Remote Administration of ACS Server behind a PIX Firewall

seba
Level 1

Hello

I have an ACS acting as a RADIUS server for the remote users that want to connect to our AS5300. That ACS server is directly on the Internet and I want to move it to an internal network behind a PIX (performing NAT). I've done it but have problems with remote access. When I try to connect to it with IE (http://public_address:2002) the connection is refused as I cannot get to the internal address (192.168.x.y). In fact, the internal address is shown. How can I avoid this? Is there any way to tell the ACS server that NAT is being performed?

Thank you in advance

3 Replies

tepatel
Cisco Employee

ACS will not really care about NAT. You just need to configure the PIX firewall to perform NAT from the public to the private IP address, and also with port redirection.

The firewall must allow HTTP traffic across the range of ports that Cisco Secure ACS is configured to use. You can control the HTTP port range using the HTTP port allocation feature.

Here is the link which will help you for that.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#xtocid1043731

Also for static NAT and port redirection, visit

http://www.cisco.com/warp/public/707/28.html

gfullage
Cisco Employee

The GUI in ACS versions 3.0(2) and higher will work through a NAT device properly.

As the previous person said, make sure you set it up to only use certain ports after you login (Admin Control - Access Policy), then just allow those specific ports through the firewall.
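To make the two replies concrete, here is a PIX 6.x configuration fragment added as an example; it is not from the original thread or from Cisco's documentation linked above. It assumes a public address of 203.0.113.10, an internal ACS host of 192.168.1.20, an administrator workstation at 198.51.100.5, and that the ACS HTTP port allocation (Administration Control - Access Policy) has already been restricted to the constructed range 50000-50004; all of these values are placeholders. PIX 6.x `static` statements take one port each, so every port in the ACS range gets its own line, and the access list admits only the administrator's address rather than `any`, since the ACS admin GUI is what is being exposed.

```text
! --- Example only: PIX 6.x static NAT with port redirection for ACS ---
! Initial admin connection to the ACS GUI (TCP 2002)
static (inside,outside) tcp 203.0.113.10 2002 192.168.1.20 2002 netmask 255.255.255.255 0 0
! Ports the ACS session is redirected to after login; must match the
! range configured in ACS under Administration Control - Access Policy
static (inside,outside) tcp 203.0.113.10 50000 192.168.1.20 50000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 50001 192.168.1.20 50001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 50002 192.168.1.20 50002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 50003 192.168.1.20 50003 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 50004 192.168.1.20 50004 netmask 255.255.255.255 0 0
! Permit only the administrator's host to reach the forwarded ports
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 2002
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 range 50000 50004
access-group outside_in in interface outside
```

If the browser is still redirected to a 192.168.x.y address after login, the ACS version is the first thing to check against the 3.0(2) note above; the NAT statements alone cannot rewrite an address that ACS writes into its own redirect URL. Keeping the allocated port range small also keeps the number of `static` lines and the exposed surface small, and `show xlate` on the PIX will confirm that the translations are being used.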

Ok

Thank you