Example 16-2 Configuring Outbound Authentication Proxy on the Perimeter Router

Router1#configure terminal
! - - - Enable authentication on the Cisco IOS firewall
Router1(config)#aaa new-model
! - - - Define TACACS+ as the authentication method used for login
Router1(config)#aaa authentication login default group tacacs+
! - - - The auth-proxy keyword is used to enable authentication proxy for TACACS+
Router1(config)#aaa authorization auth-proxy default group tacacs+
! - - - Activate authentication proxy accounting
Router1(config)#aaa accounting auth-proxy default start-stop group tacacs+
Router1(config)#tacacs-server host 10.10.11.142
! - - - Define the key for encryption between the AAA server and the Cisco IOS firewall
Router1(config)#tacacs-server key abc123
! - - - Create an access list to allow traffic from the AAA server back to the router
Router1(config)#access-list 103 permit tcp host 10.10.11.142 eq tacacs host 10.10.10,
! - - - Enable the HTTP server on the Cisco IOS firewall
Router1(config)#ip http server
! - - - Set the authentication to AAA
Router1(config)#ip http authentication aaa
! - - - Create a standard access list denying all traffic
Router1(config)#access-list 22 deny any
! - - - Define standard access list 22 for the HTTP server
Router1(config)#ip http access-class 22
! - - - Define the global authentication timeout to 30 minutes
Router1(config)#ip auth-proxy auth-cache-time 30
! - - - Display the firewall name on the login page
Router1(config)#ip auth-proxy auth-proxy-banner
! - - - Create the auth-proxy rules with the name allowed-outbound
Router1(config)#ip auth-proxy name allowed-outbound http
! - - - Enter the interface configuration mode
Router1(config)#interface e0
! - - - Configure the IP address of the interface
Router1(config-if)#ip address 10.10.10.254 255.255.255.0
! - - - Apply the named auth-proxy rule to the interface
Router1(config-if)#ip auth-proxy allowed-outbound
! - - - Exit the interface configuration mode
Router1(config-if)#CTL-Z
Router1#

Notice from Example 16-2 that the major difference in the configuration is where the access list is applied to the Cisco IOS Firewall. The access list must be applied on the interface facing the source to facilitate the communication between the source and the Cisco IOS Firewall.
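As an added illustration (not part of Example 16-2 or the book's own text), the following session shows the piece the paragraph above refers to: the access list applied inbound on the interface that faces the users, together with the show and clear commands a practitioner uses to confirm that the proxy is working and to expire entries early. The destination address 10.10.10.254 in access list 103 is an assumption taken from the e0 address in the example, since the page's own access-list 103 line is truncated; the host 10.10.10.5, the user jdoe and the password are constructed sample values.

```cisco
! Added example, not from the page. Assumes Router1 reaches the TACACS+
! server 10.10.11.142 from its e0 address 10.10.10.254 (assumption).
Router1#configure terminal
! Return traffic from the AAA server to the router must be permitted ahead
! of the deny, otherwise the proxy can never finish an authentication.
Router1(config)#access-list 103 permit tcp host 10.10.11.142 eq tacacs host 10.10.10.254
! Everything else from the inside is blocked until the proxy inserts a
! dynamic entry for an authenticated host.
Router1(config)#access-list 103 deny ip any any
! Apply the list inbound on the interface facing the source, the same
! interface that carries the auth-proxy rule.
Router1(config)#interface e0
Router1(config-if)#ip access-group 103 in
Router1(config-if)#ip auth-proxy allowed-outbound
Router1(config-if)#end
! Check that the AAA path works before relying on it (sample user jdoe,
! constructed password).
Router1#test aaa group tacacs+ jdoe secret123 legacy
! Confirm the rule, the cache timeout and the banner setting.
Router1#show ip auth-proxy configuration
! Entries appear here once a user has authenticated through the proxy;
! each one corresponds to a dynamic permit inserted at the top of list 103.
Router1#show ip auth-proxy cache
Router1#show access-lists 103
! Expire one host's entry without waiting for the 30-minute timeout,
! for example after that user's session is reported as suspicious.
Router1#clear ip auth-proxy cache 10.10.10.5
```

The explicit deny at the end of access list 103 is what turns the proxy into an access control: without it, unauthenticated hosts would pass through the interface regardless of whether the proxy ever saw their HTTP traffic.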
