11-09-2006 01:54 PM - edited 02-21-2020 10:17 AM
I have been unsuccessful in getting AAA authentication working to my outside router, through the PIX.
When I connect the router directly to the inside network (bypassing the PIX) AAA works fine, so I know that the AAA configuration works between the router and the ACS server.
Initially I had the PIX configured with a static map between a global outside address 192.x.x.12 and an inside local address 10.200.1.187 for the ACS server, but that did not work either. So, currently I am trying to use NAT exemption for the ACS server, but it does not work either.
If I enable packet debugging on the PIX, I see the ACS authentication request and response going back and forth between the router and the ACS when I attempt to login to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS requests a RST.
The attached diagram shows the simple connection I am attempting to create.
The configuration of the PIX is also attached. (message size too large):
Thanks in advance for your help. I've been searching CCO for two days now, and have not found any solutions that resemble this.
Ron Buchalski
11-15-2006 07:13 AM
What you need to do is:
1. PIX:
- static map the ACS/TACACS to a public IP
static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255
- otherwise, if you do not have enough public IPs, use port redirection to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, via a specific TCP port, 49:
static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255
*to allow ACS talking to outside router via public IP
- Create/add entry for ACL applied to the outside interface to allow TACACS+ protocol to pass through from outside router to ACS:
access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (tacacs+ use tcp 49)
access-group outside in interface outside
*x.x.x.1 = outside router
2. ACS
- Add outside router interface IP (FastEthernet facing PIX outside interface) as AAA client
- Make sure secret key is identical in ACS and router
3. Outside router
- add ACS as tacacs-server using its public IP, as mapped in PIX which is x.x.x.10.
- verify the key and AAA statement is correct.
Test this without saving the config in the outside router. Save it once confirmed ok.
I have had a similar setup before, and it was working fine.
Pls rate all useful post(s)
AK
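The three checks in the steps above (a static for the ACS, an outside ACL entry for TCP/49 from the outside router, and the router registered as an AAA client in ACS) are exactly the places where this kind of setup fails, and the original poster's own fix turned out to be the third one. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses PIX 6.x-style `static`, `access-list` and `access-group` lines and reports which of the three conditions a TACACS+ flow from the outside router would fail. The configuration text and all addresses in it are constructed for the example (203.0.113.x stands in for the thread's x.x.x.x placeholders); the regexes cover only the command forms shown in the answer.

```python
import re

TACACS_PORT = 49

# Constructed roles matching the thread: outside router, ACS global (static) IP,
# ACS inside IP, and the PIX outside interface IP used by port redirection.
OUTSIDE_ROUTER = "203.0.113.1"
ACS_GLOBAL = "203.0.113.10"
ACS_LOCAL = "10.1.1.25"
PIX_OUTSIDE_IF = "203.0.113.2"

# Constructed sample config: one-to-one static plus the TCP/49 ACL entry.
PIX_OK = """\
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255
access-list outside permit tcp host 203.0.113.1 host 203.0.113.10 eq 49
access-group outside in interface outside
"""

# Constructed variant: the ACL permits another port only, so TCP/49 hits the implicit deny.
PIX_NO_ACL = """\
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255
access-list outside permit tcp host 203.0.113.1 host 203.0.113.10 eq 22
access-group outside in interface outside
"""

# Constructed variant: port redirection to the outside interface IP instead of a full static.
PIX_PORT_REDIRECT = """\
static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255
access-list outside permit tcp host 203.0.113.1 host 203.0.113.2 eq 49
access-group outside in interface outside
"""

# Matches both "static (inside,outside) G L netmask M" and
# "static (inside,outside) tcp interface GP L LP netmask M".
STATIC_RE = re.compile(
    r"^static \(inside,outside\) "
    r"(?:(?P<proto>tcp|udp) )?(?P<gip>\S+) (?:(?P<gport>\d+) )?"
    r"(?P<lip>\S+)(?: (?P<lport>\d+))? netmask \S+$"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any) (?P<dst>host \S+|any)(?: eq (?P<dport>\d+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface outside$")


def parse_pix(config):
    """Return (statics, {acl_name: [aces]}, acl bound inbound on outside)."""
    statics, aces, bound = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACE_RE.match(line):
            aces.setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bound = m["name"]
    return statics, aces, bound


def translate(statics, gip, port, outside_if_ip):
    """Map a global destination to (inside_ip, inside_port), or None if no static covers it."""
    for s in statics:
        target = outside_if_ip if s["gip"] == "interface" else s["gip"]
        if target != gip:
            continue
        if s["gport"] is None:            # one-to-one static: every port translated
            return s["lip"], port
        if int(s["gport"]) == port:       # port redirection: only that port translated
            return s["lip"], int(s["lport"])
    return None


def _matches(field, ip):
    return field == "any" or field == f"host {ip}"


def acl_permits(aces, bound, src, dst, port):
    """First matching entry wins; no match (or no bound ACL) is an implicit deny.
    On PIX 6.x the outside ACL is written against the global (pre-NAT) address."""
    if bound is None:
        return False
    for ace in aces.get(bound, []):
        if ace["proto"] not in ("tcp", "ip"):
            continue
        if not (_matches(ace["src"], src) and _matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and int(ace["dport"]) != port:
            continue
        return ace["action"] == "permit"
    return False


def check_tacacs_path(config, router_ip, acs_global, acs_clients, outside_if_ip=PIX_OUTSIDE_IF):
    """Return a list of findings for router -> ACS TCP/49; empty means all three checks pass."""
    statics, aces, bound = parse_pix(config)
    findings = []
    if translate(statics, acs_global, TACACS_PORT, outside_if_ip) is None:
        findings.append(f"no static translates {acs_global}:{TACACS_PORT} to an inside host")
    if not acl_permits(aces, bound, router_ip, acs_global, TACACS_PORT):
        findings.append(f"outside ACL does not permit tcp {router_ip} -> {acs_global}:{TACACS_PORT}")
    if router_ip not in acs_clients:   # the router's source IP is not translated by these statics
        findings.append(f"ACS has no AAA client entry for {router_ip}")
    return findings


if __name__ == "__main__":
    for label, cfg, clients in [("ok", PIX_OK, {OUTSIDE_ROUTER}),
                                ("no acl", PIX_NO_ACL, {OUTSIDE_ROUTER}),
                                ("no aaa client", PIX_OK, set())]:
        print(label, check_tacacs_path(cfg, OUTSIDE_ROUTER, ACS_GLOBAL, clients) or "path looks correct")
```

The ACL check deliberately matches the single-host, single-port entry from the answer rather than a broader `any` rule: exposing only TCP/49 from the one router to the one ACS host is the least-privilege shape of this hole, and the linter will flag a config that silently relies on a wider permit for some other port.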
01-08-2007 01:32 PM
AK,
Thank you for posting this response. I did not see it prior to fixing the problem (I selected the notify option when I posted, but never received notification that you responded).
You mentioned the item that was preventing AAA from authenticating. For the ACS, I did not have the IP address for the outside router interface in the ACS, so it would not respond to AAA requests from the router. Once the IP address was added to ACS, it worked perfectly.
Thanks again for posting your response.
Ron Buchalski