managing routers after a firewall using aaa

isomemberr
Level 1

Hello,

Please, I would like to manage my internet routers using TACACS. However, this has not been possible because a firewall blocks the traffic. Can anybody advise me on how to achieve this?

Iso

2 Replies

a.kiprawih
Level 7

Hi,

First, you need to allow router and ACS to reach each other.

Configure your internet router with the appropriate AAA configuration as desired. Refer to the example below:

Example:

Router FastEthernet: xx.xx.xx.5/24
Firewall Outside IP: xx.xx.xx.6/24
Firewall Inside IP: 172.16.1.1/24
Internal ACS: 172.16.1.50

Router:

aaa new-model
aaa authentication login TELNET group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
! The server address is the firewall's public (static) IP for the ACS,
! and the key must match the one entered for this router on ACS.
tacacs-server host xx.xx.xx.10 timeout 10 key secretkey
! The named login lists above do nothing until they are applied to the lines.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication TELNET

Firewall:

1. Map the internal ACS to a public IP, or use port redirection if you don't have enough public (outside) IPs to be used.

static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255

For security reasons, you can limit sessions to TACACS+ from the router by adding any numbers like "10 5" after the netmask, e.g.

static (inside,outside) xx.xx.xx.10 172.16.1.50 netmask 255.255.255.255 10 5

10 = half open session (embryonic level)

5 = max connection to ACS (thru tacacs+ port)

2. Create an ACL on the outside interface to allow the router's FastEthernet interface IP to reach the internal ACS via the xx.xx.xx.10 IP on the TACACS+ port. Bind the ACL to the outside interface.

Also, for testing purposes, enable PING/ICMP from the router to the ACS. This can be disabled later on as desired.

access-list outside permit tcp host xx.xx.xx.5 host xx.xx.xx.10 eq tacacs
access-list outside permit icmp host xx.xx.xx.5 host xx.xx.xx.10
access-group outside in interface outside

3. Add the router's FastEthernet IP as an AAA client to ACS. Refer to the following config guide:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142571

Make sure you select TACACS+ as the authentication protocol, and use the same key as configured on the router.

Rgds,

AK
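The three pieces above (router `tacacs-server` line, firewall static plus outside ACL, ACS client entry) have to agree with each other, and most "the firewall blocks it" cases come down to one of them not matching. The script below is an added example, not from this thread or from Cisco: it parses constructed IOS and PIX-style config snippets that mirror the example (203.0.113.x stands in for the xx.xx.xx.x placeholders) and reports which link in the chain is broken. It only understands the handful of commands used in the post, and the ACS client table is a plain dict standing in for the ACS configuration.

```python
"""Cross-check router TACACS+ settings against a PIX-style firewall's static
NAT and outside ACL, and against the ACS AAA-client table.

Added example: the config text is constructed to mirror the thread's example,
and only the commands used there are parsed."""

import re
from dataclasses import dataclass, field

TACACS_PORT = 49
PORT_NAMES = {"tacacs": TACACS_PORT}      # PIX accepts the port name in ACLs

# Constructed sample configs (203.0.113.x replaces the thread's xx.xx.xx.x).
ROUTER_CFG = """
aaa new-model
aaa authentication login TELNET group tacacs+ local
tacacs-server host 203.0.113.10 timeout 10 key secretkey
interface FastEthernet0/0
 ip address 203.0.113.5 255.255.255.0
"""

FIREWALL_CFG = """
static (inside,outside) 203.0.113.10 172.16.1.50 netmask 255.255.255.255 10 5
access-list outside permit tcp host 203.0.113.5 host 203.0.113.10 eq tacacs
access-list outside permit icmp host 203.0.113.5 host 203.0.113.10
access-group outside in interface outside
"""

# Stand-in for the ACS "AAA clients" table: client IP -> shared key.
ACS_CLIENTS = {"203.0.113.5": "secretkey"}


@dataclass
class Firewall:
    statics: dict = field(default_factory=dict)  # global IP -> inside IP
    acls: dict = field(default_factory=dict)     # name -> [(proto, src, dst, port)]
    bound: dict = field(default_factory=dict)    # interface -> ACL applied inbound


def parse_firewall(text):
    """Collect static NATs, host-to-host ACL entries and access-group bindings."""
    fw = Firewall()
    for line in text.splitlines():
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:
            fw.statics[m.group(1)] = m.group(2)
            continue
        m = re.match(r"access-list (\S+) permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?", line)
        if m:
            name, proto, src, dst, port = m.groups()
            fw.acls.setdefault(name, []).append((proto, src, dst, port))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            fw.bound[m.group(2)] = m.group(1)
    return fw


def parse_router(text):
    """Return (router source IP, configured TACACS+ server IP, shared key)."""
    srv = re.search(r"^tacacs-server host (\S+).* key (\S+)", text, re.M)
    ip = re.search(r"^ ip address (\S+) \S+", text, re.M)
    return ip.group(1), srv.group(1), srv.group(2)


def port_matches(port):
    """An ACL entry with no 'eq' covers all ports; otherwise it must be 49."""
    if port is None:
        return True
    return PORT_NAMES.get(port, port) in (TACACS_PORT, str(TACACS_PORT))


def check_path(router_ip, server_ip, key, fw, acs_clients):
    """Return a list of problems; an empty list means the TACACS+ path lines up."""
    problems = []
    if server_ip not in fw.statics:
        problems.append(f"no static maps {server_ip} to an inside host")
    acl = fw.bound.get("outside")
    if acl is None:
        problems.append("no ACL bound inbound on the outside interface")
    else:
        permitted = any(
            proto == "tcp" and src in (router_ip, "any")
            and dst in (server_ip, "any") and port_matches(port)
            for proto, src, dst, port in fw.acls.get(acl, [])
        )
        if not permitted:
            problems.append(f"ACL {acl} does not permit tcp {router_ip} -> {server_ip} port {TACACS_PORT}")
    if router_ip not in acs_clients:
        problems.append(f"ACS has no AAA client entry for {router_ip}")
    elif acs_clients[router_ip] != key:
        problems.append(f"ACS key for {router_ip} differs from the router's key")
    return problems


if __name__ == "__main__":
    router_ip, server_ip, key = parse_router(ROUTER_CFG)
    for problem in check_path(router_ip, server_ip, key, parse_firewall(FIREWALL_CFG), ACS_CLIENTS) or ["ok"]:
        print(problem)
```

Running it against the sample prints `ok`; removing the `access-group` line or changing the key on either side produces the corresponding message, which is the same order of checks worth walking through by hand when the router's TACACS+ logins fall back to local.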

Thanks AK, will try and get back to you.

Iso