AAA Authentication for Outside Router through PIX 515
I have been unsuccessful in getting AAA authentication working to my outside router, through the PIX.
When I connect the router directly to the inside network (bypassing the PIX) AAA works fine, so I know that the AAA configuration works between the router and the ACS server.
Initially I had the PIX configured with a static map between a global outside address 192.x.x.12 and an inside local address 10.200.1.187 for the ACS server, but that did not work either. So, currently I am trying to use NAT exemption for the ACS server, but it does not work either.
If I enable packet debugging on the PIX, I see the ACS authentication request and response going back and forth between the router and the ACS when I attempt to login to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS requests a RST.
The attached diagram shows the simple connection I am attempting to create.
The configuration of the PIX is also attached. (message size too large):
Thanks in advance for your help. I've been searching CCO for two days now, and have not found any solutions that resemble this.
Re: AAA Authentication for Outside Router through PIX 515
Thank you for posting this response. I did not see it prior to fixing the problem (I selected the notify option when I posted, but never received notification that you responded).
You mentioned the item that was preventing AAA from authenticating. For the ACS, I did not have the IP address for the outside router interface in the ACS, so it would not respond to AAA requests from the router. Once the IP address was added to ACS, it worked perfectly.
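As an added illustration of the failure described in this thread (this is example code, not from the original posts and not Cisco's own software), the following Python model shows the server side of a TACACS+ authentication START the way an ACS-style server processes it: the source IP of the request is looked up in the AAA-client table first, and only then is that client's shared key used to de-obfuscate the body with the RFC 8907 MD5 keystream. A request from an address that is not in the table is refused before any decoding, which matches the symptom above, where the router's PIX-facing interface address had not been added to ACS. Addresses, keys, the session id and the START body are constructed placeholders; the exact reject wording is the model's own, not ACS's.

```python
import hashlib
import os
import struct
from ipaddress import ip_address
from typing import Optional

TAC_PLUS_VERSION = 0xC0   # major version 12, minor 0 (RFC 8907)
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication
HEADER_FMT = "!BBBB4sI"   # version, type, seq_no, flags, session_id, body length


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; applying it twice restores the original."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_start_body(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Authentication START body: 8 fixed bytes followed by user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01  # login, priv 1, ASCII, login
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body: bytes, key: bytes, seq_no: int = 1,
                 session_id: Optional[bytes] = None) -> bytes:
    """What the router (the AAA client) puts on the wire for one START."""
    session_id = session_id or os.urandom(4)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


class AcsSimulator:
    """Minimal stand-in for the server's AAA-client table and START handling (constructed)."""

    def __init__(self) -> None:
        self.clients = {}  # source IP the server actually sees -> shared key

    def add_client(self, ip: str, key: str) -> None:
        self.clients[ip_address(ip)] = key.encode()

    def handle(self, src_ip: str, packet: bytes):
        # Step 1: the client is identified by the packet's source address. If the
        # router's PIX-facing interface is not registered, nothing else happens.
        key = self.clients.get(ip_address(src_ip))
        if key is None:
            return ("reject", "unknown AAA client")
        # Step 2: de-obfuscate with that client's key and sanity-check the body.
        version, _ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
        body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
        try:
            _a, _p, _t, _s, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
        except struct.error:
            return ("reject", "short packet")
        # With the wrong shared key the body decodes to noise and the lengths no longer add up.
        if 8 + ulen + plen + rlen + dlen != length:
            return ("reject", "body lengths inconsistent (shared key mismatch?)")
        user = body[8:8 + ulen].decode("ascii", errors="replace")
        return ("accept", user)


if __name__ == "__main__":
    acs = AcsSimulator()
    acs.add_client("10.200.1.1", "insidekey")          # an inside device (constructed)
    pkt = build_packet(build_start_body("admin", "tty0", "192.0.2.1"), b"sharedkey")
    print(acs.handle("192.0.2.1", pkt))                 # outside router not registered -> reject
    acs.add_client("192.0.2.1", "sharedkey")            # register the PIX-facing interface
    print(acs.handle("192.0.2.1", pkt))                 # -> ('accept', 'admin')
```

The address to register is the one that arrives at the server after any translation on the path; in this topology the router on the outside is not source-translated by the PIX, so its outside interface address is what ACS must hold. Note that the MD5 keystream is obfuscation, not encryption, so the shared key protects against misconfiguration and casual inspection rather than a determined on-path attacker.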