AAA Authentication for Outside Router through PIX 515

ronbuchalski
Level 1
Level 1

I have been unsuccessful in getting AAA authentication working to my outside router, through the PIX.

When I connect the router directly to the inside network (bypassing the PIX) AAA works fine, so I know that the AAA configuration works between the router and the ACS server.

Initially I had the PIX configured with a static map between a global outside address 192.x.x.12 and an inside local address 10.200.1.187 for the ACS server, but that did not work either. So, currently I am trying to use NAT exemption for the ACS server, but it does not work either.

If I enable packet debugging on the PIX, I see the ACS authentication request and response going back and forth between the router and the ACS when I attempt to log in to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS requests a RST.

The attached diagram shows the simple connection I am attempting to create.

The configuration of the PIX is also attached. (message size too large):

Thanks in advance for your help. I've been searching CCO for two days now, and have not found any solutions that resemble this.

Ron Buchalski

Accepted Solution

a.kiprawih
Level 7
Level 7

What you need to do is:

1. PIX:

- static map the ACS/TACACS to a public IP

static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

- otherwise, if you do not have enough public IPs, use port redirection to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, via a specific port, TCP 49:

static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255

*to allow the ACS to talk to the outside router via a public IP

- Create/add an entry in the ACL applied to the outside interface to allow the TACACS+ protocol to pass through from the outside router to the ACS:

access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (TACACS+ uses TCP 49)

access-group outside in interface outside

*x.x.x.1 = outside router

2. ACS

- Add the outside router interface IP (the FastEthernet facing the PIX outside interface) as an AAA client

- Make sure the secret key is identical in the ACS and the router

3. Outside router

- add the ACS as a tacacs-server using its public IP, as mapped in the PIX, which is x.x.x.10.

- verify the key and AAA statements are correct.

Test this without saving the config in the outside router. Save it once confirmed OK.

I had a similar setup before, and it was working fine.

Pls rate all useful post(s)

AK
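The three checks in the answer above (the PIX static or tcp/49 redirect, the outside ACL actually bound inbound, and the router pointing at the mapped public IP, plus the ACS AAA-client entry that turned out to be the missing piece) can be run against saved config text before touching the boxes. The script below is an added example, not from the thread or from Cisco; the configs, addresses and AAA-client table are constructed placeholders, and the regexes only cover the exact command forms the answer shows.

```python
import re

# Constructed sample configs modelled on the answer's PIX snippet; addresses are
# documentation placeholders (RFC 5737), not values from any real network.
PIX_CONFIG = """
static (inside,outside) 192.0.2.10 10.1.1.25 netmask 255.255.255.255
access-list outside permit tcp host 192.0.2.1 host 192.0.2.10 eq 49
access-group outside in interface outside
"""
ROUTER_CONFIG = "tacacs-server host 192.0.2.10\n"
# Hypothetical ACS AAA-client table (the entry the thread found missing).
ACS_CLIENTS = {"192.0.2.1"}

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
REDIRECT_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) 49 (\S+) 49 netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp host (\S+) host (\S+) eq (?:49|tacacs)\b")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
HOST_RE = re.compile(r"^tacacs-server host (\S+)")

def lines(cfg):
    return [l.strip() for l in cfg.splitlines() if l.strip()]

def mapped_public_ip(pix_cfg, acs_inside_ip, pix_outside_ip):
    """Public address the PIX presents for the ACS (one-to-one static or tcp/49 redirect)."""
    for line in lines(pix_cfg):
        m = STATIC_RE.match(line)
        if m and m.group(2) == acs_inside_ip:
            return m.group(1)
        m = REDIRECT_RE.match(line)
        if m and m.group(2) == acs_inside_ip:
            return pix_outside_ip if m.group(1) == "interface" else m.group(1)
    return None

def check_tacacs_path(pix_cfg, router_cfg, acs_clients, router_ip, acs_inside_ip, pix_outside_ip):
    """Return findings; an empty list means each step of the accepted answer is satisfied."""
    findings = []
    public_ip = mapped_public_ip(pix_cfg, acs_inside_ip, pix_outside_ip)
    if public_ip is None:
        return ["PIX: no static maps the ACS to a public IP"]
    applied = {m.group(1) for m in map(GROUP_RE.match, lines(pix_cfg)) if m}
    # The permit only counts if its ACL is actually bound inbound on outside.
    acl_ok = any(m and m.group(1) in applied and (m.group(2), m.group(3)) == (router_ip, public_ip)
                 for m in map(ACL_RE.match, lines(pix_cfg)))
    if not acl_ok:
        findings.append(f"PIX: no applied outside ACL permits tcp/49 from {router_ip} to {public_ip}")
    if public_ip not in [m.group(1) for m in map(HOST_RE.match, lines(router_cfg)) if m]:
        findings.append(f"router: tacacs-server host must be the mapped public IP {public_ip}")
    if router_ip not in acs_clients:
        findings.append(f"ACS: {router_ip} is not an AAA client, so ACS will not answer it")
    return findings
```

Call `check_tacacs_path(PIX_CONFIG, ROUTER_CONFIG, ACS_CLIENTS, "192.0.2.1", "10.1.1.25", "192.0.2.2")`; an empty list means the path is consistent, and the symptom in the question (handshake completes, then RST from the ACS) shows up as the ACS AAA-client finding.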


AK,

Thank you for posting this response. I did not see it prior to fixing the problem (I selected the notify option when I posted, but never received notification that you responded).

You mentioned the item that was preventing AAA from authenticating. For the ACS, I did not have the IP address for the outside router interface in the ACS, so it would not respond to AAA requests from the router. Once the IP address was added to ACS, it worked perfectly.

Thanks again for posting your response.

Ron Buchalski
