Can't get TACACS working with ASA5510 over VPN tunnel

Unanswered Question
Mar 14th, 2010

Hi, I have looked around on the web but cannot seem to find an answer to this one.

I have a remote ASA5510 firewall which I need to manage via TACACS. The ASA connects to my core network via a VPN tunnel which terminates on a cisco 2811 router. The VPN is up and working fine.

When debugging the TACACS requests what appears to be happening is that the traffic is not getting decrypted as it passes through the cisco 2811 on its way to the TACACS host despite the crypto ACLs being correct on both the ASA and the 2811 to capture the traffic flows between the ASA's outside interface and the TACACS host. All other relevant access-list rules and ssh commands are in place.

Are there any funnies I need to be aware of when trying to get TACACS working over the VPN to the ASA?

Will the ASA actually encrypt the TACACS request as part of the VPN given it is sourcing the flow itself on its outside interface which is also the endpoint address of the VPN tunnel?

Thanks for looking.

Federico Coto F... Sun, 03/14/2010 - 21:46


If the TACACS+ packets from the ASA are being sourced from the ASA's outside interface, then you should include this IP in the ACL for interesting traffic.

The outside IP of the ASA should be part of the VPN traffic.

For example:

If the inside network behind the router is

If the inside network behind the ASA is

If the public IP of the ASA is

Then, besides having the crypto ACL flowing between and, the traffic should be encrypted when flowing between the and as well.

Another option is to source the TACACS+ packets from the inside interface of the ASA (not sure if the ASA allows you to do this).


CSCO10576352 Mon, 03/15/2010 - 07:15

Thanks for the reply.

Yes, I have included the outside interface in the ACLs that specify the interesting traffic, for example:

Where the outside interface of the ASA is


The TACACS host is

The on the ASA:

access-list encrypt-acl extended permit ip host host

Then on the 2811 that terminates the tunnel:

access-list encrypt-acl extended permit ip host host

These are basically additions to the existing and working crypto ACLs.
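As an added example (not from the thread or from either poster), a small Python checker for the point made in the replies: every host-to-host entry in the ASA crypto ACL needs its mirror image (source and destination swapped) on the 2811, and the flow from the ASA outside IP to the TACACS+ host must be one of them. The ACL name, the addresses and both sample configs are constructed, and the router side assumes IOS named extended ACL syntax.

```python
import re
from typing import List, NamedTuple


class Flow(NamedTuple):
    """One host-to-host crypto ACL entry: (source, destination)."""
    src: str
    dst: str


# ASA syntax: "access-list NAME extended permit ip host A host B"
ASA_LINE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)\s*$")
# IOS named extended ACL body line: "permit ip host A host B"
IOS_LINE = re.compile(r"^\s*permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)\s*$")


def parse_asa_acl(config: str, name: str) -> List[Flow]:
    """Collect host/host entries of the named ASA ACL (network entries are ignored here)."""
    flows = []
    for line in config.splitlines():
        m = ASA_LINE.match(line.strip())
        if m and m.group(1) == name:
            flows.append(Flow(m.group(2), m.group(3)))
    return flows


def parse_ios_acl(config: str) -> List[Flow]:
    """Collect host/host entries from an IOS 'ip access-list extended' body."""
    return [Flow(m.group(1), m.group(2))
            for m in (IOS_LINE.match(l) for l in config.splitlines()) if m]


def missing_mirrors(asa_flows: List[Flow], router_flows: List[Flow]) -> List[Flow]:
    """ASA entries whose swapped src/dst is absent on the router: no phase-2 SA can form for them."""
    router_set = set(router_flows)
    return [f for f in asa_flows if Flow(f.dst, f.src) not in router_set]


def covers(flows: List[Flow], src: str, dst: str) -> bool:
    """True if an entry matches the given flow, e.g. ASA outside IP -> TACACS+ host."""
    return Flow(src, dst) in set(flows)


# Constructed sample configs (documentation-range addresses, not the thread's real ones).
ASA_CONFIG = """
access-list encrypt-acl extended permit ip host 10.20.0.5 host 192.0.2.10
access-list encrypt-acl extended permit ip host 198.51.100.2 host 192.0.2.10
"""
ROUTER_CONFIG = """
ip access-list extended encrypt-acl
 permit ip host 192.0.2.10 host 10.20.0.5
"""


def audit() -> List[Flow]:
    """Return ASA crypto ACL entries the router side fails to mirror."""
    return missing_mirrors(parse_asa_acl(ASA_CONFIG, "encrypt-acl"), parse_ios_acl(ROUTER_CONFIG))
```

In the constructed sample the router mirrors the inside host flow but not the outside-interface flow, which is exactly the entry `audit()` reports.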

Federico Coto F... Mon, 03/15/2010 - 09:22

Then you should see a security association created for that traffic on phase two of the VPN tunnel.

If you do this command on the router:  sh cry ips sa peer x.x.x.x   --> x.x.x.x is the public IP of the ASA

And also the same command on the ASA.

It will show you a pair of SAs for each ACL (crypto ACL for that tunnel).

You should be able to see if traffic is being encrypted/decrypted between the ASA and the TACACS+.
