Changing ASA NAS-IP-Address

radek.salapa
Level 1

Hi,

Is there a way to change the ASA NAS-IP address (RADIUS attribute 4) when the ASA talks to ISE (in general, to any RADIUS server)? I know there is a way for routers or switches. I need this functionality on the ASA, as my ASAs (actually a few of them) are NATed (PAT) when communicating with ISE and I need to know from which ASA a request originated.

Thanks

7 Replies

Greg Gibbs
Cisco Employee

This is more of a question about the ASA than it is about ISE, so it's probably a question better posted to the Network Security Community space.

In general, NATing between the network device and ISE PSN can cause lots of issues and (AFAIK) is not supported.

Hi Greg,

I believe the ISE guys are more experienced with messing with NAS-IP, as they potentially use this attribute in rules.


@Greg Gibbs wrote:

This is more of a question about the ASA than it is about ISE, so it's probably a question better posted to the Network Security Community space.

In general, NATing between the network device and ISE PSN can cause lots of issues and (AFAIK) is not supported.


Could you provide the source, is it documented somewhere?

I know there are some issues which you need to address (CoA, NAD profiles, ambiguity, etc.), but right now I don't have any other option. Not all network staff is under my control.

Thanks

Radek

NAS-IP is the IP of the interface you use in the aaa command.

The ASA allows you to specify which interface the ASA will use to talk to AAA (ISE).

MHM

Hi MHM,

In general, what you are saying is correct and I thought about that, but I'm not able to change the SRC IP address of the RADIUS packet. It needs to be exactly as it is and I'm not allowed to change it (routing, NAT, VPN, and so on).

I'm looking for something similar to the IOS functionality described in the document below, but for the ASA:

https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbsiara.html

Thanks

Radek

ciscoasa(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20

This interface IP is used for both source and NAS-IP, as far as I know.

It is not used as the source if you use the mgmt interface and the server is reachable via another interface; here the source will be the interface that reaches the server and NAS-IP will be the mgmt interface.
MHM


@MHM Cisco World wrote:
ciscoasa(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20

This interface IP is used for both source and NAS-IP, as far as I know.


Yes, that is correct. Additionally, you will need a route through the "inside" interface to 192.168.10.10. It can be the default route or any other specific route. Without the route you will get "Routing failed to locate next hop for udp from NP Identity Ifc:INSIDE_IP/20734 to inside:192.168.10.10/27910".

If you want to use another interface as egress, you need the route through the other interface and the additional command "management-access inside".

In both cases, NAS-IP and SRC-IP are the same and set to INSIDE_IP.

It is not used as the source if you use the mgmt interface and the server is reachable via another interface; here the source will be the interface that reaches the server and NAS-IP will be the mgmt interface.
MHM


Could you explain what you mean by mgmt interface? Is it a "management-access" or "management-only" interface?

"""Yes, that is correct. Additionally, you will need a route through the "inside" interface to 192.168.10.10. It can be the default route or any other specific route. Without the route you will get "Routing failed to locate next hop for udp from NP Identity Ifc:INSIDE_IP/20734 to inside:192.168.10.10/27910".

If you want to use another interface as egress, you need the route through the other interface and the additional command "management-access inside".

In both cases, NAS-IP and SRC-IP are the same and set to INSIDE_IP."""

All of the above is correct, so even if the source is NATed, the NAS-IP will not be affected by NAT, and that is what you need, am I correct? You need to make sure that RADIUS uses NAS-IP, not the source IP, when you add the network device.

"""Could you explain what you mean by mgmt interface? Is it a "management-access" or "management-only" interface?"""

Yes, I double-checked; this idea cannot be achieved. And by mgmt interface I mean an interface with management-only.
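The thread's conclusion is that PAT rewrites only the UDP source address, while NAS-IP-Address (RADIUS attribute 4) travels inside the payload and still carries the ASA's interface IP. The following is an added example, not code from the thread or from Cisco: it encodes a sample Access-Request per the RFC 2865 framing, parses it with bounds checks, and shows how a server or log pipeline can identify the originating ASA from attribute 4 and flag the NAS-IP/source-IP mismatch that NAT produces. The device names, the interface addresses 10.1.1.1 and 10.2.2.1, and the PAT address 203.0.113.5 are constructed for the example; whether a given RADIUS server keys its network-device lookup on the source IP or on NAS-IP-Address is a server-side setting, as discussed above.

```python
import ipaddress
import os
import struct

# RADIUS framing and attribute codes from RFC 2865 (attribute 4 = NAS-IP-Address).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
HEADER_LEN = 20


def build_access_request(identifier, attrs, authenticator=None):
    """Encode an Access-Request: code, id, length, 16-byte authenticator, then
    type/length/value attributes. Used here only to construct sample input."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_radius(packet):
    """Decode the header and walk the attribute list, rejecting malformed lengths
    so a truncated or padded datagram cannot make the parser read past the end."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def nas_ip_address(attrs):
    """Return NAS-IP-Address (attribute 4) as a dotted quad, or None if absent."""
    for attr_type, value in attrs:
        if attr_type == ATTR_NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None


def attribute_nas(packet, udp_source_ip, devices_by_nas_ip):
    """Server-side view: identify the sending NAD by attribute 4 rather than by
    the UDP source address, and flag when the two differ (a sign of NAT/PAT)."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    nas_ip = nas_ip_address(attrs)
    return {
        "nas_ip": nas_ip,
        "source_ip": udp_source_ip,
        "translated": nas_ip is not None and nas_ip != udp_source_ip,
        "device": devices_by_nas_ip.get(nas_ip),
    }


# Constructed sample: two ASAs whose inside interfaces are 10.1.1.1 and 10.2.2.1.
# Both are PATed behind 203.0.113.5 on the way to ISE, so the UDP source address
# seen by the server is identical for both; attribute 4 is what tells them apart.
DEVICES = {"10.1.1.1": "asa-site-a", "10.2.2.1": "asa-site-b"}
PAT_ADDRESS = "203.0.113.5"


def sample_request(nas_ip, user):
    # Fixed all-zero authenticator so the sample is reproducible (not for real use).
    return build_access_request(7, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ], authenticator=bytes(16))


def demo():
    results = [attribute_nas(sample_request(ip, "alice"), PAT_ADDRESS, DEVICES)
               for ip in DEVICES]
    for r in results:
        print(f"src={r['source_ip']} nas_ip={r['nas_ip']} "
              f"device={r['device']} translated={r['translated']}")
    return results


if __name__ == "__main__":
    demo()
```

Running the block prints one line per ASA: both arrive from 203.0.113.5, yet attribute 4 resolves each to a different device and `translated` is true for both, which is the condition the ISE-side network-device configuration has to account for.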