Example 161 Configuring Inbound Authentication Proxy on the Cisco IOS Firewall

Router1#configure terminal
!--- Enable AAA on the Cisco IOS firewall
Router1(config)#aaa new-model
!--- Define TACACS+ as the authentication method used for login
Router1(config)#aaa authentication login default group tacacs+
!--- The auth-proxy keyword enables authorization for authentication proxy through TACACS+
Router1(config)#aaa authorization auth-proxy default group tacacs+
!--- Activate authentication proxy accounting
Router1(config)#aaa accounting auth-proxy default start-stop group tacacs+
!--- Specify the TACACS+ server
Router1(config)#tacacs-server host 10.10.11.142
!--- Define the key for encryption between the AAA server and the Cisco IOS firewall
Router1(config)#tacacs-server key abc123
!--- Create an access list to allow traffic from the AAA server back to the router
Router1(config)#access-list 103 permit tcp host 10.10.11.142 eq tacacs host 10.10.10,
!--- Enable the HTTP server on the Cisco IOS firewall
Router1(config)#ip http server
!--- Set the HTTP server authentication to AAA
Router1(config)#ip http authentication aaa
!--- Create a standard access list denying all traffic
Router1(config)#access-list 22 deny any
!--- Apply standard access list 22 to the HTTP server
Router1(config)#ip http access-class 22
!--- Set the global authentication cache timeout to 30 minutes
Router1(config)#ip auth-proxy auth-cache-time 30
!--- Display the firewall name on the login page
Router1(config)#ip auth-proxy auth-proxy-banner
!--- Create the auth-proxy rule with the name allowed-inbound
Router1(config)#ip auth-proxy name allowed-inbound http
!--- Enter the interface configuration mode
Router1(config)#interface s0
!--- Configure the IP address of the interface
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
!--- Apply the named auth-proxy rule to the interface
Router1(config-if)#ip auth-proxy allowed-inbound
!--- Exit the interface configuration mode (Ctrl-Z returns to privileged EXEC)
Router1(config-if)#^Z
Router1#
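The listing above has several pieces that must all be present for HTTP authentication proxy to work and to stay locked down (AAA enabled, an auth-proxy authorization and accounting list, a TACACS+ key, the HTTP server using AAA and fenced by an access-class, and the named rule both defined and applied). The following audit script is an added example, not code from the book; it runs the checks over a constructed copy of the running configuration, with the truncated destination of access-list 103 replaced by a placeholder address.

```python
import re

# Constructed sample (not the book's code): the listing above as "show running-config"
# would print it; the destination host of access-list 103 is a placeholder address.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 10.10.11.142
tacacs-server key abc123
access-list 103 permit tcp host 10.10.11.142 eq tacacs host 10.10.10.1
ip http server
ip http authentication aaa
access-list 22 deny any
ip http access-class 22
ip auth-proxy auth-cache-time 30
ip auth-proxy auth-proxy-banner
ip auth-proxy name allowed-inbound http
interface Serial0
 ip address 192.168.0.1 255.255.255.0
 ip auth-proxy allowed-inbound
"""

# Global lines that must be present for HTTP auth-proxy with TACACS+ (pattern -> finding).
REQUIRED = {
    r"aaa new-model$": "AAA not enabled (aaa new-model)",
    r"aaa authorization auth-proxy default group ": "no auth-proxy authorization list",
    r"aaa accounting auth-proxy default start-stop group ": "auth-proxy accounting off",
    r"tacacs-server key \S+": "no TACACS+ shared key",
    r"ip http server$": "HTTP server disabled, proxy cannot intercept",
    r"ip http authentication aaa$": "HTTP server not authenticating via AAA",
    r"ip auth-proxy auth-cache-time \d+": "auth-cache-time left at default (60 minutes)",
}

def audit_auth_proxy(config: str) -> list[str]:
    """Return findings for an auth-proxy configuration; an empty list means every check passed."""
    lines = config.splitlines()
    findings = [msg for pat, msg in REQUIRED.items() if not any(re.match(pat, l) for l in lines)]
    # The HTTP server must be fenced by an access-class, and the ACL it names must exist.
    acl = next((m.group(1) for l in lines if (m := re.match(r"ip http access-class (\d+)", l))), None)
    if acl is None:
        findings.append("HTTP server reachable by anyone (no ip http access-class)")
    elif not any(re.match(rf"access-list {acl} ", l) for l in lines):
        findings.append(f"ip http access-class references undefined ACL {acl}")
    # Rules applied under an interface (indented) must be defined globally, and vice versa.
    defined = {m.group(1) for l in lines if (m := re.match(r"ip auth-proxy name (\S+) ", l))}
    applied = {m.group(1) for l in lines if (m := re.match(r" ip auth-proxy (\S+)$", l))}
    findings += [f"interface applies undefined auth-proxy rule {n}" for n in applied - defined]
    findings += [f"auth-proxy rule {n} defined but applied to no interface" for n in defined - applied]
    return findings
```

Run it against the output of `show running-config` taken from the router; an empty result means the listing's control points are all in place.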

Next, you configure the Cisco IOS Firewall for an internal source and an external destination. Figure 16-6 depicts the network with an internal source and external destination.
