Cisco Catalyst 6500 Series User Manual
10-4
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Overview
To identify traffic for network access authentication using a TACACS+ or RADIUS server, perform the following tasks:
a. Add the ACL using the “Adding an Extended Access Control List” section on page 10-13.
Permit entries in the ACL mark matching traffic for authentication, while deny entries exclude matching traffic from authentication (they do not block it).
b. Apply the ACL using the aaa authentication match command in the “Configuring Authentication for Network Access” section on page 12-20.
To identify traffic for network access accounting using a TACACS+ or RADIUS server, perform the following tasks:
a. Add the ACL using the “Adding an Extended Access Control List” section on page 10-13.
Permit entries in the ACL mark matching traffic for accounting, while deny entries exclude matching traffic from accounting.
b. Apply the ACL using the aaa accounting match command in the “Configuring Accounting for Network Access” section on page 12-27.
Controlling Network Access for IP Traffic for a Given User (Extended)
When you configure user authentication for network access, you can also configure user authorization, which determines the specific access privileges of each user. If you use a RADIUS server, you can configure the RADIUS server either to download a dynamic ACL that is applied to the user, or to send the name of an ACL that you already configured on the FWSM. See the following tasks for each method.
For dynamic ACLs, all ACL configuration takes place on the RADIUS server. Perform the following tasks:
a. Refer to the “Adding an Extended Access Control List” section on page 10-13 for ACL syntax and guidelines.
b. To create the ACL on the RADIUS server, see the “Configuring the RADIUS Server to Download Per-User Access Control Lists” section on page 12-25.
For a downloaded ACL name, perform the following tasks:
a. Configure an extended ACL according to the “Adding an Extended Access Control List” section on page 10-13.
This extended ACL is not assigned to an interface, but is designed to be applied to one or more users.
b. Use the ACL name according to the “Configuring the RADIUS Server to Download Per-User Access Control List Names” section on page 12-27.
These per-user ACLs must be as restrictive as, or more restrictive than, the extended ACL that is assigned to the interface. For example, if the ACL assigned to the inside interface allows all users only HTTP access to other networks, it would not make sense to configure an authorization ACL that gives a user FTP access: the interface ACL never permits FTP, so the per-user entry can never take effect.
Identifying Addresses for Policy NAT and NAT Exemption (Extended)
Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT can only consider the local addresses.
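The following configuration fragment is an added example, not text from this guide, that puts the ACL roles described above side by side: an authentication-match ACL, an accounting-match ACL, the interface ACL, a per-user ACL that is narrower than the interface ACL, and a policy NAT ACL. All names, interfaces and addresses are made up, and the exact aaa-server command syntax is assumed from the FWSM release this guide covers; the shared secret is a placeholder.

```cisco
! Added example (not from the guide): names, interfaces and addresses are made up.
! Server group used for authentication and accounting (command syntax assumed).
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.1.1.10 SHARED-SECRET-PLACEHOLDER

! 1. Traffic that must authenticate. The deny line does NOT drop traffic;
!    it only exempts web access to one intranet host from authentication.
access-list AUTH-WEB extended deny tcp 10.1.1.0 255.255.255.0 host 192.168.2.20 eq www
access-list AUTH-WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa authentication match AUTH-WEB inside AuthInbound

! 2. Traffic that is accounted for (the same permitted web flows).
access-list ACCT-WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa accounting match ACCT-WEB inside AuthInbound

! 3. Interface ACL: inside users get HTTP to other networks, nothing else.
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside

! Per-user ACL whose name the RADIUS server returns after authentication.
! It is bound to no interface and is narrower than INSIDE-IN (one destination
! host, still HTTP only). A "permit tcp ... eq ftp" entry here would never take
! effect, because INSIDE-IN does not permit FTP for anyone.
access-list USER-ALICE extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq www
access-list USER-ALICE extended deny ip any any

! 4. Policy NAT: translate 10.1.1.0/24 only when it talks to 209.165.200.224/27.
!    The ACL matches on source AND destination (ports could be added as well),
!    which regular NAT cannot do because it looks only at the local address.
access-list NAT-TO-PARTNER extended permit ip 10.1.1.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NAT-TO-PARTNER
global (outside) 1 209.165.201.1-209.165.201.30
```

When reviewing such a configuration, compare each per-user ACL against the interface ACL entry by entry: any per-user permit that the interface ACL would already deny is dead configuration and usually signals a mistaken expectation about what the user can reach.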