01-07-2008 09:41 PM - edited 03-10-2019 03:35 PM
Hi,
We have an issue where the ACS appliance IP address has been translated to a different IP on a different segment through the firewall (ASA and PIX), and the associated AAA client, a Cat2960 (IOS 12.2), is defined on the ACS and configured with the translated IP as its TACACS+ server, with the same shared secret key.
Communication between the AAA client and the ACS appliance has been verified using the translated IP, as both the client and the ACS can ping each other in either direction.
But no authentications, either passed or failed, are reported on the ACS. We also tried translating to the same real IP address of the ACS, allowing connectivity for AAA clients from the outside interface to the inside interface on ASA 7.x and PIX (6.3), but it didn't work.
Any ideas will be appreciated.
Thanks
Regards,
Ahmed
01-08-2008 06:27 AM
What does the PIX log say when you try and pass authentication? Does ACS ever see the auth attempt in its logs?
01-08-2008 07:55 AM
Try this:
access-list test permit icmp any any log
access-list test permit tcp any any eq 49 log
access-list test permit ip any any log
access-group test in interface outside
static (inside,outside) acs_ip acs_ip netmask 255.255.255.255
logging on
logging timestamp
logging host inside syslog_ip
It works fine on my system even as I proxy off the connection from ACS to RSA SecurID:
[root@LinuxES root]# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test3
Password:
Enter your new PIN, containing 4 to 8 digits,
or
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Enter PASSCODE:
C2960#
1- Make sure you allow port 49 through the firewall,
2- make sure you have static NAT properly defined,
3- make sure you have the AAA client defined in the ACS,
4- make sure the pre-shared key matches on both sides,
CCIE Security
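As an added illustration of item 4 in the checklist above (this is example code written for this page, not from anyone in the thread): TACACS+ does not authenticate the shared secret separately; the server derives an MD5 keystream from the session ID, the secret, the version and the sequence number, XORs it over the body, and only then looks at the length fields. When the secret differs on the two sides, the de-obfuscated body is effectively random and the field lengths no longer add up to the header length, which is how a key mismatch surfaces at the protocol level. The packet builder, the secret and the user/port/address values below are all constructed for the example; the header and START layout follow RFC 8907.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear; never set on a production server
# Authentication START fixed part: action, priv_lvl, authen_type, service, then four field lengths
AUTHEN_START_FIXED = struct.Struct("!BBBBBBBB")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR; the RFC calls it encryption but it is not."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr):
    """Build an authentication START as a NAS would: action LOGIN, priv 1, ASCII type, service LOGIN."""
    body = AUTHEN_START_FIXED.pack(1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet, key):
    """Parse a START packet as the server would; raise ValueError when the body is not consistent."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != 0xC or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not a TACACS+ authentication packet")
    if len(packet) != HEADER.size + length:
        raise ValueError("header says %d body bytes, got %d" % (length, len(packet) - HEADER.size))
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < AUTHEN_START_FIXED.size:
        raise ValueError("short body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = AUTHEN_START_FIXED.unpack_from(body)
    # With the wrong shared secret the de-obfuscated length bytes are effectively random,
    # so the sum below almost never matches the header length.
    if AUTHEN_START_FIXED.size + ulen + plen + rlen + dlen != length:
        raise ValueError("field lengths inconsistent with header length: wrong shared secret?")
    off = AUTHEN_START_FIXED.size
    fields = {}
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type,
                  service=service, session_id=session_id)
    return fields


def decode_with(packet, key):
    """Return the parsed fields, or None when the packet does not parse under this key."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None


# Constructed sample: a START from a switch for user "test3" on line tty0, with a made-up secret
RIGHT_KEY = b"constructed-shared-secret"
WRONG_KEY = b"constructed-shared-secrey"   # one character off, as a typo on one side would be
SAMPLE_START = build_authen_start(0x1A2B3C4D, RIGHT_KEY, b"test3", b"tty0", b"192.168.1.1")

if __name__ == "__main__":
    print("correct key:", decode_with(SAMPLE_START, RIGHT_KEY))
    print("wrong key  :", decode_with(SAMPLE_START, WRONG_KEY))
```

Run as-is to see the same packet decode cleanly under the right secret and fail (or decode to garbage) under the one-character-off secret. Note that this only tells you anything once packets actually arrive: if the firewall ACL or the static translation drops TCP/49, the server never gets a body to de-obfuscate, which is why items 1 and 2 come before item 4 in the checklist.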
01-08-2008 08:45 AM
Please try this:
ACS ---> Network Configuration ---> Proxy Distribution Table ---> bring Deleverance1 into the Forward To box and your server name into the left box.
In case you don't see the Proxy Distribution Table, you need to enable it:
Interface Configuration ---> Advanced Options ---> put a check in Distribution Table.
Regards,
~JG