Can't get TACACS working with ASA5510 over VPN tunnel

CSCO10576352
Level 1

Hi, I have looked around on the web but cannot seem to find an answer to this one.

I have a remote ASA5510 firewall which I need to manage via TACACS. The ASA connects to my core network via a VPN tunnel which terminates on a cisco 2811 router. The VPN is up and working fine.

When debugging the TACACS requests, what appears to be happening is that the traffic is not getting decrypted as it passes through the cisco 2811 on its way to the TACACS host, despite the crypto ACLs being correct on both the ASA and the 2811 to capture the traffic flows between the ASA's outside interface and the TACACS host. All other relevant access-list rules and ssh commands are in place.

Are there any funnies I need to be aware of when trying to get TACACS working over the VPN to the ASA?

Will the ASA actually encrypt the TACACS request as part of the VPN given it is sourcing the flow itself on its outside interface which is also the endpoint address of the VPN tunnel?

Thanks for looking.

3 Replies

Hi,

If the TACACS+ packets from the ASA are being sourced from the ASA's outside interface, then you should include this IP in the ACL for interesting traffic.

The outside IP of the ASA should be part of the VPN traffic.

For example:

If the inside network behind the router is 10.1.1.0/24

If the inside network behind the ASA is 192.168.1.0/24

If the public IP of the ASA is 200.1.1.1

Then, besides having the crypto ACL flowing between 10.1.1.0/24 and 192.168.1.0/24, the traffic should be encrypted when flowing between the 10.1.1.0/24 and 200.1.1.1 as well.

Another option is to source the TACACS+ packets from the inside interface of the ASA (not sure if the ASA allows you to do this).

Federico.

Thanks for the reply.

Yes, I have included the outside interface in the ACLs that specify the interesting traffic, for example:

Where the outside interface of the ASA is 1.1.1.1

and

The TACACS host is 2.2.2.2

Then on the ASA:

access-list encrypt-acl extended permit ip host 1.1.1.1 host 2.2.2.2

Then on the 2811 that terminates the tunnel:

ip access-list extended encrypt-acl
 permit ip host 2.2.2.2 host 1.1.1.1

These are basically additions to the existing and working crypto ACLs.

Then you should see a security association created for that traffic on phase two of the VPN tunnel.

If you do this command on the router: sh cry ips sa peer x.x.x.x (where x.x.x.x is the public IP of the ASA)

And also the same command on the ASA.

It will show you a pair of SAs for each ACL (crypto ACL for that tunnel).

You should be able to see if traffic is being encrypted/decrypted between the ASA and the TACACS+

Federico.
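The thread's advice boils down to two checks: the ASA-sourced TACACS+ flow (outside IP to TACACS host) must be matched by the crypto ACL on the ASA, and the router's crypto ACL must be the exact mirror image so the same SA pair exists on both ends. The script below is an added example (not from the thread or from Cisco) that parses ASA-style and IOS-style `permit ip` lines and reports both conditions; the ACL text and the LAN ranges are constructed sample data, only 1.1.1.1 (ASA outside) and 2.2.2.2 (TACACS host) come from the post above.

```python
import ipaddress
import re

# Constructed sample crypto ACLs: 1.1.1.1 = ASA outside, 2.2.2.2 = TACACS host
# (from the thread); the two LAN ranges are invented for the example.
ASA_ACL = """
access-list encrypt-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list encrypt-acl extended permit ip host 1.1.1.1 host 2.2.2.2
"""
ROUTER_ACL = """
ip access-list extended encrypt-acl
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 2.2.2.2 host 1.1.1.1
"""

def _net(tokens, i, wildcard):
    """Consume one address spec at tokens[i]; return (IPv4Network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:  # IOS ACLs carry wildcard masks; invert to a subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_crypto_acl(text, wildcard=False):
    """Turn 'permit ip <src> <dst>' lines (ASA or IOS style) into (src, dst) pairs."""
    entries = []
    for line in text.splitlines():
        m = re.search(r"permit ip (.*)", line)
        if m:
            tokens = m.group(1).split()
            src, i = _net(tokens, 0, wildcard)
            dst, _ = _net(tokens, i, wildcard)
            entries.append((src, dst))
    return entries

def covers(entries, src_ip, dst_ip):
    """True if some entry matches the given src -> dst flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)

def mirrored(local, remote):
    """Every local (src, dst) must appear on the remote end as (dst, src)."""
    return {(d, s) for s, d in local} == set(remote)

def check_tunnel(asa_acl, router_acl, flow_src, flow_dst):
    """Report whether the flow is interesting on both ends and the ACLs mirror."""
    asa, rtr = parse_crypto_acl(asa_acl), parse_crypto_acl(router_acl, wildcard=True)
    return {"asa_matches_flow": covers(asa, flow_src, flow_dst),
            "router_matches_return": covers(rtr, flow_dst, flow_src),
            "acls_mirrored": mirrored(asa, rtr)}
```

If `acls_mirrored` comes back False on a real pair of configs, that is the case to look at first: a missing host entry on the router side leaves the ASA with no matching SA and the TACACS+ packets arrive at the router unencrypted or are dropped.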
