Configuring Authentication Proxy on the Cisco IOS Firewall

Authentication proxy enables users to connect through the firewall to a resource only after a AAA server has verified their credentials. After authentication is complete, the Cisco IOS Firewall receives authorization information from the AAA server in the form of a dynamic access list. Before implementing authentication proxy, verify that all traffic is flowing properly through the Cisco IOS Firewall. Access lists applied to the Cisco IOS Firewall determine the level of security (for example, what traffic requires authentication proxy). It is possible to require authentication proxy for all traffic or to limit the requirement to specific sources or destinations. There are many ways to configure authentication proxy, and each differs slightly depending on the Cisco IOS Firewall services used and the direction the traffic travels in relation to the Cisco IOS Firewall. Cisco publishes specific configuration guides with examples for each type of configuration at http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_configuration_examples_list.html. The authentication proxy configurations published by Cisco include the following:

• Authentication proxy inbound (no CBAC or NAT)

• Authentication proxy outbound (no CBAC or NAT)

• Authentication proxy inbound (with CBAC, but no NAT)

• Authentication proxy outbound (with CBAC, but no NAT)

• Authentication proxy inbound (with CBAC and NAT)

• Authentication proxy outbound (with CBAC and NAT)

• Authentication proxy inbound with IPsec and VPN client (no CBAC or NAT)

• Authentication proxy outbound with IPsec and VPN client (no CBAC or NAT)

• Authentication proxy inbound with IPsec and VPN client (with CBAC and NAT)

• Authentication proxy outbound with IPsec and VPN client (with CBAC and NAT)

This chapter focuses on configuring the Cisco IOS Firewall for inbound and outbound traffic without using CBAC, NAT, IPsec, or the VPN client.
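
As orientation, here is a minimal inbound sketch of that simplest case (no CBAC, NAT, or IPsec). It is an added example, not taken from this chapter or from Cisco's published guides; the rule name APX_IN, ACL numbers, interface, addresses, and key are constructed placeholders, and it assumes a TACACS+ server reachable on a different interface from the one the users arrive on.

```cisco
! Added example; every name, number, address and key below is a placeholder.
! Assumed topology: users arrive on Ethernet0/0; the TACACS+ server
! (192.0.2.10) is reached through another interface.
!
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! Standard ACL 10: the only sources that are subject to authentication proxy.
! This is how the requirement is limited to specific sources.
access-list 10 permit 203.0.113.0 0.0.0.255
!
! The router's HTTP server presents the login prompt. Tie it to AAA and
! restrict who can reach it, since it is otherwise an exposed service.
ip http server
ip http authentication aaa
ip http access-class 10
!
! Authentication proxy rule: intercept HTTP from sources matched by ACL 10.
ip auth-proxy name APX_IN http list 10
!
! Default-deny ACL on the user-facing interface. The per-user entries the
! AAA server returns after a successful login are added on top of it.
access-list 116 deny ip any any log
!
interface Ethernet0/0
 ip access-group 116 in
 ip auth-proxy APX_IN
```

If the AAA server sits behind the same interface as the users, the interface ACL also needs a permit entry for the server's return traffic to the router ahead of the final deny.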
