Configuring AAA Authorization on the PIX Firewall
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.10.10.254 255.255.255.0
ip address dmz1 172.16.1.254 255.255.255.0
access-list from-inside-to-dmz permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.3 eq 5631
access-list from-inside-to-dmz permit udp 10.10.10.0 255.255.255.0 host 172.16.1.3 eq 5632
access-list from-inside-to-dmz permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.5 eq telnet
access-list from-inside-to-dmz deny ip any host 172.16.1.3
access-list 121 permit tcp any host 172.16.1.3
access-list 121 permit udp any host 172.16.1.3
access-list 121 permit tcp any host 172.16.1.5 eq telnet
access-list 101 permit ip 10.10.10.0 255.255.255.0 host 172.16.1.3
nat (inside) 0 access-list 101
static (inside,dmz1) 10.10.10.1 10.10.10.1 netmask 255.255.255.255 0 0
access-group from-inside-to-dmz in interface inside
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.10.10.4 xxxxxxxx timeout 10
aaa authentication match 121 inside AuthOutbound
aaa authorization match 121 inside AuthOutbound
virtual telnet 172.16.1.5
A user on the 10.10.10.1 host would telnet to the virtual telnet address 172.16.1.5,
authenticate, and afterwards run the PCAnywhere application against the target host
172.16.1.3. Cisco Secure ACS authorizes this user if the Command Authorization
configuration stored for this user in the Cisco Secure ACS database is similar to Figure 18-13.
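As an added check, not part of the book's configuration or any Cisco tool, the following Python script re-implements the first-match semantics of the listing's access-lists to show which inside-to-dmz1 flows the interface access-group drops, which it passes, and which of the passed flows are gated by the `aaa authentication/authorization match 121` statements. The access-list text is copied from the listing above; the `classify` function and its three outcome labels are assumptions of this example.

```python
import ipaddress
# Access-list lines from the PIX listing above, embedded here so the check runs offline.
PIX_CONFIG = """
access-list from-inside-to-dmz permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.3 eq 5631
access-list from-inside-to-dmz permit udp 10.10.10.0 255.255.255.0 host 172.16.1.3 eq 5632
access-list from-inside-to-dmz permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.5 eq telnet
access-list from-inside-to-dmz deny ip any host 172.16.1.3
access-list 121 permit tcp any host 172.16.1.3
access-list 121 permit udp any host 172.16.1.3
access-list 121 permit tcp any host 172.16.1.5 eq telnet
"""
PORT_NAMES = {"telnet": 23}  # PIX port keyword used in this listing

def parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Group entries by ACL name, keeping order: the PIX applies the first match."""
    acls = {}
    for t in (l.split() for l in config.splitlines() if l.startswith("access-list")):
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
    return acls

def acl_permits(entries, proto, src, dst, dport):
    """First matching entry decides; an unmatched flow hits the implicit deny."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto) or port not in (None, dport):
            continue
        if ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d:
            return action == "permit"
    return False

def classify(acls, proto, src, dst, dport):
    """Flow must pass the inside access-group; if it also matches ACL 121 the user is challenged."""
    if not acl_permits(acls["from-inside-to-dmz"], proto, src, dst, dport):
        return "denied"
    return "aaa-required" if acl_permits(acls["121"], proto, src, dst, dport) else "permitted"
ACLS = parse_acls(PIX_CONFIG)

if __name__ == "__main__":  # virtual telnet logon, PCAnywhere, explicit deny, wrong source subnet
    for flow in [("tcp", "10.10.10.1", "172.16.1.5", 23), ("tcp", "10.10.10.1", "172.16.1.3", 5631),
                 ("tcp", "10.10.10.1", "172.16.1.3", 80), ("tcp", "10.10.20.9", "172.16.1.3", 5631)]:
        print(flow, "->", classify(ACLS, *flow))
```

In this listing every flow the inside access-group permits also matches ACL 121, so no inside host reaches the dmz1 servers without first authenticating at the virtual telnet address.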