Configuring Allotment for
Traffic Through the Firewall
Once you have configured authentication for traffic through the firewall using
the cut-through proxy, you can additionally configure authorization for traffic through the
firewall. Authentication is a prerequisite for authorization. To implement authorization
for traffic through the firewall, you first need to configure the TACACS+
server for authorization.
NOTE
RADIUS and the local database on the PIX firewall are not supported for
authorization of traffic through the PIX firewall.
For example, to configure Cisco Secure ACS for authorization of traffic
through the PIX firewall, you need to define a shell command authorization set.
The section entitled “Configuring Cisco Secure ACS to Support TACACS+
Command Authorization” describes how to define a shell command authorization
set for authorizing user commands attempted on the firewall itself. The configuration
process for services through the firewall is very similar. However, the
commands that you enter should be the names of the services that you want to
allow (for example, HTTP, Telnet, FTP). If you want to control the destinations
that the user can access using the selected service, simply enter the desired
keyword (permit or deny) and the IP address in the argument text box. Figure 5.36
provides an example of defining a shell command authorization set for services
through the firewall.
www.syngress.com
keyword is assumed. The string can be up to 235 alphanumeric
characters in length. Spaces and punctuation are allowed, but special
characters should not be used. For example:
PIX1(config)# auth-prompt prompt Please enter your login credentials
PIX1(config)# auth-prompt accept Authentication Successful
PIX1(config)# auth-prompt reject Authentication Failed
To view the authentication prompt configuration, use the show
auth-prompt command. To remove the configuration, use the no auth-prompt
command.
Authentication, Authorization, and Accounting • Chapter 5 271
NOTE
Remember that before you can configure a shell command authorization
set, you need to configure Cisco Secure ACS to support TACACS+
command authorization.
After configuring the TACACS+ server for authorization, you need to configure
AAA authorization on the PIX firewall using the following command:
aaa authorization {include | exclude}
outbound} [
The syntax for this command is very similar to that of the aaa authentication
command. All parameters are the same except for author_service. Possible values for
the author_service parameter are any, ftp, http, telnet, or
values for protocol are 6 (TCP), 17 (UDP), 1 (ICMP), and so on. The port value
can range from 1 to 65535 and is only valid for the TCP and UDP protocols.
Setting the port value to 0 indicates all ports.
Figure 5.36 Defining a Shell Command Authorization Set for Services
Through the Firewall
For example, the following commands require authorization for all hosts for
outbound Telnet, HTTP, and FTP service requests:
PIX1(config)# aaa authorization include telnet outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include http outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include ftp outbound 0 0 0 0 AuthOutbound
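As an added example (not from the book or from Cisco), the following Python linter parses aaa authorization commands like the ones above and enforces the author_service rules stated in this section: named services, a protocol number, and a port that is only meaningful for TCP (6) or UDP (17), with 0 meaning all ports. It assumes the parameter order of the aaa authentication command (service, interface, local IP and mask, foreign IP and mask, server group tag) and that numeric services are written as protocol/port; the sample configuration is constructed.

```python
import re

# Assumed parameter order (the text says it matches 'aaa authentication'):
# author_service, interface, local_ip, local_mask, foreign_ip, foreign_mask, group_tag.
FIELDS = ("mode", "service", "interface", "local_ip", "local_mask",
          "foreign_ip", "foreign_mask", "group_tag")
LINE_RE = re.compile(r"^(?:\S+\(config\)#\s*)?aaa authorization (include|exclude)"
                     r" (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAMED_SERVICES = {"any", "ftp", "http", "telnet"}

def parse_rule(line: str) -> dict:
    """Parse one command line; raise ValueError on bad syntax or an invalid service."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an aaa authorization command: {line.strip()!r}")
    rule = dict(zip(FIELDS, m.groups()))
    svc = rule["service"]
    if svc not in NAMED_SERVICES:
        # Assumption: numeric services are written 'protocol/port', e.g. 6/23 = TCP port 23.
        pp = re.fullmatch(r"(\d+)/(\d+)", svc)
        if not pp:
            raise ValueError(f"unknown author_service {svc!r}")
        proto, port = int(pp.group(1)), int(pp.group(2))
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} outside 0-65535")
        if port and proto not in (6, 17):  # port 0 = all ports, allowed for any protocol
            raise ValueError(f"port {port} only valid for TCP (6) or UDP (17), not protocol {proto}")
    return rule

def lint(config: str):
    """Return (accepted rules, error messages) for every aaa authorization line."""
    rules, errors = [], []
    for line in config.splitlines():
        if "aaa authorization" in line:
            try:
                rules.append(parse_rule(line))
            except ValueError as e:
                errors.append(str(e))
    return rules, errors

# Constructed sample: the three commands from the text, one line that wrongly
# attaches a port to ICMP, and one UDP line that uses port 0 (all ports).
SAMPLE = """\
PIX1(config)# aaa authorization include telnet outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include http outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include ftp outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include 1/23 outbound 0 0 0 0 AuthOutbound
PIX1(config)# aaa authorization include 17/0 outbound 0 0 0 0 AuthOutbound
"""
```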