Cisco Support Community
Remote ASA cannot use TACACS authentication

Hi,

I have the following setup:

TACACS --- LAN --- ASA1 ==== IPSec === ASA2 --- SW1

In my configuration, I can manage the remote ASA (ASA2) on its inside interface, through the IPSec tunnel with SSH. For that, I entered the command "management-access inside". Everything works properly, the remote LAN stations can communicate with the central site through the VPN tunnel.

The problem I have is that when I use TACACS to authenticate an incoming SSH console access through the IPSec tunnel, the ASA2 device generates an authentication request for the TACACS server, but doesn't find the next hop towards the TACACS server in the central site (a message is logged).

The strange thing is that when accessing the switch SW1 via SSH, TACACS authentication works well. So, the TACACS packets go through ASA2 and then through the IPSec tunnel. Only ASA2 self-generated TACACS packets don't!

Thank you for any tips

Yves

1 REPLY

Re: Remote ASA cannot use TACACS authentication

Follow the URL for the TACACS+ Authentication Configuration guide for ASA. It may help you.

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml
