Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
4
Replies

Devices Behind Firewall ACS 4.0 Local

Go to solution
mrashby
Level 1
Level 1

‎05-17-2006 07:26 AM - edited ‎03-10-2019 02:35 PM

All,

I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall. When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authetication to go back to the ACS server. Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 01:37 PM

Hi,

TACACS+ authentication service between Network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from external network, what you need is map your internal network devices with public IP, and open ddesired service port, e.g SSH (tcp 22) on your Firewall outside interface ACL to allow incoming access.

For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.

Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html

Hope this helps.

Rgds,

AK

View solution in original post

0 Helpful
4 Replies 4

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 01:37 PM

Hi,

TACACS+ authentication service between Network devices and AAA Server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access ACS Server (for management purposes) from outside/internet. In your case, if you need to access your devices behind firewall from external network, what you need is map your internal network devices with public IP, and open ddesired service port, e.g SSH (tcp 22) on your Firewall outside interface ACL to allow incoming access.

For your internal devices, you need to have appropriate AAA configuration that point to ACS (e.g TACACS+). In your ACS, set these devices as AAA Client, and configured appropriate IP, secret key and using TACACS+.

Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html

Hope this helps.

Rgds,

AK

0 Helpful

Go to solution
mrashby
Level 1
Level 1
In response to a.kiprawih

‎05-18-2006 04:39 AM

Okay, I can get to my devices fine that sit on the other side of the firewall it's just when I try to login using the TACACS+ I get authentication failed, but if I use the local login username and password I can get into the device. So if I understand you correctly I need to open port 49 and allow SSH to go through the firewall. Correct?

0 Helpful

Go to solution
mrashby
Level 1
Level 1
In response to a.kiprawih

‎05-18-2006 05:21 AM

Nevermind. You were right it is TCP port 49 I had someone in the security group sniff the session and it showed us that he was blocking TCP port 49. So thanks for the help.

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-18-2006 08:42 AM

Glad to hear your problem is now solved.

Rgds,

AK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents