https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389949#M956813 <P>i manage to got it cover and resolve it<BR /><BR />create a rules allowing the tacacs server passing the ASA to the destination router.<BR />Thanks a lot.</P> Mon, 28 May 2018 06:58:39 GMT Mohd Khairul Nizam 2018-05-28T06:58:39Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389674#M956753 Mon, 22 Jun 2020 11:42:18 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389674#M956753 Mohd Khairul Nizam 2020-06-22T11:42:18Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389715#M956756 <P>Is your firewall also doing NAT?</P> <P>&nbsp;</P> <P>the best check would be to run packet-tracer. tcp packet, source outside interface, your router IP, source port 1025, dest your AAA server, dest port 49.</P> Sun, 27 May 2018 03:51:18 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389715#M956756 Marvin Rhoads 2018-05-27T03:51:18Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389760#M956804 <P>there is no NAT in place in the ASA&nbsp;</P><P>for packet tracer , why does source port is 1025 ?</P><P>here is the trace</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Jun 2020 06:59:57 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389760#M956804 Mohd Khairul Nizam 2020-06-23T06:59:57Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389806#M956805 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/320485">@Mohd Khairul Nizam</a></P> <P>&nbsp;</P> <P>We use 1025 as the source port because tcp communications by default use some ephemeral port number for source (i.e. &gt;1024 and &lt;64k).</P> <P>&nbsp;</P> <P>Your trace indicates the traffic is coming FROM the .65 host (Voice Group) and TO the .70 host (Voice GW). Are they on the same subnet (the trace indicates they are)? If so, you must permit traffic on same-security level explicitly.</P> Sun, 27 May 2018 15:01:37 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389806#M956805 Marvin Rhoads 2018-05-27T15:01:37Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389872#M956806 <P>Yes, both is in same subnet , /26</P> <P>how should i permit it, mean need to add additional ACL ?</P> Sun, 27 May 2018 23:41:25 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389872#M956806 Mohd Khairul Nizam 2018-05-27T23:41:25Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389890#M956807 <P>Try adding the command:</P> <PRE>same-security-traffic permit intra-interface </PRE> <P>...and then repeat the packet-tracer test.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html</A></P> Mon, 28 May 2018 03:12:57 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389890#M956807 Marvin Rhoads 2018-05-28T03:12:57Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389904#M956810 <P>boot system disk0:/asa832-k8.bin<BR />ftp mode passive<BR />clock timezone MY 8<BR />dns server-group DefaultDNS<BR /> domain-name aia.biz<BR />same-security-traffic permit intra-interface</P> <P>&nbsp;</P> <P>already key in the command, and then packet-tracer again but still not go through</P> Mon, 28 May 2018 04:10:10 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389904#M956810 Mohd Khairul Nizam 2018-05-28T04:10:10Z https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389949#M956813 <P>i manage to got it cover and resolve it<BR /><BR />create a rules allowing the tacacs server passing the ASA to the destination router.<BR />Thanks a lot.</P> Mon, 28 May 2018 06:58:39 GMT https://community.cisco.com/t5/network-security/i-think-asa-is-blocking-tacacs-traffic/m-p/3389949#M956813 Mohd Khairul Nizam 2018-05-28T06:58:39Z