AAA for internet routers

What we want to do is configure the firewall to allow the public router to authenticate administrators to the AAA server on the inside. We also want administrators to be able to SSH to the public router without being PAT’d. We don’t want every user in the private LAN to be able to access the device for administration. By configuring policy NAT we can prevent that.

192.168.1.17 is the AAA server
192.168.1.42 is the administrator's PC
75.50.95.73 is the IP on the public router interface
75.50.95.75 is the public IP on the firewall

First we need to create the access lists in the firewall
access-list AAA extended permit ip host 192.168.1.17 host 75.50.95.73

Next we create the STATIC statement
static (inside,outside) 192.168.1.17 access-list AAA

This tells the firewall that when 192.168.1.17 tries to access 75.50.95.73, it should not NAT, but send it through with the original source address.

Next create the ACL to allow AAA through (in this case we’ll use RADIUS)
access-list outside_acl extended permit udp host 75.50.95.73 host 192.168.1.17 eq 1812

In the public router we need to create a route so it knows how to get to the internal AAA server. We point the route to the firewall, since that's where the translation is.
ip route 192.168.1.17 255.255.255.255 75.50.95.75

Creating the access for the administrator is nearly the same. First create an access list. It's useful to name the ACL by the user ID of the administrator.
access-list MMessier extended permit ip host 192.168.1.42 host 75.50.95.73

Create the STATIC NAT translation
static (inside,outside) 192.168.1.42 access-list MMessier

Create a rule for the administrator to SSH to the public router
access-list inside_acl extended permit tcp host 192.168.1.42 host 75.50.95.73 eq 22

Finally we add the route in the public router for the administrator's PC
ip route 192.168.1.42 255.255.255.255 75.50.95.75
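To check that the rules above do what the post says (only the two listed hosts reach the router with their real addresses, and only the router's RADIUS traffic comes back in), here is a small model written for this post; it is not part of the original configuration. It parses the post's own access-list and static lines; the interface PAT address and the interface-ACL names (inside_acl, outside_acl) are assumptions taken from the text.

```python
"""Added example, not from the post: a small model of the firewall rules above.
It parses the post's access-list and static lines and, for a given flow, reports
whether the interface ACL permits it and whether a policy static keeps the real
address (instead of the interface PAT that unlisted LAN hosts receive)."""
import re

# The firewall lines from the post, embedded so the model runs offline.
CONFIG = """
access-list AAA extended permit ip host 192.168.1.17 host 75.50.95.73
static (inside,outside) 192.168.1.17 access-list AAA
access-list outside_acl extended permit udp host 75.50.95.73 host 192.168.1.17 eq 1812
access-list MMessier extended permit ip host 192.168.1.42 host 75.50.95.73
static (inside,outside) 192.168.1.42 access-list MMessier
access-list inside_acl extended permit tcp host 192.168.1.42 host 75.50.95.73 eq 22
"""
FW_OUTSIDE = "75.50.95.75"  # assumed interface PAT address for traffic no static covers

ACE = re.compile(r"access-list (\S+) extended permit (\S+) host (\S+) host (\S+)(?: eq (\d+))?$")
STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)$")

def parse(text):
    """Return ({acl: [(proto, src, dst, port)]}, [(real_ifc, mapped_ifc, real_ip, acl)])."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        if m := ACE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, src, dst, int(port) if port else None))
        elif m := STATIC.match(line):
            statics.append(m.groups())
    return acls, statics

def matches(aces, proto, src, dst, dport):
    return any(p in ("ip", proto) and s == src and d == dst and port in (None, dport)
               for p, s, d, port in aces)

def evaluate(acls, statics, ifc, proto, src, dst, dport):
    """Flow entering on `ifc`: returns (acl_permits, source address after NAT)."""
    # Only the rules shown in the post are loaded, so inside_acl permits nothing
    # but the administrator's SSH; a real inside ACL carries more entries.
    acl_permits = matches(acls.get(f"{ifc}_acl", []), proto, src, dst, dport)
    for real_ifc, mapped_ifc, real_ip, name in statics:
        # Outbound, the static's ACL is matched as written; inbound, with
        # source and destination swapped (the router reaching the real host).
        if ifc == real_ifc and real_ip == src and matches(acls[name], proto, src, dst, dport):
            return acl_permits, src          # identity NAT: router sees the real host
        if ifc == mapped_ifc and real_ip == dst and matches(acls[name], proto, dst, src, dport):
            return acl_permits, src
    # No policy static: outbound gets the interface PAT, inbound has no
    # translation to reach the inside host at all (None).
    return acl_permits, (FW_OUTSIDE if ifc == "inside" else None)
```

A LAN host other than 192.168.1.42 (192.168.1.50 below is a constructed example) is PAT'd to the firewall address and is not permitted by the rule added above, which is exactly the restriction the policy NAT is there to enforce.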

That’s it.
