Cisco Support Community

Urgent help needed with NATing and TACACS authentication

Hi everyone,

Really need some network advice here. Due to the complexity of what my network structure is like, I have decided to insert a network diagram to depict my problem, so PLEASE check the diagram out before you read further.

I'm having difficulties in allowing ROUTER BETA to be authenticated via my TACACS server via the private NAT address. I have entered the following command on my FIREWALL ALPHA router to NAT ROUTER BETA:

Static (outside,inside) netmask

From my TACACS server end, I'm able to ping and once the configuration above is applied on FIREWALL ALPHA. However I'm unable to telnet to from my TACACS server. I'm able to telnet to ROUTER BETA using the ip address however the router is not able to authenticate with my TACACS server.

PLEASE NOTE THAT THE ACLS on my INTERNAL FIREWALL, FIREWALL ALPHA and ROUTER ALPHA are all set to permit ip any any (in other words nothing is blocked).

When I remove the static command above, everything returns to normal; I'm able to telnet to the 202.178.105.126 IP address from my TACACS server and the router is able to authenticate with my TACACS server.

In my diagram I've also put another network called BETA Network. BETA Network works very similar to Alpha Network, however when I apply the following NAT config on the FIREWALL BETA device to NAT my ROUTER BETA:

Static (outside,inside) netmask

It works perfectly fine. I'm able to ping both the private and public addresses and telnet both the IP addresses and using both IP addresses, my ROUTER BETA device is able to authenticate with my TACACS server without any issue.

Again like in ALPHA network, the ACLs for FIREWALL BETA and ROUTER BETA are all set to permit ip any any (nothing is blocked).

I'm just perplexed as to why this problem is only occurring on ROUTER ALPHA and the ALPHA network.

Appreciate any help on this.


Edit: apologies, added the wrong diagram

Re: Urgent help needed with NATing and TACACS authentication

You may be getting this problem because the router alpha is getting advertised routes that have a good metric compared to the route which is through the firewall alpha. In other words the traffic coming from TACACS server to router alpha is passing through firewall alpha but the traffic (or reply traffic) from router alpha to TACACS server goes through the other route (where it gets blocked). You may try running some routing protocol and see if it solves your problem.
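The failure mode described in the question (static NAT on FIREWALL ALPHA, TACACS server can ping the mapped address but cannot complete a TCP session) and the explanation in the reply (return traffic from ROUTER ALPHA taking a different path than the forward traffic) can be shown in a small simulation. The following Python script is an added example and is not code from the original thread or from Cisco; it models a host sending a TCP SYN to a statically NATed address through a firewall that rewrites the destination on the way in and the source on the way out, then compares a symmetric return path with one that bypasses the firewall. All addresses (10.1.1.5 for the TACACS server, 10.1.2.1 for the mapped address, 203.0.113.1 for the router's real address) and device names are constructed for the illustration; the real topology and addresses from the diagram are not reproduced.

```python
"""Simulate a TCP handshake through a static NAT with symmetric vs. asymmetric return paths.

Constructed example: addresses, device names and routes are invented for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed addresses (RFC 1918 / RFC 5737), not the ones from the original thread.
TACACS_IP = "10.1.1.5"            # TACACS server, on the inside of the firewall
ROUTER_ALPHA_REAL = "203.0.113.1"  # router's real (outside) address
ROUTER_ALPHA_MAPPED = "10.1.2.1"   # inside address the firewall maps to the router

NO_ROUTE = "<no-route>"  # sentinel returned by a router with no matching route


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"


class Host:
    """End host: consumes packets addressed to it, sends everything else to its gateway."""

    def __init__(self, name, addr, gateway):
        self.name, self.addr, self.gateway = name, addr, gateway

    def forward(self, pkt):
        if pkt.dst == self.addr:
            return None, pkt  # delivered locally
        return self.gateway, pkt


class Router:
    """Forwards by longest-prefix match over a list of (prefix, next_hop_name) routes."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def forward(self, pkt):
        addr = ipaddress.ip_address(pkt.dst)
        matches = [(n, nh) for n, nh in self.routes if addr in n]
        if not matches:
            return NO_ROUTE, pkt
        return max(matches, key=lambda m: m[0].prefixlen)[1], pkt


class Firewall(Router):
    """Router that also applies a static, bidirectional NAT mapping (real <-> mapped)."""

    def __init__(self, name, routes, static_nat):
        super().__init__(name, routes)
        self.real_to_mapped = dict(static_nat)
        self.mapped_to_real = {m: r for r, m in static_nat.items()}

    def forward(self, pkt):
        if pkt.dst in self.mapped_to_real:      # inbound: rewrite destination to the real address
            pkt = Packet(pkt.src, self.mapped_to_real[pkt.dst], pkt.flag)
        elif pkt.src in self.real_to_mapped:    # outbound: rewrite source to the mapped address
            pkt = Packet(self.real_to_mapped[pkt.src], pkt.dst, pkt.flag)
        return super().forward(pkt)


def deliver(pkt, start, topology, max_hops=8):
    """Walk a packet hop by hop. Returns (path, delivered_packet_or_None, receiving_node_or_None)."""
    node, path = start, [start]
    for _ in range(max_hops):
        nxt, pkt = topology[node].forward(pkt)
        if nxt is None:
            return path, pkt, node           # consumed by an end host
        if nxt not in topology:
            return path, None, None          # no route: dropped
        node = nxt
        path.append(node)
    return path, None, None                  # loop / too many hops


def handshake(topology, client, server_mapped_addr):
    """Client sends SYN to the mapped address; succeeds only if the SYN-ACK comes back
    from that same mapped address, which is the peer the client's TCP socket expects."""
    syn = Packet(topology[client].addr, server_mapped_addr, "SYN")
    fwd_path, arrived, server = deliver(syn, client, topology)
    if arrived is None:
        return False, fwd_path, []
    # The server answers from the address the SYN was delivered to (its real address).
    synack = Packet(arrived.dst, arrived.src, "SYN-ACK")
    ret_path, reply, node = deliver(synack, server, topology)
    ok = reply is not None and node == client and reply.src == server_mapped_addr
    return ok, fwd_path, ret_path


def build_topology(router_alpha_gateway):
    """router_alpha_gateway selects the return path: 'fw_alpha' (symmetric) or 'alt_path' (bypass)."""
    return {
        "tacacs": Host("tacacs", TACACS_IP, gateway="fw_alpha"),
        "fw_alpha": Firewall("fw_alpha",
                             routes=[("10.1.1.0/24", "tacacs"), ("0.0.0.0/0", "router_alpha")],
                             static_nat={ROUTER_ALPHA_REAL: ROUTER_ALPHA_MAPPED}),
        "router_alpha": Host("router_alpha", ROUTER_ALPHA_REAL, gateway=router_alpha_gateway),
        # Constructed bypass link: reaches the TACACS subnet without passing the firewall.
        "alt_path": Router("alt_path", routes=[("10.1.1.0/24", "tacacs")]),
    }


def symmetric_case():
    return handshake(build_topology("fw_alpha"), "tacacs", ROUTER_ALPHA_MAPPED)


def asymmetric_case():
    return handshake(build_topology("alt_path"), "tacacs", ROUTER_ALPHA_MAPPED)


if __name__ == "__main__":
    for label, (ok, fwd, ret) in (("symmetric", symmetric_case()), ("asymmetric", asymmetric_case())):
        print(f"{label}: handshake {'OK' if ok else 'FAILED'}; forward {fwd}; return {ret}")
```

In the symmetric case the SYN-ACK passes back through the firewall, its source is rewritten to the mapped address, and the client's connection completes. In the asymmetric case the router's reply follows the bypass link, so it reaches the TACACS server still carrying the router's real address; the server has no connection to that peer and discards it, which matches the symptom of ping and telnet to the mapped address behaving differently (ICMP echo replies are routed the same way, but a TCP session also needs the return source to match). If the alternate path carries a stateful firewall instead, the reply is dropped there for the same reason: that device never saw the SYN. Either way the remedy is the one in the reply, making ROUTER ALPHA's route back to the TACACS subnet point through FIREWALL ALPHA.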
