Configuring Per User Command Authorization

This excerpt of a PIX Firewall configuration corresponds to Figure 18-11:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
ip address inside 192.168.1.231 255.255.255.0
ip address dmz1 10.10.1.1 255.255.255.0
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5631
access-list from-inside-to-dmz permit udp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5632
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.5 eq telnet
access-list from-inside-to-dmz deny ip any host 10.10.1.3
access-list 121 permit tcp any host 10.10.1.3
access-list 121 permit udp any host 10.10.1.3
access-list 121 permit tcp any host 10.10.1.5 eq telnet
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.1.3
nat (inside) 0 access-list 101
static (inside,dmz1) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
access-group from-inside-to-dmz in interface inside
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 192.168.1.4 xxxxxxxx timeout 10
aaa authentication match 121 inside AuthOutbound
aaa authorization match 121 inside AuthOutbound
virtual telnet 10.10.1.5
This security appliance does not allow any connections from its inside hosts (192.168.1.0/24)
to host 10.10.1.3 on DMZ1 except the PCAnywhere application (TCP/5631 and UDP/5632). The
access list from-inside-to-dmz, applied inbound on the inside interface, permits those two
ports, explicitly denies everything else to 10.10.1.3, and permits Telnet to 10.10.1.5, the
virtual telnet address; all other traffic falls to the implicit deny at the end of the list.
The nat 0 and identity static entries let 192.168.1.1 reach 10.10.1.3 without address
translation. Even the PCAnywhere connection is allowed only after the user has been
authenticated and authorized by a Cisco Secure ACS, the TACACS+ server at 192.168.1.4
reached through the inside interface. Access list 121 selects the traffic that is subject to
authentication and authorization: all TCP and UDP to 10.10.1.3, and Telnet to the virtual
telnet address. Note that 121 is deliberately broader than the interface access list (every
TCP and UDP port on 10.10.1.3, not only 5631 and 5632), so a permit later added to
from-inside-to-dmz for that host still has to pass AAA. A user on host 192.168.1.1 first
telnets to the virtual telnet address 10.10.1.5 and authenticates (Telnet carries the
credentials in cleartext from the host to the PIX, so this assumes the inside segment is
trusted), and afterwards runs the PCAnywhere application with 10.10.1.3 as the target host.
The Cisco Secure ACS authorizes this user if its database contains for the user the settings
shown in Figure 18-12.
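The permit/deny and AAA decision the firewall makes for this configuration can be checked offline before the change goes in. The following Python script is an added example, not code from the book or from Cisco: it parses the access-list, access-group and aaa match statements of the excerpt (a constructed copy with the wrapped lines rejoined), evaluates a flow with the PIX first-match and implicit-deny semantics, and then audits whether any path the interface access list permits to 10.10.1.3 escapes authentication. The WEAK_CONFIG variant is constructed to show the failure mode the broad access list 121 prevents: an AAA match list narrower than the interface access list. The function names (parse_config, evaluate, unauthenticated_paths), the sample flows and the port-name table are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the ACL, access-group and aaa match statements from this section's
# excerpt (wrapped lines rejoined); the other statements do not affect this decision.
PIX_CONFIG = """\
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5631
access-list from-inside-to-dmz permit udp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5632
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.5 eq telnet
access-list from-inside-to-dmz deny ip any host 10.10.1.3
access-list 121 permit tcp any host 10.10.1.3
access-list 121 permit udp any host 10.10.1.3
access-list 121 permit tcp any host 10.10.1.5 eq telnet
access-group from-inside-to-dmz in interface inside
aaa authentication match 121 inside AuthOutbound
aaa authorization match 121 inside AuthOutbound
"""

# Constructed weaker variant, not from the page: the AAA match list names only the two
# PCAnywhere ports, and a later change opened TCP/80 (www) to 10.10.1.3 ahead of the deny.
WEAK_CONFIG = """\
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5631
access-list from-inside-to-dmz permit udp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq 5632
access-list from-inside-to-dmz permit tcp 192.168.1.0 255.255.255.0 host 10.10.1.3 eq www
access-list from-inside-to-dmz deny ip any host 10.10.1.3
access-list 121 permit tcp any host 10.10.1.3 eq 5631
access-list 121 permit udp any host 10.10.1.3 eq 5632
access-group from-inside-to-dmz in interface inside
aaa authentication match 121 inside AuthOutbound
aaa authorization match 121 inside AuthOutbound
"""

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "http": 80, "https": 443}  # assumed subset

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None"         # None: any destination port

def _parse_addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX takes real netmasks, not wildcards)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t, i):
    """Optional 'eq <port>' operator; 'range', 'gt' and friends are not modelled."""
    if i < len(t) and t[i] == "eq":
        return (PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])), i + 2
    return None, i

def parse_config(text):
    cfg = {"acls": {}, "bound": {}, "aaa": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:            # access-list <name> <action> <proto> src dst
            src, i = _parse_addr(t, 4)
            _sport, i = _parse_port(t, i)       # source-port operator: parsed, ignored
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[:1] == ["access-group"]:         # access-group <acl> in interface <if>
            cfg["bound"][t[4]] = t[1]
        elif t[:3] in (["aaa", "authentication", "match"], ["aaa", "authorization", "match"]):
            cfg["aaa"][(t[1], t[4])] = t[3]     # aaa <kind> match <acl> <if> <server-group>
    return cfg

def acl_lookup(aces, proto, src, dst, dport):
    """First matching entry wins; a PIX access list ends with an implicit deny."""
    for a in aces:
        if (a.proto in ("ip", proto) and src in a.src and dst in a.dst
                and (a.dport is None or a.dport == dport)):
            return a.action
    return "deny"

def evaluate(cfg, iface, proto, src_ip, dst_ip, dport):
    """Permit/deny for a flow entering `iface`, plus whether it is subject to AAA
    (a 'permit' in the aaa match list means 'must authenticate'; no match means exempt)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = cfg["bound"].get(iface)               # no ACL bound: outbound to lower security is allowed
    permitted = acl is None or acl_lookup(cfg["acls"][acl], proto, src, dst, dport) == "permit"
    out = {"permitted": permitted, "authentication": False, "authorization": False}
    for kind in ("authentication", "authorization"):
        name = cfg["aaa"].get((kind, iface))
        out[kind] = bool(permitted and name and
                         acl_lookup(cfg["acls"][name], proto, src, dst, dport) == "permit")
    return out

def unauthenticated_paths(cfg, iface, src_ip, host, ports=range(1, 65536)):
    """(proto, port) pairs the interface ACL lets through to `host` without the connection
    being subject to authentication, i.e. the AAA match list is narrower than the permits."""
    return [(proto, port) for proto in ("tcp", "udp") for port in ports
            if (r := evaluate(cfg, iface, proto, src_ip, host, port))["permitted"]
            and not r["authentication"]]

if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("PCAnywhere 192.168.1.1 -> 10.10.1.3 tcp/5631:", evaluate(cfg, "inside", "tcp", "192.168.1.1", "10.10.1.3", 5631))
    print("gaps, page config:", unauthenticated_paths(cfg, "inside", "192.168.1.1", "10.10.1.3"))
    print("gaps, weak config:", unauthenticated_paths(parse_config(WEAK_CONFIG), "inside", "192.168.1.1", "10.10.1.3"))
```

Run stand-alone, the page configuration reports no gaps, because every TCP and UDP port on 10.10.1.3 that from-inside-to-dmz could ever permit is already covered by access list 121; the weak variant reports TCP/80 as reachable without authentication. The same audit is worth re-running whenever the interface access list is edited.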