Controlling Network Access for IP Traffic for a Given User (Extended); Identifying Addresses for Policy NAT and NAT Exemption (Extended) - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 10 Controlling Network Access with Access Control Lists (Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 10-4)

Access Control List Overview

To identify traffic for network access authentication using a TACACS+ or RADIUS server, perform
the following tasks:
a. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13.
   Permit entries in the ACL mark matching traffic for authentication, while deny entries exclude
   matching traffic from authentication.
b. Apply the ACL using the aaa authentication match command in the "Configuring
   Authentication for Network Access" section on page 12-20.

To identify traffic for network access accounting using a TACACS+ or RADIUS server, perform the
following tasks:
a. Add the ACL using the "Adding an Extended Access Control List" section on page 10-13.
   Permit entries in the ACL mark matching traffic for accounting, while deny entries exclude
   matching traffic from accounting.
b. Apply the ACL using the aaa accounting match command in the "Configuring Accounting for
   Network Access" section on page 12-25.

Controlling Network Access for IP Traffic for a Given User (Extended)

When you configure user authentication for network access, you can also choose to configure user
authorization that determines the specific access privileges for each user. If you use a RADIUS server,
you can configure the RADIUS server to download a dynamic ACL to be applied to the user, or the server
can send the name of an ACL that you already configured on the FWSM. See the following tasks for
each method.

For dynamic ACLs, all ACL configuration takes place on the RADIUS server. Perform the following
tasks:
a. Refer to the "Adding an Extended Access Control List" section on page 10-13 for ACL syntax
   and guidelines.
b. To create the ACL on the RADIUS server, see the "Configuring the RADIUS Server to
   Download Per-User Access Control Lists" section on page 12-27.

For a downloaded ACL name, perform the following tasks:
a. Configure an extended ACL according to the "Adding an Extended Access Control List"
   section on page 10-13. This extended ACL is not assigned to an interface, but is designed to be
   applied to one or more users.
b. Use the ACL name according to the "Configuring the RADIUS Server to Download Per-User
   Access Control List Names" section on page 12-27.

These per-user ACLs must be as restrictive or more restrictive than an extended ACL that is assigned to
the interface. For example, if the ACL assigned to the inside interface allows all users to have only HTTP
access to other networks, it would not make sense to configure an authorization ACL for that user to
access FTP.

Identifying Addresses for Policy NAT and NAT Exemption (Extended)

Policy NAT lets you identify local traffic for address translation by specifying the source and destination
addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular
NAT can only consider the local addresses.
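The following FWSM configuration is an added example illustrating the policy NAT and NAT exemption paragraph above; it is not taken from the guide. Interface names, the address ranges (documentation ranges stand in for real public space), and the NAT IDs are assumptions. It contrasts a regular nat statement, which can only match on the local (source) address, with ACL-driven policy NAT that matches on source, destination and optionally ports, and with NAT exemption (nat 0 with an ACL).

```cisco
! Added example, not from the guide. Interface names, addresses and NAT IDs
! are assumptions chosen for illustration.

! --- Policy NAT: translate 10.1.2.0/24 only when it talks to the partner
!     network 209.165.201.0/27. The ACL carries BOTH source and destination;
!     a regular "nat (inside) 1 10.1.2.0 255.255.255.0" could match on the
!     source only.
access-list POLICY_PARTNER extended permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
nat (inside) 2 access-list POLICY_PARTNER
global (outside) 2 209.165.202.130-209.165.202.140

! --- Ports are optional in the policy ACL: this rule applies only to HTTPS
!     towards the partner network. A single global address means PAT.
access-list POLICY_HTTPS extended permit tcp 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224 eq 443
nat (inside) 3 access-list POLICY_HTTPS
global (outside) 3 209.165.202.141

! --- Regular dynamic NAT for everything else leaving inside. Matched on the
!     local address only, so it cannot distinguish destinations.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.202.129

! --- NAT exemption: inside-to-DMZ traffic keeps its real addresses. NAT ID 0
!     WITH an access-list is exemption; "nat (inside) 0 <net> <mask>" without
!     an ACL is identity NAT, a different feature.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

Two practitioner notes. First, the NAT rules are not evaluated in configuration order: in the FWSM/PIX NAT model, exemption is matched before policy NAT, and policy NAT before regular NAT, so the broad regular rule above does not swallow partner traffic; confirm the precedence in the NAT chapter for your release. Second, keep the NONAT ACL as narrow as the real requirement, because exempted hosts are reachable by their real addresses from the far side (subject to the interface ACLs), and an overly wide exemption quietly removes the address hiding the rest of the NAT design relies on.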
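Returning to the AAA match and per-user ACL tasks earlier on this page, the following FWSM configuration is an added example of the whole flow; it is not from the guide. The interface names, addresses, the server-group name RADIUS_AUTH and its shared key are assumptions, and the aaa-server host line uses the 2.x-era form with the key on the host line (later releases put the key on a separate line). The RADIUS attributes shown in comments (IETF Filter-Id for a downloaded ACL name, the Cisco cisco-av-pair VSA with ip:inacl# entries for a dynamic ACL) follow Cisco's usual RADIUS conventions and are constructed for illustration; the exact format to use is the one described in Chapter 12 of the guide.

```cisco
! Added example, not from the guide. Addresses, interface names, server
! group name and key are assumptions. Topology assumed: users on inside
! (10.1.1.0/24), servers on a dmz (10.2.0.0/24), RADIUS at 10.1.1.10.

! --- 1. Interface ACL: inside users get only HTTP/HTTPS, plus DNS to the
!        DMZ resolver. This is the outer bound on any per-user ACL.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 10.2.0.53 eq 53
access-group INSIDE_IN in interface inside

! --- 2. Match ACL selecting which traffic triggers authentication.
!        Entries are evaluated first match wins, so the deny that exempts
!        the intranet server from login MUST precede the general permit;
!        placed after it, the server would be authenticated like anything
!        else. A deny here only skips authentication; INSIDE_IN still
!        decides whether the packet is allowed at all.
access-list AUTH_MATCH extended deny tcp 10.1.1.0 255.255.255.0 host 10.2.0.80 eq 80
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq 443

! --- 3. RADIUS server group (2.x syntax: key and timeout on the host line).
aaa-server RADIUS_AUTH protocol radius
aaa-server RADIUS_AUTH (inside) host 10.1.1.10 Ch4ngeMeSharedKey timeout 10

! --- 4. Bind the match ACL for authentication and accounting. A separate,
!        narrower ACL could be used for accounting if fewer flows should be
!        recorded.
aaa authentication match AUTH_MATCH inside RADIUS_AUTH
aaa accounting match AUTH_MATCH inside RADIUS_AUTH

! --- 5a. Downloaded ACL NAME: the ACL lives on the FWSM but is never bound
!         with access-group; RADIUS returns its name per user.
access-list WEB_FINANCE extended permit tcp any host 10.2.0.20 eq 443
access-list WEB_FINANCE extended deny ip any any
! Constructed RADIUS reply for user alice:   Filter-Id = "WEB_FINANCE"

! --- 5b. Dynamic ACL: the entries themselves arrive from RADIUS, so nothing
!         is configured on the FWSM for bob.
! Constructed RADIUS reply for user bob:
!   cisco-av-pair = "ip:inacl#1=permit tcp any host 10.2.0.20 eq 443"
!   cisco-av-pair = "ip:inacl#2=deny ip any any"
!
! An entry such as "ip:inacl#1=permit tcp any any eq 21" would be pointless
! for either user: INSIDE_IN never permits FTP, so a per-user permit cannot
! widen it. Per-user ACLs only narrow what the interface ACL already allows.
```

Verify the result with show access-list, which lists WEB_FINANCE and any ACL downloaded for an authenticated user alongside INSIDE_IN, and with show uauth to see which users are currently authenticated and which ACL is attached to them; a user who can reach 10.2.0.80 without a login prompt but is prompted for any other web server confirms that the deny entry in AUTH_MATCH is doing its job.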
