Chapter 10. Configuring Shared Profile Components

In this chapter, you learn the following topics:
In Access Control Server (ACS), Shared Profile Components consist of downloadable IP access control lists (ACLs), Network Access Restrictions (NARs), and command authorization sets for both shell commands and PIX shell commands. Because of their complexity, these components can be more difficult to configure and maintain than the others covered in this book, so this chapter looks at their configuration and management in more depth than the examples seen in other chapters.

The chapter begins with downloadable IP ACLs: specifically, how to configure them in ACS and how to apply them to a PIX Firewall. It then examines NARs, which let you base policy on the point at which a user enters the network. Finally, it discusses command authorization sets, which help you understand and control administrative access to the command-line interface (CLI) of the PIX Firewalls and Cisco IOS routers in your network.

Figure 10-1 illustrates the common topology used for all examples in this chapter. As you can see, it is the same topology used in previous chapters, with a few devices added to the network. Two perimeter routers, "Perimeter Router 1" and "Perimeter Router 2," sit at the edge of the sample network. Inside the perimeter routers sit two PIX Firewalls, "Pixfirewall 1" and "Pixfirewall 2," and inside the PIX Firewalls sits a private network with multiple users and the ACS server.

Figure 10-1. Common Topology

The examples in this chapter are configured according to the following policy. Users that access the Internet through Pixfirewall 1 or Pixfirewall 2 are authenticated, and an ACL carrying their restrictions is applied to their session. Users that access the routers for administrative purposes are restricted to certain devices based on whether they enter through Pixfirewall 1 or Pixfirewall 2. Finally, command authorization is configured on both PIX Firewalls and on both perimeter routers to control administrative access.