Urgent help needed with NATing and TACACS authentication
Really need some network advice here. Due to the complexity of my network structure, I have decided to insert a network diagram to depict my problem, so PLEASE check the diagram out before you read further.
I'm having difficulties in allowing ROUTER BETA to be authenticated via my TACACS server via the private NAT address. I have entered the following command on my FIREWALL ALPHA router to NAT ROUTER BETA:
From my TACACS server end, I'm able to ping 172.22.120.22 and 18.104.22.168 once the configuration above is applied on FIREWALL ALPHA. However, I'm unable to telnet to 22.214.171.124 from my TACACS server. I'm able to telnet to ROUTER BETA using the 172.22.120.22 IP address; however, the router is not able to authenticate with my TACACS server.
PLEASE NOTE THAT THE ACLS on my INTERNAL FIREWALL, FIREWALL ALPHA and ROUTER ALPHA are all set to permit ip any any (in other words nothing is blocked).
When I remove the static command above, everything returns to normal; I'm able to telnet to the 126.96.36.199 IP address from my TACACS server and the router is able to authenticate with my TACACS server.
In my diagram I've also put another network called BETA Network. BETA Network works very similar to Alpha Network, however when I apply the following NAT config on the FIREWALL BETA device to NAT my ROUTER BETA:
It works perfectly fine. I'm able to ping both the private and public addresses and telnet to both IP addresses, and using either IP address, my ROUTER BETA device is able to authenticate with my TACACS server without any issue.
Again, like in the ALPHA network, the ACLs for FIREWALL BETA and ROUTER BETA are all set to permit ip any any (nothing is blocked).
I'm just perplexed as to why this problem is only occurring on ROUTER ALPHA and the ALPHA network.
Re: Urgent help needed with NATing and TACACS authentication
You may be getting this problem because router alpha is receiving advertised routes that have a better metric than the route through firewall alpha. In other words, the traffic coming from the TACACS server to router alpha passes through firewall alpha, but the traffic (the reply traffic) from router alpha to the TACACS server goes through the other route (where it gets blocked). You may try running a routing protocol and see if it solves your problem.
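One way to check for the asymmetric return path the reply describes, and to pin the router's TACACS+ traffic to the interface that sits behind FIREWALL ALPHA, as an added example that is not part of the original thread (Cisco IOS commands). The TACACS server address 10.0.0.10, the firewall inside hop 172.22.120.1, the public address 192.0.2.22, the interface name and the key are placeholders chosen here, not taken from the posters' configurations; 172.22.120.22 is the private address quoted in the post.

```cisco
! --- On ROUTER ALPHA: see which way replies to the TACACS server leave ---
! Assumed addresses: TACACS server 10.0.0.10, inside address 172.22.120.22 (from the post),
! FIREWALL ALPHA inside hop 172.22.120.1. Interface names and the key are placeholders.
show ip route 10.0.0.10
! If the next hop shown is not FIREWALL ALPHA, the reply path is asymmetric:
! the server's packets arrive via the firewall but the router answers elsewhere.
traceroute 10.0.0.10 source 172.22.120.22
!
! --- Source TACACS+ from the interface behind FIREWALL ALPHA so the packets carry the NATed address ---
interface GigabitEthernet0/0
 description link toward FIREWALL ALPHA (placeholder name)
 ip address 172.22.120.22 255.255.255.0
!
tacacs server TAC1
 address ipv4 10.0.0.10
 key SHARED-SECRET
!
ip tacacs source-interface GigabitEthernet0/0
!
! Pin the return path toward the server through FIREWALL ALPHA: a /32 is more specific
! than any advertised route, so it wins regardless of the other route's metric.
ip route 10.0.0.10 255.255.255.255 172.22.120.1
!
! --- On FIREWALL ALPHA: the one-to-one static NAT and a way to see both directions hit it ---
ip nat inside source static 172.22.120.22 192.0.2.22
show ip nat translations
show ip nat statistics
! A static entry whose hit counters grow only for the inbound direction is another
! sign that the router's replies are bypassing the NAT device.
```

The /32 route is a deliberate pin: it avoids the asymmetry without touching the rest of the routing table, whereas running a routing protocol (as the reply suggests) fixes the same problem by making all routers agree on the path. Either way, the check is the same: traceroute from the router with the NATed inside address as source must traverse FIREWALL ALPHA.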