Firewall Wizards mailing list archives

RE: Automatic ACL update on Cisco boxes


From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Thu, 12 Jun 2003 10:58:15 +0100

You can do this using downloadable access lists. This is a feature in Cisco
TACACS+ servers. The access lists are held on the TACACS+ server and are
downloaded to the access control point device when the user authenticates.

There is a 90-day evaluation version available from Cisco.



-----Original Message-----
From: Pierre-Yves Bonnetain [mailto:bonnetain () acm org]
Sent: 11 June 2003 13:42
To: firewall-wizards () icsalabs com
Subject: [fw-wiz] Automatic ACL update on Cisco boxes


Hello,

We are currently setting up some filtering routers (Cisco, IOS 12) for a 
customer. We are looking for some tool (or pack of tools, or magical 
stuff, whatever) that will enable us to dynamically add or remove ACLs 
on the router, depending on some external events.

Our idea is the following: roaming user Alice connects to a VPN box, 
used as an entry point to our internal network. After authentication, she 
gets an IP address (say, 192.168.1.1) from the box.

We would then like to update another router's configuration (VPN zone to 
internal net) to add a few 'permit' ACLs for her temporary address, so 
that she will have access to the systems she needs to use (the list is 
hardcoded somewhere, _not_ on her laptop) and those ACLs will be removed 
as soon as she disconnects from the VPN. This way, we do not have 
permanent ACLs; when no one uses the VPN the router has _no_ permits at 
all (well, maybe a few for the RADIUS stuff and admin tasks -:).

Do you have any idea/product names doing this kind of stuff?
Tia,

-- 
Pierre-Yves Bonnetain
B&A Consultants - Networks and Computers Security
Phone : +33 (0) 563 277 241 - Fax : +33 (0) 563 277 245

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


********************************************************************************************
" This message contains information that may be privileged or confidential and 
is the property of the Cap Gemini Ernst & Young Group. It is intended only for 
the person to whom it is addressed. If you are not the intended recipient, you 
are not authorized to read, print, retain, copy, disseminate, distribute, or use 
this message or any part thereof. If you receive this message in error, please 
notify the sender immediately and delete all copies of this message ".
********************************************************************************************
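The workflow Pierre-Yves describes (add 'permit' entries for the user's temporary VPN address on connect, remove exactly those entries on disconnect, so the router carries no standing permits) can be driven from RADIUS accounting Start/Stop records rather than from the TACACS+ downloadable ACLs suggested in the reply. The following is an added example, not code from either poster or from Cisco: it parses constructed accounting records, looks the user up in a server-side policy table (the "hardcoded somewhere" list), and emits the IOS named-extended-ACL commands to install or withdraw her entries. The policy table, the VPN pool 192.168.1.0/24, the ACL name VPN-TO-INTERNAL and the record format are all assumptions; delivering the commands to the router (for example over SSH) is left to whatever transport the site already uses.

```python
import ipaddress
from typing import Dict, List

# Hypothetical server-side policy: which internal hosts/ports each VPN user may reach.
# Per the original post, this list lives on the infrastructure side, never on the laptop.
USER_POLICY: Dict[str, List[str]] = {
    "alice": ["tcp 10.10.0.5 eq 22", "tcp 10.10.0.7 eq 443"],
    "bob": ["tcp 10.10.0.9 eq 3389"],
}
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")  # assumed: addresses the VPN box hands out
ACL_NAME = "VPN-TO-INTERNAL"                        # assumed: named extended ACL on the inner router

# Constructed RADIUS accounting records in a simple "Attribute = value" detail format.
# The second record carries an address outside the VPN pool and must be ignored.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type = Start
User-Name = "alice"
Framed-IP-Address = 192.168.1.1

Acct-Status-Type = Start
User-Name = "alice"
Framed-IP-Address = 10.10.0.5

Acct-Status-Type = Stop
User-Name = "alice"
Framed-IP-Address = 192.168.1.1
"""


def parse_accounting(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'key = value' blocks into one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


class AclProvisioner:
    """Turns accounting Start/Stop records into IOS named-ACL command batches."""

    def __init__(self, policy: Dict[str, List[str]], pool: ipaddress.IPv4Network, acl_name: str):
        self.policy = policy
        self.pool = pool
        self.acl_name = acl_name
        # Entries currently installed per user, so Stop withdraws exactly what Start added.
        self.installed: Dict[str, List[str]] = {}

    def _aces(self, user: str, ip: str) -> List[str]:
        """Build 'permit <proto> host <ip> host <dst> [eq <port>]' lines for a user."""
        aces = []
        for rule in self.policy.get(user, []):
            proto, dst, *match = rule.split()
            aces.append(" ".join(["permit", proto, "host", ip, "host", dst] + match))
        return aces

    def handle(self, rec: Dict[str, str]) -> List[str]:
        """Return the IOS commands for one record, or [] if nothing should change."""
        user = rec.get("User-Name", "")
        status = rec.get("Acct-Status-Type", "")
        try:
            addr = ipaddress.ip_address(rec.get("Framed-IP-Address", ""))
        except ValueError:
            return []
        # A record must never open the ACL for an address the VPN box could not have assigned.
        if addr not in self.pool:
            return []
        cmds: List[str] = []
        old = self.installed.pop(user, None)
        if old:  # Stop, or a fresh Start after a missed Stop: withdraw the previous entries first
            cmds += ["no " + ace for ace in old]
        if status == "Start":
            new = self._aces(user, str(addr))
            if new:
                self.installed[user] = new
                cmds += new
        if not cmds:
            return []
        return [f"ip access-list extended {self.acl_name}"] + cmds + ["exit"]


def provision(text: str) -> List[List[str]]:
    """Run every record in an accounting dump through a fresh provisioner."""
    prov = AclProvisioner(USER_POLICY, VPN_POOL, ACL_NAME)
    return [prov.handle(rec) for rec in parse_accounting(text)]


if __name__ == "__main__":
    for batch in provision(SAMPLE_ACCOUNTING):
        print("\n".join(batch) if batch else "(no change)")
```

Because the provisioner remembers what it installed per user, a Stop record (or a second Start after a lost Stop) removes precisely the earlier lines with `no permit ...` inside the named ACL, which is what leaves the router with no standing permits once everyone has disconnected. The pool check is the important caveat: an accounting message is an untrusted input to the router's policy, so the address it carries is only honoured if the VPN box could actually have assigned it.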
