Changing ASA NAS-IP-Address
02-15-2024 02:41 PM
Hi,
Is there a way to change the ASA NAS-IP address (RADIUS attribute 4) when the ASA talks to ISE (or, in general, to any RADIUS server)? I know there is a way for routers and switches. I need this functionality on the ASA, as my ASAs (actually a few of them) are NATed (PAT) when communicating with ISE, and I need to know which ASA a request originated from.
Thanks
Labels: Identity Services Engine (ISE), VPN
02-15-2024 07:42 PM
This is more of a question about the ASA than it is about ISE, so it's probably a question better posted to the Network Security Community space.
In general, NATing between the network device and ISE PSN can cause lots of issues and (AFAIK) is not supported.
02-16-2024 12:09 AM
Hi Greg,
I believe the ISE guys are more experienced with messing with NAS-IP, as potentially they are using this attribute in rules.
@Greg Gibbs wrote:
This is more of a question about the ASA than it is about ISE, so it's probably a question better posted to the Network Security Community space.
In general, NATing between the network device and ISE PSN can cause lots of issues and (AFAIK) is not supported.
Could you provide the source? Is it documented somewhere?
I know there are some issues which you need to address (CoA, NAD profiles, ambiguity, etc.), but right now I don't have any other option. Not all network staff is under my control.
Thanks
Radek
02-15-2024 09:20 PM
NAS-IP is the IP of the interface you use in the aaa command.
ASA allows you to specify which interface the ASA will use to talk to AAA (ISE).
MHM
02-15-2024 11:55 PM
Hi MHM,
In general, what you are saying is correct, and I thought about that, but I'm not able to change the SRC IP address of the RADIUS packet. It needs to be exactly as it is and I'm not allowed to change it (routing, NAT, VPN, and so on...).
I'm looking for something similar to the IOS functionality described in the document below, but for ASA:
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbsiara.html
Thanks
Radek
02-16-2024 02:00 AM - edited 02-18-2024 03:00 AM
ciscoasa(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
This interface IP is used for both the source and NAS-IP, as far as I know.
It is not used as the source if you use the mgmt interface and the server is reachable via another interface; here the source will be the interface that reaches the server and NAS-IP will be mgmt.
MHM
02-17-2024 07:35 AM
@MHM Cisco World wrote:
ciscoasa(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
This interface IP is used for both the source and NAS-IP, as far as I know.
Yes, that is correct. Additionally, you will need a route through the "inside" interface to 192.168.10.10. It can be a default route or any other specific route. Without the route you will get "Routing failed to locate next hop for udp from NP Identity Ifc:INSIDE_IP/20734 to inside:192.168.10.10/27910".
If you want to use another interface as egress, you need the route through the other interface and the additional command "management-access inside".
In both cases, NAS-IP and SRC-IP are the same and set to INSIDE_IP.
It is not used as the source if you use the mgmt interface and the server is reachable via another interface; here the source will be the interface that reaches the server and NAS-IP will be mgmt.
MHM
Could you explain what you mean by mgmt interface? Is it the "management-access" or the "management-only" interface?
02-18-2024 02:57 AM - edited 02-18-2024 03:01 AM
"""Yes, that is correct. Additionally you will need a route through "inside" interface to 192.168.10.10. It can be default route or any other specific route. Without the route you will get "Routing failed to locate next hop for udp from NP Identity Ifc:INSIDE_IP/20734 to inside:192.168.10.10/27910
If you want to use another interface as egress, you need the route through another interface and additional command "management-access inside".
In both cases, NAS-IP and SRC-IP are the same and set to INSIDE_IP"""
All above is correct' so even if source is NATing the NAS-IP will not effect by NAT and that what you need' am I correct? you need to make sure that radius use NAS-IP not source IP when you add network device
"""Could explain what you mean by mgmt interface? Is it "management-access" or "management-only" interface?"""
Yes I make double check this idea we can not achieve it. And mgmt interface I mean interface with management-only.
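The point made in the two MHM posts above (NAS-IP-Address rides inside the RADIUS payload, so PAT rewrites the UDP source address but not attribute 4) can be seen directly in the packet format. The following is an added example, not code from the thread or from Cisco: it builds a minimal Access-Request, simulates the PAT rewrite, and shows that a lookup keyed on the observed source IP fails while a lookup keyed on NAS-IP-Address still identifies the ASA. The ASA inside addresses, the public PAT address and the NAD table are constructed values.

```python
import ipaddress
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20

# Constructed NAD table keyed by NAS-IP-Address (assumed inside-interface IPs of
# two ASAs that share one PAT address; these values are not from the thread).
NAD_TABLE = {
    "192.168.10.1": "asa-site-a",
    "192.168.20.1": "asa-site-b",
}


def build_access_request(nas_ip, user, identifier, authenticator=None):
    """Build a minimal Access-Request carrying User-Name and NAS-IP-Address."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random in Access-Request
    # Each attribute is a TLV: type (1 byte), length (1 byte, includes the 2-byte header), value
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user.encode()
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs; reject truncated or overlapping lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865: discard if Length exceeds the datagram; octets past Length are padding
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad length field")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def nas_ip_address(packet):
    """Return the dotted NAS-IP-Address (attribute 4), or None if absent."""
    values = parse_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("NAS-IP-Address must be 4 bytes")
    return str(ipaddress.IPv4Address(values[0]))


def pat_rewrite(datagram, public_ip, public_port):
    """Simulate PAT: only the IP/UDP headers change; the RADIUS payload is untouched."""
    _src_ip, _src_port, payload = datagram
    return (public_ip, public_port, payload)


def identify_nad(datagram, nad_table):
    """Return (match by UDP source IP, match by NAS-IP-Address) so the difference is visible."""
    src_ip, _src_port, payload = datagram
    by_source = nad_table.get(src_ip)
    nas_ip = nas_ip_address(payload)
    by_attribute = nad_table.get(nas_ip) if nas_ip else None
    return by_source, by_attribute


if __name__ == "__main__":
    request = build_access_request("192.168.10.1", "user1", 7)
    before_nat = ("192.168.10.1", 1645, request)            # as sent by the ASA (constructed)
    after_nat = pat_rewrite(before_nat, "203.0.113.5", 40001)  # as seen by ISE (constructed)
    print("source IP seen by server:", after_nat[0])
    print("NAS-IP-Address in payload:", nas_ip_address(after_nat[2]))
    print("lookup (by source, by NAS-IP):", identify_nad(after_nat, NAD_TABLE))
```

The lookup by source IP returns nothing useful once several ASAs sit behind the same PAT address, while the attribute lookup still names the originating ASA, which is exactly why the RADIUS server has to match the network device on NAS-IP-Address rather than on the source address, as MHM states. Two caveats for anyone relying on this: the shared secret tied to the matched NAD entry must still validate the exchange, and NAS-IP-Address is plaintext in the UDP payload and, in an Access-Request, is only integrity-covered when a Message-Authenticator attribute is present.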