa authorization match [acl#] inside [server_name]' command. I believe this command structure works for authentication and accounting as well.

As far as traffic filtering goes, using an access list to permit inbound traffic gives you granular control in the sense that you can apply the ACL to a particular interface, but I still prefer conduits because you can modify one line at a time.

That's the one I found before. I was really hoping someone out there may be able to provide a sample of what they've done, and perhaps give some new ideas on how they go about using the ACLs.

I would like it a lot if Cisco could write up a detailed chapter in the PIX Configuration Guide. Seems the subject alone can be gone into in great depth. Cisco told us to leave Conduits, but they didn't spend too much time documenting how to get away from them...

Jim

ttliang
Level 1

This is how I'd get rid of the conduit, something like that.

! An inbound ACL on the outside interface lists source first and matches on the global
! (translated) address, so 'conduit permit tcp host 32.32.32.32 eq smtp any' becomes:
access-list outside_access_in permit tcp any host 32.32.32.32 eq smtp
static (inside,outside) 32.32.32.32 10.10.10.12 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

I don't know if this is what you are looking for in terms of ACL for AAA... hey, take a look... can't hurt too much. I hope not.

! access-list takes an IP protocol (tcp/udp/ip), not a service name; the service goes in 'eq <port>'
access-list inside_authentication_RADIUS permit tcp 10.1.0.0 255.255.240.0 any eq www
access-list inside_authentication_RADIUS permit tcp 10.1.0.0 255.255.240.0 any eq ftp
access-list inside_authentication_RADIUS permit tcp 10.1.0.0 255.255.240.0 any eq telnet
... etc.
! <key> is the shared secret for the RADIUS server
aaa-server RADIUS (inside) host x.x.x.x <key> timeout 5
aaa authentication match inside_authentication_RADIUS inside RADIUS
aaa authorization match inside_authentication_RADIUS inside RADIUS

hope this helps,

Tim
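The two conversions the replies describe (conduit to an interface ACL, and the per-subnet 'aaa ... outbound' lines to one ACL plus 'aaa ... match' per server tag) can be scripted so that a large config is folded consistently. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the shapes shown above, and the ACL names (`outside_access_in`, `<iface>_<type>_<tag>`) and the `www`/`ftp`/`telnet` port literals are assumptions you would adjust to your own naming.

```python
import re

# Constructed sample in the shapes the thread shows (conduit + 'aaa ... outbound' lines).
OLD_CONFIG = """\
conduit permit tcp host 32.32.32.32 eq smtp any
aaa authentication http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication ftp outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authorization http outbound 10.1.0.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
aaa authentication http outbound 10.1.96.0 255.255.240.0 0.0.0.0 0.0.0.0 outgoing
"""

# Service keyword of the old command -> IP protocol and PIX port literal for an ACE (assumed mapping).
SERVICE_PORT = {"http": ("tcp", "www"), "ftp": ("tcp", "ftp"), "telnet": ("tcp", "telnet")}

CONDUIT_RE = re.compile(r"^conduit (permit|deny) (\S+) host (\S+) eq (\S+) any$")
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) outbound "
                    r"(\S+) (\S+) (\S+) (\S+) (\S+)$")

def conduit_to_acl(line, acl="outside_access_in"):
    """A conduit names the global (translated) host first and the foreign side second;
    an interface ACL names the source first, so the two sides swap and 'any' becomes the source.
    Only the 'host <ip> eq <port> any' form used in the thread is handled."""
    m = CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported conduit form: {line!r}")
    action, proto, global_ip, port = m.groups()
    return f"access-list {acl} {action} {proto} any host {global_ip} eq {port}"

def aaa_to_match(lines, iface="inside"):
    """Fold the per-subnet 'aaa <type> <service> outbound ...' lines into one ACL per
    (type, server tag) and one 'aaa <type> match <acl> <iface> <tag>' line each."""
    acls = {}                                   # (type, tag) -> ordered, de-duplicated ACEs
    for line in lines:
        m = AAA_RE.match(line.strip())
        if not m:
            continue                            # not an old-style aaa line; leave it alone
        kind, svc, src, smask, dst, dmask, tag = m.groups()
        proto, port = SERVICE_PORT[svc]
        dest = "any" if (dst, dmask) == ("0.0.0.0", "0.0.0.0") else f"{dst} {dmask}"
        name = f"{iface}_{kind}_{tag}"
        ace = f"access-list {name} permit {proto} {src} {smask} {dest} eq {port}"
        aces = acls.setdefault((kind, tag), [])
        if ace not in aces:
            aces.append(ace)
    out = [ace for aces in acls.values() for ace in aces]
    out += [f"aaa {kind} match {iface}_{kind}_{tag} {iface} {tag}" for kind, tag in acls]
    return out
```

Keeping separate ACLs per (type, tag) preserves the case where a subnet is authenticated but not authorized, which a single shared ACL would silently widen.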
