topic IP Address translation issue for ACS Appliance Ver 4.1 in Network Access Control

IP Address translation issue for ACS Appliance Ver 4.1

sahmedshahcsd — Sun, 10 Mar 2019 22:35:30 GMT

Hi,

We have one issue of ACS appliance IP address has been translated to a different IP on different segment through the firewall ASA and PIX and associated AAA client Cat2960 (IOS 12.2) on the ACS with translated IP for TACACS+ server configured with same shared secret key.

Communication between AAA client and ACS appliance is verified using translated IP as both client and ACS can able to ping each other in either directions.

But no authentications either pass or failed reported on ACS, We also tried translating to the same real ip address of ACS allowing connectivity for AAA clients from outside interface to the inside interface on ASA 7.x and PIX(6.3) but didnt worked.

any ideas will be appreciated

Thanks

Regards,

Ahmed

Re: IP Address translation issue for ACS Appliance Ver 4.1

Collin Clark — Tue, 08 Jan 2008 14:27:44 GMT

What does the PIX log say when you try and pass authentication? Does ACS ever see the auth attempt in its logs?

Re: IP Address translation issue for ACS Appliance Ver 4.1

cisco24x7 — Tue, 08 Jan 2008 15:55:55 GMT

Try this:

access-list test permit icmp any any log

access-list test permit tcp any any eq 49 log

access-list test permit ip any any log

access-group test in interface outside

static (i,o) acs_ip acs_ip net /32

logging on

logging timestamp

logging host inside syslog_ip

It works fine on my system even as I proxy off

the connection from ACS to RSA SecurID:

[root@LinuxES root]# telnet 192.168.1.1

Trying 192.168.1.1...

Connected to 192.168.1.1 (192.168.1.1).

Escape character is '^]'.

*****************

User Access Verification

Username: test3

Password:

Enter your new PIN, containing 4 to 8 digits,

to cancel the New PIN procedure:

Please re-enter new PIN:

Wait for the code on your card to change, then log in with the new PIN

Enter PASSCODE:

C2960#

1- Make sure you allow port 49 through the

firewall,

2- make sure you have static NAT properly

defined,

3- make sure you have AAA client defined

in the ACS,

4- make sure the pre-share key matches on

both sides,

CCIE Security

Re: IP Address translation issue for ACS Appliance Ver 4.1

Jagdeep Gambhir — Tue, 08 Jan 2008 16:45:05 GMT

Please try this,

acs--->network configuration--->Proxy dis table---> Bring Deleverance1 in the fwd to box and your server name in the left box.

Incase you dont see proxy dis table , then you need to enable it

Interface configuration---> Advance option ---> Put a check in distribution table.

Regards,

~JG