AAA for internet routers

What we want to do is configure the firewall to allow the public router to authenticate administrators against the AAA server on the inside. We also want administrators to be able to SSH to the public router without being PAT'd. We don't want every user in the private LAN to be able to access the device for administration; by configuring policy NAT we can prevent that. The addresses used below:
is the AAA server
is the administrator's PC
is the IP on the public router interface
is the public IP on the firewall

First we need to create the access list in the firewall that identifies the AAA traffic to be exempted from translation:
access-list AAA extended permit ip host host

Next we create the STATIC statement
static (inside,outside) access-list AAA

This tells the firewall that when tries to access, it should not NAT the traffic, but send it through with the original source address.

Next create the ACL to allow AAA through (in this case we’ll use RADIUS)
access-list outside_acl extended permit udp host host eq 1812

In the public router we need to create a route, so it knows how to get to the internal AAA server. We point the route at the firewall, since that is where the translation takes place.
ip route

Creating the access for the administrator is nearly the same. First create an access list. It’s useful to name the ACL by the user ID of the administrator
access-list MMessier extended permit ip host host

Create the STATIC NAT translation
static (inside,outside) access-list MMessier

Create a rule on the inside interface that allows only the administrator's PC to SSH to the public router:
access-list inside_acl extended permit tcp host host eq 22

Finally we add the route in the public router for the administrator's PC:
ip route

That’s it.
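As an added illustration (not part of the original post), the following Python models how the firewall evaluates the flows described above: it uses constructed sample addresses in place of the ones the post refers to, parses the post's ACL and static syntax, and applies the interface ACL and policy NAT decisions. It assumes the pre-8.3 ASA behaviour that a static tied to a policy-NAT ACL overrides the default interface PAT for matching source/destination pairs.

```python
import re
# Constructed sample addresses (documentation ranges), not those of the original post.
AAA_SERVER, ADMIN_PC = "192.168.1.10", "192.168.1.50"
ROUTER_IF, FW_PUBLIC = "203.0.113.1", "203.0.113.2"
CONFIG = f"""
access-list AAA extended permit ip host {AAA_SERVER} host {ROUTER_IF}
static (inside,outside) {AAA_SERVER} access-list AAA
access-list outside_acl extended permit udp host {ROUTER_IF} host {AAA_SERVER} eq 1812
access-list MMessier extended permit ip host {ADMIN_PC} host {ROUTER_IF}
static (inside,outside) {ADMIN_PC} access-list MMessier
access-list inside_acl extended permit tcp host {ADMIN_PC} host {ROUTER_IF} eq 22
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) host (\S+) host (\S+)(?: eq (\d+))?")
STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) access-list (\S+)")

def parse(config):
    """Return ({acl_name: [(proto, src, dst, port)]}, [(mapped_ip, acl_name)])."""
    acls, statics = {}, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, src, dst, int(port) if port else None))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return acls, statics

def acl_permits(entries, proto, src, dst, dport):
    """True if some entry matches; 'ip' entries match any protocol, no 'eq' means any port."""
    return any(s == src and d == dst and p in ("ip", proto) and port in (None, dport)
               for p, s, d, port in entries)

def translated_source(acls, statics, src, dst):
    """Policy NAT: a static whose ACL matches (src, dst) keeps the real source; else PAT."""
    for mapped, acl in statics:
        if acl_permits(acls.get(acl, []), "ip", src, dst, None):
            return mapped
    return FW_PUBLIC

def inside_to_outside(config, proto, src, dst, dport):
    """Inside host to router: inside_acl is checked on the real addresses, then NAT."""
    acls, statics = parse(config)
    if not acl_permits(acls.get("inside_acl", []), proto, src, dst, dport):
        return ("denied", None)
    return ("permitted", translated_source(acls, statics, src, dst))

def outside_to_inside(config, proto, src, dst, dport):
    """Router to inside: outside_acl must permit and a static must expose dst (identity static, so mapped == real)."""
    acls, statics = parse(config)
    ok = acl_permits(acls.get("outside_acl", []), proto, src, dst, dport)
    return "permitted" if ok and any(m == dst for m, _ in statics) else "denied"
```

Only the administrator's PC reaches the router on port 22 with its real address intact; any other inside host is denied by the inside ACL, and even for other destinations the policy NAT match does not apply, so ordinary traffic is still PAT'd.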
