Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Can't get TACACS working with ASA5510 over VPN tunnel

Hi, I have looked around on the web but cannot seem to find an answer to this one.

I have a remote ASA5510 firewall which I need to manage via TACACS. The ASA connects to my core network via a VPN tunnel which terminates on a cisco 2811 router. The VPN is up and working fine.

When debugging the TACACS requests what appears to be happening is that the traffic is not getting decrypted as it passes through the cisco 2811 on its way to the TACACS host despite the crypto ACLs being correct on both the ASA and the 2811 to captue the traffic flows between the ASA's outside interface and the TACACS host. All other relevant access-list rules and ssh commands are in place.

Are there any funnies i need of be aware off when trying to get TACACS working over the VPN to the ASA?

Will the ASA actually encrypt the TACACS request as part of the VPN given it is sourcing the flow itself on its outside interface which is also the endpoint address of the VPN tunnel?

Thanks for looking.

3 REPLIES

Re: Can't get TACACS working with ASA5510 over VPN tunnel

Hi,

If the TACACS+ packets from the ASA are being sourced from the ASA's outside interface, then you should include this IP in the ACL for interesting traffic.

The outside IP of the ASA should be part of the VPN traffic.

For example:

If the inside network behind the router is 10.1.1.0/24

If the inside network behind the ASA is 192.168.1.0/24

If the public IP of the ASA is 200.1.1.1

Then, besides having the crypto ACL flowing between 10.1.1.0/24 and 192.168.1.0/24, the traffic should be encrypted when flowing between the 10.1.1.0/24 and 200.1.1.1 as well.

Another option is to source the TACACS+ packets from the inside interface of the ASA (not sure if the ASA allows you to do this).

Federico.

Community Member

Re: Can't get TACACS working with ASA5510 over VPN tunnel

Thanks for the reply.

Yes, I have included the outside interface in the ACL's that specify the interesting traffic, for examle :

Where the outside interface of the ASA is 1.1.1.1

and

The TACACS host is 2.2.2.2

The on the ASA:

access-list encrypt-acl extended permit ip host 1.1.1.1 host 2.2.2.2

Then on the 2811 that terminates the tunnel:

access-list encrypt-acl extended permit ip host 2.2.2.2 host 1.1.1.1

These are basically additions to the existing and working crypto ACLs.

Re: Can't get TACACS working with ASA5510 over VPN tunnel

Then you should see a security association created for that traffic on phase two of the VPN tunnel.

If you do this command on the router:  sh cry ips sa peer x.x.x.x   --> x.x.x.x is the public IP of the ASA

And also the same command on the ASA.

It will show you a pair of SAs for each ACL (crypto ACL for that tunnel).

You should be able to see if traffic is being encrypted/decrypted between the ASA and the TACACS+

Federico.

1431
Views
0
Helpful
3
Replies
CreatePlease to create content