07-31-2006 12:46 AM - edited 03-10-2019 02:41 PM
Hello,
Please, I would like to manage my Internet routers using TACACS. However, this has not been possible because a firewall blocks the traffic. Can anybody advise me on how to achieve this?
Iso
07-31-2006 06:44 AM
Hi,
First, you need to allow the router and the ACS to reach each other.
Configure your Internet router with the appropriate AAA configuration as desired. Refer to the example below:
Example:
Router FastEthernet: xx.xx.xx.5/24
Firewall Outside IP: xx.xx.xx.6/24
Firewall Inside IP: 172.16.1.1/24
Internal ACS: 172.16.1.50
Router:
aaa new-model
aaa authentication login TELNET group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host xx.xx.xx.10 timeout 10 key secretkey
! The named lists TELNET and CONSOLE only take effect once applied to the lines
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication TELNET
Firewall:
1. Map the internal ACS to a public IP, or use port redirection if you don't have enough public (outside) IPs.
static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255
For security reasons, you can limit the sessions to TACACS+ from the router by adding numbers like "10 5" after the netmask, e.g.:
static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255 10 5
10 = half-open sessions (embryonic limit)
5 = max connections to the ACS (through the TACACS+ port)
2. Create an ACL on the outside interface to allow the router's FastEthernet interface IP to reach the internal ACS via the xx.xx.xx.10 IP on the TACACS+ port. Bind the ACL to the outside interface.
Also, for testing purposes, enable PING/ICMP from the router to the ACS. This can be disabled later on as desired.
access-list outside permit tcp host xx.xx.xx.5 host xx.xx.xx.10 eq tacacs
access-list outside permit icmp host xx.xx.xx.5 host xx.xx.xx.10 echo
access-group outside in interface outside
3. Add the router's FastEthernet IP as an AAA client in ACS. Refer to the following config guide:
Make sure you select TACACS+ as the authentication protocol, and use the same key as configured on the router.
Rgds,
AK
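As an added example (not part of AK's post and not Cisco's code), the following Python builds and decodes the TACACS+ packets that the firewall rule above has to pass on TCP/49, using the body obfuscation from RFC 8907. It walks through the router's Authentication START (seq 1) and the ACS's GETPASS REPLY (seq 2), and shows what happens when the key on the two sides does not match. The key secretkey and the placeholder address xx.xx.xx.5 are taken from the thread; the username netops, the port name tty1 and the session id are constructed for the example.

```python
"""TACACS+ (RFC 8907) packet build/parse with the shared-secret obfuscation.
Added example; key and xx.xx.xx.5 are from the thread, the rest is constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VERSION = 0xC
TAC_PLUS_AUTHEN = 0x01             # packet type
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # never set here: the body would go in cleartext
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}
# 12-byte header sent in the clear: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=0):
    """Header in the clear, body obfuscated. ASCII login uses minor version 0."""
    version = (TAC_PLUS_MAJOR_VERSION << 4) | minor
    hdr = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def open_packet(packet, key):
    """Return (version, type, seq_no, session_id) and the de-obfuscated body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return (version, ptype, seq_no, session_id), body
    return (version, ptype, seq_no, session_id), obfuscate(body, session_id, key, version, seq_no)


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START for an ASCII login; the password follows in a CONTINUE."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack_from("!8B", body)
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def looks_like_start(body):
    """What a server sees after decoding: a body that does not parse means key mismatch."""
    try:
        return parse_authen_start(body)["action"] == TAC_PLUS_AUTHEN_LOGIN
    except (ValueError, UnicodeDecodeError, struct.error):
        return False


def authen_reply_body(status, server_msg=b"", data=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, flags, sl, dl = struct.unpack_from("!BBHH", body)
    return {"status": REPLY_STATUS.get(status, status), "flags": flags,
            "server_msg": body[6:6 + sl], "data": body[6 + sl:6 + sl + dl]}


def demo_exchange(key=b"secretkey", session_id=0x1234ABCD):
    """Router sends START (seq 1) over TCP/49; ACS decodes it and answers GETPASS (seq 2)."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id,
                         authen_start_body("netops", "tty1", "xx.xx.xx.5"), key)
    hdr, body = open_packet(start, key)                      # ACS side
    request = parse_authen_start(body)
    reply = build_packet(TAC_PLUS_AUTHEN, hdr[2] + 1, session_id,
                         authen_reply_body(TAC_PLUS_AUTHEN_STATUS_GETPASS, b"Password: "), key)
    _, rbody = open_packet(reply, key)                       # router side
    return request, parse_authen_reply(rbody)


if __name__ == "__main__":
    print(demo_exchange())
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD,
                       authen_start_body("netops", "tty1", "xx.xx.xx.5"), b"secretkey")
    print("right key parses:", looks_like_start(open_packet(pkt, b"secretkey")[1]))
    print("wrong key parses:", looks_like_start(open_packet(pkt, b"wrongkey")[1]))
```

With the wrong key the decoded body is garbage, which is the symptom behind a key-mismatch report in ACS, so once the firewall passes TCP/49 the key on the tacacs-server host line and in the AAA client entry is the next thing to compare. Note that the body obfuscation is only an MD5 pseudo-pad XORed in with the shared key, not encryption: anyone who captures the session and knows or guesses the key recovers the login passwords, so a TACACS+ path that leaves the trusted network is better carried inside a VPN tunnel than exposed through a static and an ACL.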
08-01-2006 03:10 AM
Thanks AK, will try and get back to you.
Iso