TACACS via an ASA

Unanswered Question
Dec 29th, 2008

Is it possible for a Cisco device (router or switch) to authenticate to an ACS via an ASA utilizing Network Address Translation? If so, what needs to be added to a config for this to take place?

Collin Clark Tue, 12/30/2008 - 05:55

Sure it can (we do it). You just need to translate from outside to inside. Here is an example; assume ACS is 192.168.1.10.

static (inside,outside) 192.168.1.10 access-list TACACS tcp 65535 10000

Since the static uses an ACL, here is that part as well:

access-list TACACS extended permit ip host 192.168.1.10 host [public IP]

The public IP in our case is the internet router and it requires a static route for the private IP pointing to the firewall.

Hope that helps.
