IP Address translation issue for ACS Appliance Ver 4.1

sahmedshahcsd (Level 1)

Hi,

We have an issue: the ACS appliance's IP address has been translated to a different IP on a different segment through the ASA and PIX firewalls. The associated AAA client, a Cat2960 (IOS 12.2), is defined on the ACS, and the translated IP is configured on the client as its TACACS+ server with the same shared secret key.

Communication between the AAA client and the ACS appliance has been verified using the translated IP: the client and the ACS can ping each other in both directions.

But no authentications, either passed or failed, are reported on the ACS. We also tried translating to the same real IP address of the ACS, allowing connectivity for AAA clients from the outside interface to the inside interface on ASA 7.x and PIX 6.3, but that didn't work either.

Any ideas will be appreciated.

Thanks

Regards,

Ahmed

3 Replies

Collin Clark (VIP Alumni)

What does the PIX log say when you try to pass authentication? Does ACS ever see the auth attempt in its logs?

Try this (acs_ip and syslog_ip stand for the real ACS and syslog server addresses):

access-list test permit icmp any any log
access-list test permit tcp any any eq 49 log
access-list test permit ip any any log
access-group test in interface outside
static (inside,outside) acs_ip acs_ip netmask 255.255.255.255
logging on
logging timestamp
logging host inside syslog_ip

It works fine on my system, even as I proxy off the connection from ACS to RSA SecurID:

[root@LinuxES root]# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test3
Password:
Enter your new PIN, containing 4 to 8 digits,
or
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Enter PASSCODE:
C2960#

1- Make sure you allow port 49 through the firewall,
2- make sure you have static NAT properly defined,
3- make sure you have the AAA client defined in the ACS,
4- make sure the pre-shared key matches on both sides.

CCIE Security
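The checklist above, written out as a complete configuration. This is an added example by the editor, not part of the thread, and every address and name in it is assumed: the ACS has real address 10.1.1.10 on the inside, is published on the outside as 172.16.1.10, the switch's management SVI is Vlan50 in 192.168.50.0/24, the syslog collector is 10.1.1.20, and ACS-SHARED-SECRET, ACS-GROUP and VTY-AUTH are placeholder names. One point the checklist leaves implicit: ACS identifies the AAA client by the source address of the request as it arrives, so if the switch's own address is also translated on its way through the firewall, the AAA client entry on the ACS must hold that post-NAT address, not the switch's real one.

```cisco
! ---- PIX 6.3 / ASA 7.x: publish the ACS to the outside segment ----
! One-to-one static for the ACS appliance. The netmask must be a host mask;
! without it the translation is not built and TCP/49 never reaches the ACS.
static (inside,outside) 172.16.1.10 10.1.1.10 netmask 255.255.255.255
! Admit only TACACS+ (TCP/49) from the switch segment to the translated
! address, and log each hit: a blocked request then shows up in syslog as
! 106023 (denied by access-group), a working one as 302013 (TCP connection built).
access-list outside_in permit tcp 192.168.50.0 255.255.255.0 host 172.16.1.10 eq 49 log
access-group outside_in in interface outside
! PIX 6.3 uses "logging on"; on ASA 7.x the equivalent is "logging enable".
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.20

! ---- Catalyst 2960, IOS 12.2: the AAA client ----
aaa new-model
! The switch only ever sees the translated address. The key must be identical
! to the one entered for this AAA client on the ACS (placeholder value here).
tacacs-server host 172.16.1.10 key ACS-SHARED-SECRET
tacacs-server timeout 5
! Source TACACS+ from the management SVI so the ACS always sees the same
! NAS address; that address (after any NAT) is what goes in the ACS AAA client entry.
ip tacacs source-interface Vlan50
aaa group server tacacs+ ACS-GROUP
 server 172.16.1.10
! Fall back to the local database if the ACS is unreachable, so a NAT or
! firewall problem does not lock you out of the switch.
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authorization exec VTY-AUTH group ACS-GROUP local
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTH

! ---- Verification, in the order the packets travel ----
! 1. From the switch: drive an authentication without an interactive login.
!    A PASS or FAIL verdict proves the request reached the ACS and the key
!    matched; a timeout means the flow is blocked, not translated, or the
!    ACS has no AAA client entry for the address it received the request from.
test aaa group ACS-GROUP testuser testpass legacy
debug tacacs
! 2. If the "test aaa" command is absent on this image, at least prove the
!    TCP path: a connection that opens and is then closed by the ACS means
!    port 49 and the static are fine and the problem is on the ACS side.
telnet 172.16.1.10 49
! 3. On the firewall: confirm the translation and the TCP/49 connection exist.
show xlate | include 172.16.1.10
show conn | include 172.16.1.10
```

Read the three checks together: ICMP succeeding while step 1 times out points at the access list or the static (check the firewall syslog for 106023 against 172.16.1.10/49); step 1 returning a verdict while the ACS shows nothing in Passed or Failed Attempts points at the AAA client entry on the ACS not matching the source address the ACS actually sees.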

Jagdeep Gambhir (Level 10)

Please try this:

ACS ---> Network Configuration ---> Proxy Distribution Table ---> bring Deleverance1 into the "Forward To" box and your server name into the left box.

In case you don't see the Proxy Distribution Table, you need to enable it:

Interface Configuration ---> Advanced Options ---> put a check in Distribution Table.

Regards,

~JG