Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

TACACS over site-to-site tunnel

I have a site-to-site ipsec tunnel connection set up between two sites using asa 5520s.  At our main site, all outbound traffic is pat'ed to it's outside interface address, excluding site-to-site ipsec tunnel traffic.  The secondary site tunnels all traffic through the main site via the ipsec tunnel, and allows no outbound or inbound traffic otherwise, so it's outside interface ip serves no real purpose outside of being a peer address for the tunnel.

The tacacs server is located on the main site's internal network.  At the main site, tacacs is used to authenticate admin access to all local network devices.  However, I have been unable to get tacacs to work when attempting to authenticate over the tunnel to the secondary site's asa.  Due to the nature of the configuration (crypto map acl permits main site's internal networks to secondary site's internal networks without nat while all other traffic is nat'ed) I authenticate from the main site to the inside interface of the secondary site's asa, using local creds configured on the secondary asa.  I would prefer to use tacacs in this scenario.

The problem is when I attempt to enable tacacs authenticationon on the secondary site's asa, it never works.  I'm assuming that the problem is that the secondary asa attempts to send the authentication request through the outside interface, which is not not included in the crypto map acl, so it fails.  Secondly, it may fail because interface acl doesn't allow anything out anyway, so it never goes anywhere.  I'm wondering if there is a way to set authentication to originate from an interface other than the outside ip address (like the inside interface) so that the tacacs traffic can traverse the tunnel without a bunch of changes in configuration necessary.  I don't want to attempt to add the outside interface to the crypto map configuration if I don't have to, it wouldn't work anyway.

Any ideas?

Everyone's tags (3)

Re: TACACS over site-to-site tunnel

I'm not 100% sure on this, so lab it up first.

Since you're changing the management interface, it should source from this interface when contacting your AAA server..

Re: TACACS over site-to-site tunnel

Thanks.  I'll give this a shot.

Cisco Employee

Re: TACACS over site-to-site tunnel

plus you should be able to source the tacacs traffic from your inside interface:

aaa-server (inside) host x.x.x.x

CreatePlease login to create content