
New Member

Devices Behind Firewall ACS 4.0 Local

All,

I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is, does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall? When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box, so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authentication to go back to the ACS server? Thanks

  • AAA Identity and NAC
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Devices Behind Firewall ACS 4.0 Local

Hi,

TACACS+ authentication service between network devices and the AAA server runs on TCP 49. The 2004-5000 port range is only applicable if you need to access the ACS server (for management purposes) from outside/internet. In your case, if you need to access your devices behind the firewall from an external network, what you need is to map your internal network devices to public IPs and open the desired service port, e.g. SSH (tcp 22), on your firewall outside interface ACL to allow incoming access.

For your internal devices, you need to have an appropriate AAA configuration that points to ACS (e.g. TACACS+). In your ACS, set these devices up as AAA Clients and configure the appropriate IP, secret key and TACACS+ as the protocol.

Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html

Hope this helps.

Rgds,

AK
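The answer above comes down to one firewall question: does the policy between the managed devices and the ACS permit TCP 49? The script below is an added example (not from this thread, not Cisco's code) that parses a small subset of IOS-style extended ACL syntax and audits which devices would have their TACACS+ requests dropped, which is exactly the "falls back to local login" symptom the original poster saw. All addresses and ACL lines are constructed for the example; the parser understands `any`, `host`, wildcard masks and `eq <port|tacacs|ssh|telnet>` and applies the implicit deny at the end of an IOS ACL.

```python
"""Audit whether an IOS-style extended ACL permits the TACACS+ flow
(network device -> ACS server, TCP 49) that AAA authentication needs.
Constructed example: the ACL text and the addresses below are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TACACS_PORT = 49                                   # TCP 49 is the TACACS+ port
PORT_NAMES = {"tacacs": 49, "ssh": 22, "telnet": 23}  # IOS port keywords handled here


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse one IOS address spec at tokens[i]:
    'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.  Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means a /24
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def _parse_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit ...' and named-ACL 'permit ...' lines; skip the rest."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "remark" in tokens or not any(t in ("permit", "deny") for t in tokens):
            continue                     # header line, remark or blank
        i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny"))
        action, proto = tokens[i], tokens[i + 1]
        src, i = _parse_addr(tokens, i + 2)
        if i < len(tokens) and tokens[i] == "eq":   # optional source port: not needed here
            i += 2
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = _parse_port(tokens[i + 1])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match evaluation, with the implicit 'deny ip any any' IOS appends to every ACL."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def devices_blocked_from_acs(acl_text: str, device_ips: List[str], acs_ip: str) -> List[str]:
    """Devices whose TACACS+ requests (TCP 49 to the ACS) this ACL would drop.
    Those devices fall back to local credentials, the symptom described in the thread."""
    entries = parse_acl(acl_text)
    return [d for d in device_ips if not evaluate(entries, "tcp", d, acs_ip, TACACS_PORT)]


# Constructed firewall policy on the interface facing the managed devices:
# inbound SSH to the devices is allowed, but nothing lets the devices reach
# the ACS on TCP 49, so every TACACS+ login fails.
ACL_BROKEN = """
ip access-list extended FW_POLICY
 permit tcp any 10.1.1.0 0.0.0.255 eq 22
 deny ip any any
"""

# Same policy with the TACACS+ rule added (IOS accepts 'eq tacacs' or 'eq 49').
ACL_FIXED = """
ip access-list extended FW_POLICY
 permit tcp any 10.1.1.0 0.0.0.255 eq 22
 permit tcp 10.1.1.0 0.0.0.255 host 10.0.0.5 eq tacacs
 deny ip any any
"""

DEVICES = ["10.1.1.10", "10.1.1.11"]   # constructed device addresses behind the firewall
ACS = "10.0.0.5"                        # constructed ACS server address

if __name__ == "__main__":
    print("blocked before fix:", devices_blocked_from_acs(ACL_BROKEN, DEVICES, ACS))
    print("blocked after fix: ", devices_blocked_from_acs(ACL_FIXED, DEVICES, ACS))
```

Run against a real export you would paste the interface ACL into `acl_text` and list the AAA clients configured in ACS as `device_ips`; any device the function returns is one that will authenticate only with its local account until the policy permits TCP 49 in that direction. The scope is deliberately the device-to-ACS direction, since on a stateful firewall the TACACS+ reply rides the same session and needs no separate rule.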

4 REPLIES

New Member

Re: Devices Behind Firewall ACS 4.0 Local

Okay, I can get to my devices that sit on the other side of the firewall fine; it's just when I try to log in using TACACS+ I get "authentication failed", but if I use the local login username and password I can get into the device. So if I understand you correctly, I need to open port 49 and allow SSH to go through the firewall. Correct?

New Member

Re: Devices Behind Firewall ACS 4.0 Local

Never mind. You were right, it is TCP port 49. I had someone in the security group sniff the session and it showed us that he was blocking TCP port 49. So thanks for the help.

Re: Devices Behind Firewall ACS 4.0 Local

Glad to hear your problem is now solved.

Rgds,

AK
