DMZ won't pass RADIUS traffic to inside

Unanswered Question
Nov 29th, 2005

I just set up a Cisco 1121 Aironet WAP to work with WPA, authenticating to a MS IAS server (RADIUS). It works fine: clients can authenticate, access the internet, etc.


I moved the access point to the DMZ on a PIX 515E and added nat statements and an ACL for dmz to inside.


Now the clients cannot authenticate to the RADIUS server. I am getting an error message:

4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"


This does not make any sense, because my ACL opens ports 1645 and 1646 to the RADIUS server. See below:


access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct

access-group DMZ_TO_INSIDE in interface dmz



static (dmz,outside) 65.223.51.72 192.168.200.2 netmask 255.255.255.255
static (inside,dmz) 192.168.200.3 10.0.4.20 netmask 255.255.255.255
static (inside,dmz) 192.168.200.4 10.0.4.21 netmask 255.255.255.255


I have been working on this for 4 hours with no progress. I tried opening all traffic to and from the dmz, rebuilt the WAP setup, rebuilt the IAS client entry, etc.


Any help would be greatly appreciated.

Thanks in advance.

Lucky Mace
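As an added example (not part of the original post), the following Python script parses a PIX 106023 deny message and tests the denied packet against the ACEs of the ACL quoted above, the way one would check by hand whether a logged 5-tuple is actually covered by any permit line. The log line and ACL text are copied from the question; the helper names and the radius/radius-acct port mapping (1645/1646, the legacy values the PIX keywords expand to) are my own.

```python
import ipaddress
import re

# Sample input copied from the question: the 106023 deny message and the posted ACL.
DENY_LOG = ('4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:192.168.200.2/1645 '
            'dst inside:10.0.4.20/1645 by access-group "DMZ_TO_INSIDE"')
ACL = """
access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 192.168.200.2 host 192.168.200.3 eq radius-acct
"""
# Legacy RADIUS port keywords as the PIX expands them (assumed mapping).
PORT_NAMES = {"radius": 1645, "radius-acct": 1646}
LOG_RE = re.compile(r'106023: Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+) '
                    r'by access-group "([^"]+)"')

def parse_deny(line):
    """Extract protocol, addresses, ports and ACL name from a 106023 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 106023 message")
    proto, src, sport, dst, dport, acl = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "acl": acl}

def _addr(t, i):
    """Consume one address spec (host A | A MASK | any) at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2   # dotted netmask form

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport}

def matching_ace(deny, acl_text):
    """Return the first ACE in the named ACL that the denied packet would match, else None."""
    for line in acl_text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue   # skip remarks and non-ACE lines
        ace = parse_ace(line)
        if ace["name"] != deny["acl"] or ace["proto"] != deny["proto"]:
            continue
        if (ipaddress.ip_address(deny["src"]) in ace["src"]
                and ipaddress.ip_address(deny["dst"]) in ace["dst"]
                and (ace["dport"] is None or ace["dport"] == deny["dport"])):
            return ace
    return None

if __name__ == "__main__":
    print(matching_ace(parse_deny(DENY_LOG), ACL))   # None: no ACE covers dst 10.0.4.20
```

Running it against the posted log shows that no ACE covers the logged destination 10.0.4.20; substituting the static's mapped address 192.168.200.3 as the destination makes the udp/1645 line match.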

