source-address for TACACS+

Unanswered Question
May 18th, 2010

My customer has an ASA and wants to do AAA authentication with TACACS+. The ACS server, however, is accessible through an IPsec VPN tunnel terminating on the outside interface of the ASA.

Whenever a user logs into the ASA, the request will be sent out via the outside interface with the source IP address of the outside interface of the ASA, thus not matching my encryption list. How can I do this? I cannot add the outside interface IP address to the encryption list. What I need is a command like: tacacs source ip address a.b.c.d.

dirks_2 Tue, 05/18/2010 - 06:35

Dear halijenn,

Thank you very much for your reaction, but this did not help. Any other suggestions?

The problem is that the source IP address sent from my ASA does not match the encryption list.

Jennifer Halim Tue, 05/18/2010 - 15:26

When you specify "(inside)" on the aaa-server, the TACACS+ packet will be sourced from the inside interface.

Please also configure the "management-access inside" command.

If you generate a ping from the ASA (ping inside), you should get a reply, and the ping packet will be sourced from the inside interface going towards the TACACS+ server.
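An added configuration example (not from the thread) that puts the answer above together: the aaa-server host bound to the inside interface, management-access inside, and a crypto ACL that covers the inside network so the TACACS+ traffic is selected for the tunnel. All addresses, names and the key are constructed placeholders.

```cisco
! Constructed example (not from the thread). Assumed addressing:
!   inside interface 192.168.1.1/24, ACS server 10.1.1.5 behind the VPN peer.
!
! 1. TACACS+ server group bound to the inside interface, so the ASA sources
!    its TACACS+ requests from 192.168.1.1 instead of the outside interface IP.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.5
 key PLACEHOLDER_SHARED_SECRET
!
! 2. Allow traffic generated by the ASA itself to use the inside interface
!    address when it leaves through another interface (the VPN on outside).
management-access inside
!
! 3. Crypto ACL for the site-to-site tunnel. It must cover the inside
!    interface address, here by including the whole inside subnet, so the
!    TACACS+ packets from 192.168.1.1 to 10.1.1.5 match and get encrypted.
!    (The matching NAT exemption for 192.168.1.0/24 to the remote network
!    must also exist, as for any traffic over this tunnel.)
access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! 4. Use the group for device login, keeping LOCAL as the fallback so
!    administrators are not locked out if the tunnel or the server is down.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Verification (exec mode): a ping sourced from inside should get a reply,
! and the test command confirms the server answers through the tunnel.
!   ping inside 10.1.1.5
!   show aaa-server ACS
!   test aaa-server authentication ACS host 10.1.1.5 username testuser password testpass
```

If the ping from inside works but the test command fails, check the shared key and the server-side client definition, which must list the inside interface address, not the outside one.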
