06-15-2011 08:40 AM - edited 03-10-2019 06:10 PM
We would like to enable ACS authentication to log in to the different routers (Cisco 881s) we have that interconnect with our WAN via VPN tunnels. We would like to avoid using a public IP for the router to communicate and relay user/password info with the ACS server, and rely on the server's private IP instead. The problem is that all the routers' outside interfaces connect to the Internet using public IPs, and when the router wants to communicate with the ACS server it will use its public-facing interface IP, and that fails. We can obviously ping the server when we set the source to the internal LAN IP.
The question is: is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?
Config being used and tested successfully on local devices:
aaa new-model
! TACACS+ server (private IP) using a persistent TCP connection and a shared key
tacacs-server host 10.x.x.x single-connection key xxxxxx
! Authenticate against TACACS+ first, fall back to the local database if the server is unreachable
aaa authentication login tacacs-local group tacacs+ local
! Command and exec authorization via TACACS+; if the server does not respond, permit already-authenticated users
aaa authorization commands x tacacs-local group tacacs+ if-authenticated
aaa authorization exec tacacs-local group tacacs+ if-authenticated
privilege exec level x show
line vty 0 4
 login authentication tacacs-local
 authorization commands x tacacs-local
- Pinging ACS from the router (connecting to WAN via VPN) when using the router's public IP as a source address:
RT881#ping 10.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
- Pinging ACS from the router (connecting to WAN via VPN) when using the LAN's private IP as a source address:
RT881#ping 10.x.x.x source 10.x.x.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms
Looking forward to your answers and suggestions.
Thanks, M.
06-30-2011 02:47 PM
Hey Maher,
You can use the command "ip tacacs source-interface" or "ip radius source-interface" for your scenario.
Hope this helps!
Regards,
Prapanch
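As an added example that is not part of the original thread, here is how that command fits into the poster's configuration. It assumes the LAN-side interface is Vlan1 carrying the 10.x.x.1 address that worked as a ping source, and that the site-to-site crypto ACL on the outside interface already covers traffic between the LAN subnet and the ACS subnet.

```cisco
! Added example, not the original poster's configuration.
! Assumption: Vlan1 is the inside interface with the 10.x.x.1 address.
!
! Before: with no source-interface configured, the router sources TACACS+ (TCP/49)
! from the outside interface's public IP. That address does not match the VPN's
! interesting-traffic ACL, so the request goes toward the Internet unencrypted
! and never reaches the ACS private IP (the "0 percent" ping above).
aaa new-model
tacacs-server host 10.x.x.x single-connection key xxxxxx
!
! Fix: source AAA traffic from the inside interface so it matches the crypto ACL
! and rides the tunnel, exactly like the "ping ... source 10.x.x.1" that succeeded.
ip tacacs source-interface Vlan1
ip radius source-interface Vlan1
! The same applies to TFTP, as the thread's last reply notes.
ip tftp source-interface Vlan1
!
aaa authentication login tacacs-local group tacacs+ local
aaa authorization exec tacacs-local group tacacs+ if-authenticated
line vty 0 4
 login authentication tacacs-local
!
! Checks: confirm the server is reachable over the tunnel before relying on it
! (keep "local" in the method list so lockout is impossible if the tunnel drops).
! test aaa group tacacs+ <user> <password> legacy
! show tacacs
```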
06-15-2011 09:52 PM
Hey,
A topology will be appreciated.
Regards,
Anisha
P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-16-2011 07:41 AM
Here is the topology, and no, the query wasn't resolved.
06-16-2011 11:34 PM
Hey,
I am not able to view it.
Regards,
Anisha
06-17-2011 07:15 AM
It works fine here. I think it is an issue on your computer.
07-12-2011 07:08 AM
The command above worked great. Also used it for TFTP.
This is resolved.
Thanks