Community Member

source-address for TACACS+

My customer has an ASA and wants to do aaa authentication tacacs+. The ACS server, however, is accessible through an IPsec VPN tunnel terminating on the outside interface of the ASA.

Whenever a user logs into the ASA, the request will be sent out via the outside interface with the source IP address of the outside interface of the ASA, thus not meeting my encryption list. How can I do this? I cannot add the outside interface IP address to the encryption list. What I need is a command like: tacacs source ip address a.b.c.d.

3 REPLIES
Cisco Employee

Re: source-address for TACACS+

You can add the inside interface in the aaa-server configuration.

Example as follows:

aaa-server myaaa (inside) host

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1538618

Hope that helps.

Community Member

Re: source-address for TACACS+

Dear halijenn,

Thank you very much for your reaction, but this did not help. Any other suggestions?

The problem is that the source IP address sent from my ASA does not match the encryption list.

Cisco Employee

Re: source-address for TACACS+

When you specify the "(inside)" on the aaa-server, the tacacs packet will be sourced from the inside interface.

Please also configure "management-access inside" command.

If you tried to generate a ping from the ASA: ping inside , you should have a reply and the ping packet will be sourced from the inside interface going towards the tacacs server.
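
The configuration the replies describe, put together as an added example (not posted by anyone in the thread). The addresses are constructed: 192.0.2.10 stands in for the ACS server behind the tunnel and 10.1.1.1 for the ASA inside interface; the names TACACS-ACS and VPN-ACL and the key placeholder are hypothetical.

```cisco
! Constructed values: ACS server 192.0.2.10, ASA inside interface 10.1.1.1.
! TACACS-ACS and VPN-ACL are hypothetical names.

! Source TACACS+ requests from the inside interface instead of outside
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 192.0.2.10
 key <shared-secret>

! Let the ASA use its inside interface address for traffic crossing the tunnel
management-access inside

! The encryption list (crypto ACL) must match the inside interface address
! as source; add this entry only if the inside subnet is not already covered
access-list VPN-ACL extended permit ip host 10.1.1.1 host 192.0.2.10

! Keep LOCAL as fallback so administrators are not locked out
! when the tunnel or the ACS server is down
aaa authentication ssh console TACACS-ACS LOCAL

! Verification from the ASA: the ping is sourced from the inside address,
! and the IPsec SA counters should increase for the 10.1.1.1 -> 192.0.2.10 pair
ping inside 192.0.2.10
show crypto ipsec sa
```

The remote tunnel endpoint needs the mirrored crypto ACL entry, otherwise the TACACS+ packets are encrypted on the ASA side but no matching SA is negotiated.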
