https://community.cisco.com/t5/network-access-control/tacacs-via-an-asa/m-p/1108732#M389260 <HTML><HEAD></HEAD><BODY><P>Sure it can (we do it). You just need to translate from outside to inside. Here is an example, assume ACS is 192.168.1.10.</P><P></P><P>static (inside,outside) 192.168.1.10 access-list TACACS tcp 65535 10000</P><P></P><P>Since the static uses an ACL, here is that part as well-</P><P></P><P>access-list TACACS extended permit ip host 192.168.1.10 host [public IP] </P><P></P><P>The public IP in our case is the internet router and it requires a static route for the private IP pointing to the firewall.</P><P></P><P>Hope that helps.</P><P></P></BODY></HTML> Tue, 30 Dec 2008 13:55:01 GMT Collin Clark 2008-12-30T13:55:01Z https://community.cisco.com/t5/network-access-control/tacacs-via-an-asa/m-p/1108731#M389190 <P>Is it possible for a Cisco device (router or switch) to authenticate to an ACS via an ASA utilizing a Network Address Translation. If so, what needs to be added to a config for this to take place.</P> Sun, 10 Mar 2019 23:15:18 GMT https://community.cisco.com/t5/network-access-control/tacacs-via-an-asa/m-p/1108731#M389190 dphills18 2019-03-10T23:15:18Z https://community.cisco.com/t5/network-access-control/tacacs-via-an-asa/m-p/1108732#M389260 <HTML><HEAD></HEAD><BODY><P>Sure it can (we do it). You just need to translate from outside to inside. Here is an example, assume ACS is 192.168.1.10.</P><P></P><P>static (inside,outside) 192.168.1.10 access-list TACACS tcp 65535 10000</P><P></P><P>Since the static uses an ACL, here is that part as well-</P><P></P><P>access-list TACACS extended permit ip host 192.168.1.10 host [public IP] </P><P></P><P>The public IP in our case is the internet router and it requires a static route for the private IP pointing to the firewall.</P><P></P><P>Hope that helps.</P><P></P></BODY></HTML> Tue, 30 Dec 2008 13:55:01 GMT https://community.cisco.com/t5/network-access-control/tacacs-via-an-asa/m-p/1108732#M389260 Collin Clark 2008-12-30T13:55:01Z