We have a switch in our DMZ at address 192.168.254.2. The DMZ interface of our ASA is 192.168.254.1. We use tacacs authentication on our network and the tacacs (CiscoSecureACS) server is located off of the Inside interface of the ASA at address 192.168.1.163. We need for the switch in the DMZ at 254.2 to authenticate using the tacacs server on the inside interface.
When I set up a capture on the DMZ interface of the ASA for the tacacs requests from the switch in the DMZ at 192.168.254.2, I see the requests from 254.2 bound for 192.168.1.163.
When I move the capture to the inside interface of the ASA, I never see the requests. Seems like the ASA is dropping them for some reason.
There is a global PAT out of the DMZ. I also created a static (DMZ,inside) translation for the 192.168.254.2 address. So far none of this works.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
You may also need to allow tacacs in an acl inbound on the dmz interface.
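The two pieces the reply describes, written out as a complete pre-8.3 ASA configuration fragment. This is an added example, not configuration posted by either participant; the interface names `inside` and `DMZ` and the addresses come from the thread, the ACL name `dmz_in` is an assumption, and TACACS+ is carried on TCP port 49.

```cisco
! Identity NAT: present the inside 192.168.1.0/24 network to the DMZ
! with its real addresses, so the switch's packets to 192.168.1.163
! have a translation and are not dropped by the no-xlate rule.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Inbound ACL on the DMZ interface (name "dmz_in" is an assumption).
! Permit only the TACACS+ session from the DMZ switch to the ACS server;
! any other DMZ-to-inside traffic remains denied by the implicit deny.
access-list dmz_in extended permit tcp host 192.168.254.2 host 192.168.1.163 eq 49
access-group dmz_in in interface DMZ

! Verify the path with packet-tracer before testing from the switch.
! The output shows each phase (ACL, NAT, etc.) and reports ALLOW or DROP
! with the phase that dropped the packet.
packet-tracer input DMZ tcp 192.168.254.2 1025 192.168.1.163 49
```

Running the `packet-tracer` line is the quickest way to see whether the missing piece is the translation or the ACL: a drop in the NAT phase points at the static, a drop in the ACCESS-LIST phase at the ACL.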