PIX Running config
pixfirewall# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
: NOTE(review): this hash is identical to the "passwd" line further down, so the
: login password and the enable password are the same value. It is also the
: widely published hash of the factory default password; set two distinct,
: non-default values.
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
: same hash as "enable password" above (see the note there)
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
: only the local buffer receives log messages (there is no "logging host"), so
: they do not survive a reload; the TACACS+ accounting configured below is the
: durable record of who changed what
logging enable
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
: bidirectional static mapping between the TACACS+ host 192.168.254.1 (inside)
: and 200.200.200.10 (outside).
: NOTE(review): the two statics map the same address pair in opposite
: directions; confirm both are intended. No access-group is applied on
: outside, so this alone does not permit outside->inside traffic.
static (outside,inside) 192.168.254.1 200.200.200.10 netmask 255.255.255.255
static (inside,outside) 200.200.200.10 192.168.254.1 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
: TACACS+ server group used for telnet login, enable accounting and command
: accounting; the server is the tac_plus box on the inside network
aaa-server tacacs-linux protocol tacacs+
max-failed-attempts 4
aaa-server tacacs-linux host 192.168.254.1
: shared secret, stored and displayed in cleartext in "show run"; it must match
: "key" in /etc/tac_plus.conf and should be a long random value rather than a
: dictionary word
key cisco
: telnet logins are authenticated by TACACS+; there is no
: "aaa authentication enable console" line, so the enable step still uses the
: local enable password above and is not checked against the server
aaa authentication telnet console tacacs-linux
: these two lines produce the "enable_15 ... cmd=..." records in tac_acc.log
aaa accounting enable console tacacs-linux
aaa accounting command tacacs-linux
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
: remote management is telnet only (no "ssh <host> <mask> <if>" line is
: present) and limited to the TACACS+ host on the inside; telnet carries the
: login in cleartext, so SSH is the better choice even on the inside
telnet 192.168.254.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
: 0 disables the serial console idle timeout
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:21ca8ebca2ec428118bb83aa6c57a4ba
: end
Config for tac_plus on my Mandriva box (/etc/tac_plus.conf)
#/etc/tac_plus.conf
# tac_plus daemon configuration paired with the "tacacs-linux" aaa-server on the PIX.
# Shared secret; must match the "key" of "aaa-server tacacs-linux host" on the PIX.
# It is stored in cleartext here, so keep this file readable only by root and
# use a long random string rather than a short dictionary word.
key = cisco
# Fallback authentication source for any user profile that has no "login =" line.
# NOTE(review): the original comment said /etc/shadow, but this line points at
# /etc/passwd -- confirm which file actually holds the password hashes on this
# host (the ohbet profile below names /etc/shadow explicitly).
default authentication = file /etc/passwd
# Access logs (disabled)
#access log = /var/log/tac_plus/%Y/%m/%d.access
# Where the accounting records go. The PIX sends enable and command accounting
# here, so every configuration command entered on the firewall lands in this file.
accounting file = /var/log/tac_acc.log
# syslog facility used for the daemon's own messages
logging = local6
# Alternative: pipe accounting records to syslog through logger (disabled)
#accounting file = "|exec /usr/bin/logger"
# Catch-all profile: any user that authenticates gets every service permitted.
# It has no "login =" line, so presumably it falls back to "default authentication" above.
user = DEFAULT {
default service = permit
}
# Profiles for user accounts
user = ohbet {
default service = permit
# this account authenticates against /etc/shadow rather than the default file
login = file /etc/shadow
}
So every user in /etc/passwd can log in, and after entering the enable password the session has privilege level 15 (the enable password is the local one from the PIX config, since only telnet console authentication points at TACACS+).
Some log captures from the accounting file during configuration changes.
tail -f /var/log/tac_acc.log
Tue Oct 7 14:35:32 2008 192.168.254.254 enable_15 0 0.0.0.0 stop task_id=1 cmd=aaa accounting command TACACS service=shell elapsed_time=0
Tue Oct 7 14:37:08 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=2 cmd=configure terminal service=shell elapsed_time=0
Tue Oct 7 14:37:36 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=3 cmd=access-list in_nameif_outside rem "ACL from outside" service=shell elapsed_time=0
Tue Oct 21 09:12:57 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=1 cmd=aaa accounting command tacacs-linux service=shell elapsed_time=0
Tue Oct 21 09:13:07 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=2 cmd=write memory service=shell elapsed_time=0
Tue Oct 21 09:14:08 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=3 cmd=configure terminal service=shell elapsed_time=0
Tue Oct 21 09:14:40 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=4 cmd=static (outside,inside) 192.168.254.1 200.200.200.10 netmask 255.255.255.255 service=shell elapsed_time=0
Tue Oct 21 09:15:07 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=5 cmd=static (inside,outside) 200.200.200.10 192.168.254.1 netmask 255.255.255.255 service=shell elapsed_time=0
Tue Oct 21 09:15:12 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=6 cmd=write memory service=shell elapsed_time=0