Cisco Support Community

DMZ won't pass RADIUS traffic to inside

I just set up a Cisco 1121 Aironet WAP to work with WPA authenticating to a MS IAS server (RADIUS). It works fine, clients can authenticate, access internet,

I moved the access point to the DMZ on PIX 515E and added nat statements and ACL for dmz to inside.

Now the clients cannot authenticate to the RADIUS server. I am getting an error

4|Jan 04 1993 13:23:11|106023: Deny udp src dmz: dst inside: by access-group "DMZ_TO_INSIDE"

This does not make any sense, because my ACL opens ports 1645 and 1646 to the RADIUS server. See below:

access-list DMZ_TO_INSIDE remark Allow ping from DMZ to INSIDE
access-list DMZ_TO_INSIDE extended permit icmp
access-list DMZ_TO_INSIDE extended permit udp host host eq radius
access-list DMZ_TO_INSIDE extended permit udp host host eq radius-acct
access-group DMZ_TO_INSIDE in interface dmz
static (dmz,outside) netmask
static (inside,dmz) netmask
static (inside,dmz) netmask

I have been working on this for 4 hours with no progress. I tried opening all traffic to and from the dmz and rebuilt the WAP setup, rebuilt the IAS client entry, etc.

Any help would be greatly appreciated.

Thanks in advance.

Lucky Mace


Re: DMZ won't pass RADIUS traffic to inside

It looks like your WAP is still trying to access the Radius server by its physical address, not the translated address in the DMZ. Look into that config, and change the Radius server to, it should work then.
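Added example, not part of the thread: a small Python check that compares a 106023 deny line with the permit entries of the ACL it names and reports which field failed to match. The addresses are constructed (the ones in the post are elided), the function names are hypothetical, and the ACL is assumed to be written against the server's translated DMZ address, as the reply suggests.

```python
import re

PORT_NAMES = {"radius": 1645, "radius-acct": 1646}  # port names as used in the post

# Constructed sample input: the WAP targets the server's real (inside) address,
# while the ACL permits the translated (DMZ-side) address.
DENY_LINE = ('4|Jan 04 1993 13:23:11|106023: Deny udp src dmz:172.16.1.10/21645 '
             'dst inside:192.168.1.20/1645 by access-group "DMZ_TO_INSIDE"')
ACL = """\
access-list DMZ_TO_INSIDE remark Allow RADIUS from WAP to IAS
access-list DMZ_TO_INSIDE extended permit udp host 172.16.1.10 host 172.16.1.20 eq radius
access-list DMZ_TO_INSIDE extended permit udp host 172.16.1.10 host 172.16.1.20 eq radius-acct
"""

DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access[-_]group "(?P<acl>[^"]+)"')
ACE_RE = re.compile(
    r'access-list (?P<acl>\S+) extended permit (?P<proto>\w+) '
    r'host (?P<src>[\d.]+) host (?P<dst>[\d.]+) eq (?P<port>\S+)')

def parse_aces(config):
    """Return the host-to-host permit entries, with port names resolved to numbers."""
    aces = []
    for m in ACE_RE.finditer(config):
        ace = m.groupdict()
        p = ace["port"]
        ace["port"] = int(p) if p.isdigit() else PORT_NAMES.get(p)
        aces.append(ace)
    return aces

def explain_deny(line, config):
    """For each permit entry of the ACL named in the deny, list the mismatched fields."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    deny = m.groupdict()
    report = []
    for ace in parse_aces(config):
        if ace["acl"] != deny["acl"]:
            continue
        misses = [f for f in ("proto", "src", "dst") if ace[f] != deny[f]]
        if ace["port"] != int(deny["dport"]):
            misses.append("dport")
        report.append((ace["dst"], ace["port"], misses))
    return report

if __name__ == "__main__":
    for dst, port, misses in explain_deny(DENY_LINE, ACL):
        print(f"permit to {dst}/{port}: mismatched fields {misses or 'none'}")
```

A `dst` mismatch on the entry whose port does match is the pattern the reply describes: the ports are open, but for a different destination address than the one the access point is using.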
