Configuring Cut-Through Proxy
Cut-through proxy allows you to control services accessible through the firewall by
user rather than by IP address, providing a finer granularity of control. User connection
requests can be authenticated or authorized against either a TACACS+ or
a RADIUS server. One of the most interesting features of cut-through proxy is its
performance. In traditional proxy-based firewalls, every data packet in a session
needs to be processed at the application layer, resulting in tremendous overhead
and low performance. Using cut-through proxy functionality, the PIX transparently
authenticates and authorizes the initial connection attempt at the application
layer. Once authentication and/or authorization have been performed, the session
is shifted and traffic flows directly between the two hosts while state information
is maintained, providing a significant performance advantage over proxy firewalls.
www.syngress.com
Authentication, Authorization, and Accounting • Chapter 5 261
NOTE
You cannot use the local database for authentication of traffic through
the PIX firewall.
To implement AAA authentication to control user access to services through
the PIX firewall, you need to complete the following high-level tasks:
1. Define the PIX firewall properly as an AAA client on your AAA
server. See the section titled "Adding a NAS to Cisco Secure ACS" for a
description of how to accomplish this task if you are using Cisco Secure
ACS as your AAA server. Make sure that you define the correct
authentication method (for example, TACACS+ or RADIUS) when you
define the PIX as an AAA client on your Cisco Secure ACS server.
2. Define the users properly within the AAA server. See the section
entitled "Adding a User to Cisco Secure ACS" for a description of how
to accomplish this task if you are using Cisco Secure ACS.
3. Define the AAA server group and AAA servers on the PIX firewall
using the aaa-server command, as discussed previously.
4. Enable and configure AAA authentication on the PIX firewall using the
aaa authentication command syntax to control user access to services
through the PIX firewall. The syntax of this command is as follows:
aaa authentication {include | exclude} authen_service {inbound | outbound}
interface local_ip local_mask foreign_ip foreign_mask group_tag
Use the include keyword to create a new rule and the exclude keyword to
create an exception to a previous rule. The authen_service parameter needs to be
any, ftp, http, or telnet. The inbound or outbound keywords specify inbound or outbound
services, respectively. The interface parameter specifies the interface from
which to authenticate connections. The local_ip and local_mask parameters specify
the host or network that you want authenticated. To specify all hosts, use 0 for
both. The foreign_ip and foreign_mask parameters specify the host or network that
you want to access local_ip. To specify all hosts, use 0 for both. Lastly, group_tag
specifies the AAA server group to use for authentication.
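As an added example, not taken from the book or from Cisco's documentation, the following constructed PIX configuration puts the firewall-side steps above together: task 3 (the aaa-server group and server) followed by task 4 (an include rule plus an exclude exception). The group name MYTACACS, the server and network addresses, and the shared key are placeholders; the lines beginning with "!" are explanatory and are not typed into the PIX. The parameter order follows the syntax described on this page.

```cisco
! Task 3: define an AAA server group that speaks TACACS+ and the server it contains.
! The local user database cannot authenticate through-traffic, so a server group is required.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.168.1.10 PLACEHOLDER_SHARED_KEY timeout 5

! Task 4: require authentication for any service, for outbound connections arriving on the
! inside interface, from every local host (0 0) to every foreign host (0 0), using MYTACACS.
aaa authentication include any outbound inside 0 0 0 0 MYTACACS

! Exception to the rule above: hosts on the constructed management subnet 192.168.1.0/24
! may reach the constructed network 10.0.0.0/8 without being prompted for credentials.
aaa authentication exclude any outbound inside 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 MYTACACS
```

Two points worth checking after entering such a configuration: the exclude rule only exempts the local/foreign pair it names, so any other outbound connection from the inside interface still triggers authentication against MYTACACS, and the shared key in the aaa-server line is a secret that protects the exchange with the TACACS+ server, so it should be unique to this firewall and kept out of copied or shared configuration files.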