TACACS over site-to-site tunnel

Unanswered Question
Mar 19th, 2010
User Badges:
  • Silver, 250 points or more

I have a site-to-site ipsec tunnel connection set up between two sites using asa 5520s.  At our main site, all outbound traffic is pat'ed to it's outside interface address, excluding site-to-site ipsec tunnel traffic.  The secondary site tunnels all traffic through the main site via the ipsec tunnel, and allows no outbound or inbound traffic otherwise, so it's outside interface ip serves no real purpose outside of being a peer address for the tunnel.

The tacacs server is located on the main site's internal network.  At the main site, tacacs is used to authenticate admin access to all local network devices.  However, I have been unable to get tacacs to work when attempting to authenticate over the tunnel to the secondary site's asa.  Due to the nature of the configuration (crypto map acl permits main site's internal networks to secondary site's internal networks without nat while all other traffic is nat'ed) I authenticate from the main site to the inside interface of the secondary site's asa, using local creds configured on the secondary asa.  I would prefer to use tacacs in this scenario.

The problem is when I attempt to enable tacacs authenticationon on the secondary site's asa, it never works.  I'm assuming that the problem is that the secondary asa attempts to send the authentication request through the outside interface, which is not not included in the crypto map acl, so it fails.  Secondly, it may fail because interface acl doesn't allow anything out anyway, so it never goes anywhere.  I'm wondering if there is a way to set authentication to originate from an interface other than the outside ip address (like the inside interface) so that the tacacs traffic can traverse the tunnel without a bunch of changes in configuration necessary.  I don't want to attempt to add the outside interface to the crypto map configuration if I don't have to, it wouldn't work anyway.

Any ideas?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Antonio Knox Fri, 03/19/2010 - 09:32
User Badges:
  • Silver, 250 points or more

Thanks.  I'll give this a shot.

Jennifer Halim Fri, 03/19/2010 - 15:50
User Badges:
  • Cisco Employee,

plus you should be able to source the tacacs traffic from your inside interface:

aaa-server (inside) host x.x.x.x


This Discussion

Related Content