IP Address translation issue for ACS Appliance Ver 4.1

Unanswered Question
Jan 7th, 2008


We have an issue where the ACS appliance's IP address is translated to a different IP on a different segment through the firewall (ASA and PIX). The associated AAA client, a Cat2960 (IOS 12.2), is defined on the ACS, and has the translated IP configured as its TACACS+ server with the same shared secret key.

Communication between the AAA client and the ACS appliance is verified using the translated IP, as the client and ACS can ping each other in both directions.

But no authentications, either passed or failed, are reported on ACS. We also tried translating to the same real IP address of ACS, allowing connectivity for AAA clients from the outside interface to the inside interface on ASA 7.x and PIX 6.3, but it didn't work.

Any ideas will be appreciated.




Collin Clark Tue, 01/08/2008 - 06:27

What does the PIX log say when you try and pass authentication? Does ACS ever see the auth attempt in its logs?

cisco24x7 Tue, 01/08/2008 - 07:55

Try this:

access-list test permit icmp any any log
access-list test permit tcp any any eq 49 log
access-list test permit ip any any log
access-group test in interface outside
static (inside,outside) acs_ip acs_ip netmask 255.255.255.255
logging on
logging timestamp
logging host inside syslog_ip

It works fine on my system even as I proxy off the connection from ACS to RSA SecurID:

[[email protected] root]# telnet
Connected to (
Escape character is '^]'.

User Access Verification
Username: test3
Enter your new PIN, containing 4 to 8 digits,
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN



1- Make sure you allow port 49 through the
2- Make sure you have static NAT properly
3- Make sure you have the AAA client defined in the ACS,
4- Make sure the pre-shared key matches on both sides,

CCIE Security
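As an added illustration of point 4 above (not code from this thread or from Cisco): a small Python model of the TACACS+ body obfuscation from RFC 8907, showing that when the AAA client's key and the server's key differ, the authentication START packet still arrives on TCP/49 but decodes to noise, so the server has nothing sensible to log. The session id, username, port and remote address are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major 0xC, minor 0 (the common "v12.0" header byte)
TAC_PLUS_AUTHEN = 0x01   # packet type: authentication


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: chained MD5 over session_id, key, version and seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START (seq_no 1) as an AAA client would send it to the ACS."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), data_len=0
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet, key):
    """Server-side view: de-obfuscate with the configured key and sanity-check it."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    ul, pl, rl, dl = struct.unpack("!4B", body[4:8])
    # With the wrong key the length fields decode to noise and no longer add up,
    # which is what a "bad secret" / silently dropped request looks like on the server.
    return {"session_id": session_id, "user": body[8:8 + ul],
            "consistent": 8 + ul + pl + rl + dl == length}
```

If the ASA/PIX log shows TCP/49 being built but the ACS reports nothing, this key-mismatch case and a wrong static NAT are the two things to rule out first.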

Jagdeep Gambhir Tue, 01/08/2008 - 08:45

Please try this:

ACS ---> Network Configuration ---> Proxy Distribution Table ---> bring Deleverance1 into the "Forward To" box and your server name in the left box.

In case you don't see the Proxy Distribution Table, then you need to enable it:

Interface Configuration ---> Advanced Options ---> put a check in Distribution Table.



