Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
0
Helpful
4
Replies

IPSec tunnel Cisco ASA itself

Roger Base
Level 1
Level 1

‎06-22-2017 06:06 AM - edited ‎02-21-2020 09:20 PM

hi, I want to get TACACS traffic which is coming from ASA1 itself going through the IPSEC tunnel to the ISE. But how do I put the traffic coming from ASA1 itself to the IPSEC tunnel?

Labels:
0 Helpful
4 Replies 4

Rahul Govindan
VIP Alumni
VIP Alumni

‎06-22-2017 06:37 AM

Tacacs traffic is going to be initiated from the outside interface of the ASA1. This is because the ISE server is relatively located on the outside with regards to the ASA1. You would have to add the ASA1's outside ip address to the crypto ACL on both sides.

So on ASA1

access-list <existing-crypto-acl> permit ip host <ASA1 outside ip address> host <ise ip address>

on ASA2

access-list <existing-crypto-acl> permit ip host <ise ip address> host <ASA1 outside ip address>

0 Helpful

Roger Base
Level 1
Level 1
In response to Rahul Govindan

‎06-22-2017 07:59 AM

Yes i see that. But what if I only wants tacacs traffic through the ipsec and not all traffic coming from asa1 outside interface ?

Thx 

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to Roger Base

‎06-22-2017 08:04 AM

In that case, change your crypto ACL to have only the TACAC's port.  As long as the ACL's are mirrored on both sides, this should work.

Alternatively you can leave the crypto ACL as above and use a VPN filter in the ASA group-policy to restrict what traffic you need to go over. An example below:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc7

0 Helpful

Roger Base
Level 1
Level 1
In response to Rahul Govindan

‎06-23-2017 02:19 AM

Thanks for quick reply. ASA1 Outside interface is external IP address. Will it be possible to NAT to RFC1918 address and put that into the tunnel?

Lets says. If ASA1 wants to communicate with ISE. It should source from: 100.100.100.100 and not from its own Outside interface IP address. 

Will this be possible?

nat (outside,outside) source static ASA_OUTSIDE NAT_ADDRESS destination static ISE ISE no-proxy-arp

ASA_OUTSIDE = ASA Outside IP address

NAT_ADDRESS = 100.100.100.100

ISE = ISE IP

(100.100.100.100 is just random IP address)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents