Section 7.0: AAA

7.1. AAA on the Router

  1. Configure R7 router management with TACACS+ using the AAA server, as shown in Figure 7-1.

  2. Configure PIX translation and ACL accordingly:

    pixfirewall(config)# show static
    static (inside,outside) 175.1.2.3 172.16.1.3 netmask 255.255.255.255 0 0
    
    pixfirewall(config)# show access-list
    access-list 101 permit tcp host 171.7.5.1 host 175.1.2.3 eq tacacs (hitcnt=81)
    
  3. Hidden issue: There is an ingress ACL on the R5 ATM link. You need to allow TCP/49 from R7 to the AAA server:

    r5#show access-lists 101
    Extended IP access list 101
        permit udp host 171.7.5.1 eq ntp host 179.7.2.2 eq ntp (1 match)
        deny ip any 179.7.2.0 0.0.0.7 (18 matches)
        deny icmp any 175.1.2.0 0.0.0.255 echo-reply (10 matches)
        permit icmp any any (30 matches)
        ...
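
An added example, not from the book: a small first-match model of IOS extended ACL evaluation, run over the visible entries of R5's access list 101, showing why the TACACS+ flow from step 3 falls through to the implicit deny until a permit for TCP/49 is present. It assumes R7 sources TACACS+ from 171.7.5.1 toward the translated server address 175.1.2.3 (both taken from the PIX access list above); the source port 11000 and the position of the added entry are constructed for illustration.

```python
import ipaddress

PORTS = {"ntp": 123, "tacacs": 49}  # IOS port keywords used on this page

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, sport=None, dport=None, icmp=None):
    """Return (action, matching entry); first match wins, else implicit deny."""
    for line in acl:
        action, e_proto, *tok = line.split()
        e_src, tok = _addr(tok)
        e_sport, tok = _port(tok)
        e_dst, tok = _addr(tok)
        e_dport, tok = _port(tok)
        e_icmp = tok[0] if tok else None  # trailing ICMP type keyword, if any
        if e_proto not in ("ip", proto) or not (_hit(src, e_src) and _hit(dst, e_dst)):
            continue
        wanted = ((e_sport, sport), (e_dport, dport), (e_icmp, icmp))
        if any(want is not None and want != got for want, got in wanted):
            continue
        return action, line
    return "deny", "implicit deny"

# Visible entries of R5 access list 101 (hit counters removed; "..." not modelled).
VISIBLE = [
    "permit udp host 171.7.5.1 eq ntp host 179.7.2.2 eq ntp",
    "deny ip any 179.7.2.0 0.0.0.7",
    "deny icmp any 175.1.2.0 0.0.0.255 echo-reply",
    "permit icmp any any",
]
# Assumed fix: the same flow the PIX access list permits, placed ahead of the denies.
FIXED = ["permit tcp host 171.7.5.1 host 175.1.2.3 eq tacacs"] + VISIBLE

def tacacs_verdict(acl):
    return evaluate(acl, "tcp", "171.7.5.1", "175.1.2.3", sport=11000, dport=49)
```

Calling `tacacs_verdict(VISIBLE)` and `tacacs_verdict(FIXED)` gives the before and after verdicts for the R7 to AAA server flow.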
