Sep 17, 2009 by alperen
Typically, it's necessary to create an ACL entry that allows the AAA server's TACACS+ or RADIUS return traffic to reach the firewall. If CBAC has already been configured, an inbound ACL should already be applied to an interface. Because two ACLs can't be applied to the same interface for traffic traveling in the same direction, the appropriate entries must be added to that existing ACL.
If there's no existing ACL, consider the following:
The source address is the IP address of the AAA server.
The destination is the IP address of the router interface nearest to the AAA server.
Do you want to permit ICMP traffic?
Block all other traffic.
Apply the ACL inbound on the interface connected to the AAA server.
The syntax of the specific entry required for the return traffic looks like the following:
Rtr1(config)#access-list acl# permit tcp host source eq tacacs host dest
In the following example, ACL 105 blocks all inbound traffic on interface Ethernet0/0 except traffic from the AAA server, assuming that traffic from the AAA server arrives through Ethernet0/0. The TACACS+ entry matches replies sourced from the server's TACACS+ port (TCP 49). The final permit ip any any statement allows the remaining IP traffic, such as ICMP, through; TCP and UDP are already denied by the preceding entries.
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 105 in
!
access-list 105 permit tcp host 192.168.1.20 eq tacacs host 192.168.1.1
access-list 105 deny tcp any any
access-list 105 deny udp any any
access-list 105 permit ip any any
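To check how ACL 105 above is evaluated, here is an added, first-match ACL simulator (not Cisco code and not part of the original post). The packets are constructed samples; it shows that the TACACS+ reply is permitted, ICMP passes via the final permit ip any any, and, as a caveat worth noting, a RADIUS reply (UDP, assumed source port 1812) would be dropped by the deny udp any any entry unless a matching permit is added.

```python
# Added illustration: minimal first-match evaluator for the page's ACL 105.
# Entry format: (action, protocol, src, src_port, dst); None means "any".
ACL_105 = [
    ("permit", "tcp", "192.168.1.20", 49, "192.168.1.1"),  # TACACS+ return traffic (eq tacacs)
    ("deny",   "tcp", None, None, None),                   # deny tcp any any
    ("deny",   "udp", None, None, None),                   # deny udp any any
    ("permit", "ip",  None, None, None),                   # permit ip any any (ICMP, etc.)
]

def match(entry, pkt):
    """True if the ACL entry matches the packet (dict with proto/src/sport/dst)."""
    action, proto, src, sport, dst = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src is not None and src != pkt["src"]:
        return False
    if sport is not None and sport != pkt.get("sport"):
        return False
    if dst is not None and dst != pkt["dst"]:
        return False
    return True

def evaluate(acl, pkt):
    """Action of the first matching entry; IOS ACLs end with an implicit deny."""
    for entry in acl:
        if match(entry, pkt):
            return entry[0]
    return "deny"

# Constructed sample flows arriving inbound on Ethernet0/0.
def tacacs_reply():
    return evaluate(ACL_105, {"proto": "tcp", "src": "192.168.1.20", "sport": 49, "dst": "192.168.1.1"})

def radius_reply():
    # RADIUS replies are UDP (assumed source port 1812); no entry permits them.
    return evaluate(ACL_105, {"proto": "udp", "src": "192.168.1.20", "sport": 1812, "dst": "192.168.1.1"})

def icmp_echo():
    return evaluate(ACL_105, {"proto": "icmp", "src": "192.168.1.50", "dst": "192.168.1.1"})

def stray_tcp():
    # Same server, but not sourced from the TACACS+ port: hits deny tcp any any.
    return evaluate(ACL_105, {"proto": "tcp", "src": "192.168.1.20", "sport": 22, "dst": "192.168.1.1"})

if __name__ == "__main__":
    for name, fn in [("tacacs", tacacs_reply), ("radius", radius_reply), ("icmp", icmp_echo), ("tcp/22", stray_tcp)]:
        print(f"{name}: {fn()}")
```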