Configuring Authentication
Incoming FTP connections to HQ-PIX are authenticated using the Terminal Access
Controller Access Control System Plus (TACACS+) server located on the internal network.
To use a TACACS+ server for authentication, you must first identify the IP address of the
TACACS+ server and then indicate which connections will use the TACACS+ server. This
configuration requires the following two steps:
Step 1 Configure the TACACS+ server:
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
Step 2 Configure authentication, authorization, and accounting (AAA)
authentication for FTP access:
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
Example 20-5 shows the TACACS+ configuration.
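The following Python script is an added illustration, not part of the original case study or any Cisco software, of how the aaa authentication include statement in Step 2 is evaluated: the statement names a service, an interface, a local address and mask, an optional foreign address and mask, and a server tag, and a mask of 0.0.0.0 matches any address. The model treats "local" as the address on the named interface and "foreign" as the address on the far side, and assumes that a matching exclude statement exempts a connection from a matching include; the exclude line for host 10.10.10.200 is constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AaaRule:
    """One 'aaa authentication include|exclude' statement (hypothetical model)."""
    action: str                          # "include" or "exclude"
    service: str                         # ftp, telnet, http, or "any"
    interface: str                       # interface the rule is attached to
    local_net: ipaddress.IPv4Network     # hosts on the named interface
    foreign_net: ipaddress.IPv4Network   # hosts on the far side of the PIX
    server_tag: str                      # e.g. TACACS+


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    # "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0, i.e. any address
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_aaa_line(line: str) -> AaaRule:
    # aaa authentication include|exclude svc if local_ip local_mask [foreign_ip foreign_mask] tag
    parts = line.split()
    if (len(parts) < 8 or parts[:2] != ["aaa", "authentication"]
            or parts[2] not in ("include", "exclude")):
        raise ValueError(f"not an aaa authentication statement: {line!r}")
    action, service, iface, rest = parts[2], parts[3], parts[4], parts[5:]
    if len(rest) == 3:          # local_ip local_mask server_tag
        local_ip, local_mask, tag = rest
        foreign_ip = foreign_mask = "0.0.0.0"   # omitted foreign part means any
    elif len(rest) == 5:        # local_ip local_mask foreign_ip foreign_mask server_tag
        local_ip, local_mask, foreign_ip, foreign_mask, tag = rest
    else:
        raise ValueError(f"unexpected argument count in: {line!r}")
    return AaaRule(action, service, iface,
                   _net(local_ip, local_mask), _net(foreign_ip, foreign_mask), tag)


def _matches(rule: AaaRule, service: str, iface: str,
             local_ip: str, foreign_ip: str) -> bool:
    return (rule.interface == iface
            and rule.service in ("any", service)
            and ipaddress.IPv4Address(local_ip) in rule.local_net
            and ipaddress.IPv4Address(foreign_ip) in rule.foreign_net)


def auth_server_for(rules: List[AaaRule], service: str, iface: str,
                    local_ip: str, foreign_ip: str) -> Optional[str]:
    """Return the server tag that must authenticate this connection, or None.

    Assumption modelled here: an exclude statement that matches the connection
    exempts it even when an include statement also matches."""
    matching = [r for r in rules if _matches(r, service, iface, local_ip, foreign_ip)]
    if any(r.action == "exclude" for r in matching):
        return None
    for r in matching:
        if r.action == "include":
            return r.server_tag
    return None


# Constructed sample configuration: the first line is the statement from the case study,
# the second is a hypothetical exemption for one inside host.
CONFIG = [
    "aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+",
    "aaa authentication exclude ftp inside 10.10.10.200 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+",
]
RULES = [parse_aaa_line(line) for line in CONFIG]

if __name__ == "__main__":
    for svc, ifc, lcl, frn in [("ftp", "inside", "10.10.10.50", "192.168.1.6"),
                               ("ftp", "inside", "10.10.10.200", "192.168.1.6"),
                               ("telnet", "inside", "10.10.10.50", "192.168.1.6")]:
        print(svc, ifc, lcl, "->", frn, ":", auth_server_for(RULES, svc, ifc, lcl, frn))
```

Running the script shows that an FTP session from an arbitrary inside host is handed to the TACACS+ server, the excluded host is passed through without authentication, and a Telnet session is untouched because the include statement names only ftp.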
Task 4: Configuring Logging
To help protect your network configuration, it is important to log events that are happening
on the network. This log information provides valuable insight into what is happening on
the network, especially when the network is being attacked or probed. The following steps
outline the commands necessary to enable logging at the three locations:
Step 1 Enable logging on HQ-PIX to the logging server:
logging on
logging trap informational
logging host DMZ 172.16.31.7
Step 2 Enable logging on HOU-PIX:
logging on
logging trap informational
logging host outside 172.16.31.7
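The following Python script is an added example, not part of the original case study or of any Cisco product, of what a collector at the logging host receives once logging trap informational is set: messages at severity 6 (informational) and everything more severe are forwarded, while severity 7 (debugging) is not. It parses the PIX syslog format, which carries the severity both in the syslog PRI and in the %PIX-<severity>-<message id> tag, checks that the two agree, and counts denied connections by source, destination and port as a simple indicator of probing. The sample lines and their message numbers are constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Syslog severity names as used by the PIX "logging trap <level>" command
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches "<166>%PIX-6-302013: Built inbound TCP connection ..."; the <PRI> prefix is optional
PIX_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# Fields of a constructed access-group deny message
DENY_TEXT = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_pix_syslog(line: str) -> Optional[Dict]:
    """Return a record for one PIX syslog line, or None if it is malformed."""
    m = PIX_MSG.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    if m["pri"] is not None:
        pri = int(m["pri"])
        rec["facility"] = pri // 8          # PRI = facility * 8 + severity
        if pri % 8 != rec["severity"]:      # tag and PRI disagree: treat as malformed
            return None
    return rec


def trap_allows(trap_level: str, severity: int) -> bool:
    """'logging trap <level>' forwards messages at that level and all more severe ones."""
    return severity <= SEVERITY_LEVELS[trap_level]


def forwarded(lines: List[str], trap_level: str = "informational") -> List[Dict]:
    """Records the logging host would receive under the given trap level."""
    return [r for r in map(parse_pix_syslog, lines) if r and trap_allows(trap_level, r["severity"])]


def deny_counts(records: List[Dict]) -> Counter:
    """Count access-group denies per (source, destination, destination port)."""
    counts: Counter = Counter()
    for r in records:
        if r["msgid"] == "106023":
            m = DENY_TEXT.search(r["text"])
            if m:
                counts[(m["src"], m["dst"], m["dport"])] += 1
    return counts


# Constructed sample lines in PIX syslog format (facility local4 = 20, so PRI = 160 + severity)
SAMPLE_LINES = [
    "<166>%PIX-6-302013: Built inbound TCP connection 1 for outside:203.0.113.9/4321 "
    "(203.0.113.9/4321) to dmz:192.168.1.5/80 (192.168.1.5/80)",
    '<164>%PIX-4-106023: Deny tcp src outside:203.0.113.9/4322 dst dmz:192.168.1.6/23 '
    'by access-group "acl-out"',
    '<164>%PIX-4-106023: Deny tcp src outside:203.0.113.9/4323 dst dmz:192.168.1.6/23 '
    'by access-group "acl-out"',
    "<167>%PIX-7-111009: User 'enable_15' executed cmd: show run",   # debugging level
    "not a PIX message at all",                                      # malformed input
]

if __name__ == "__main__":
    received = forwarded(SAMPLE_LINES)
    print(f"{len(received)} of {len(SAMPLE_LINES)} lines forwarded at trap level informational")
    for key, n in deny_counts(received).items():
        print("denied", n, "times:", key)
```

The debugging-level line is parsed successfully but is not forwarded at the informational trap level, so it never reaches the collector; raising the trap level to debugging would forward it at the cost of much higher log volume on the 172.16.31.7 host.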
Example 20-4 Access List on the HQ PIX
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit udp any host 192.168.1.8 eq 514
access-group acl-out in interface outside
Example 20-5 TACACS+ Configuration
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+