Solved: Re: Remote Access VPN NAD IP

Srinivasan Nagarajan · ‎02-02-2021

Hi Experts,

We've RA VPN configured on ASA and forwarding the Authentication request to Radius server-ISE (DMZ). Instead of showing the IP address of ASA as the NAS device, it's showing me with the default gateway of the interface on ASA where are the ISE servers are residing behind.

Also, this IP is being added as the NAD device under Device groups. Any idea, why the default interface configured on ASA for DMZ zone is showing as the NAS device IPV4 address? Is this expected behavior?

Thanks in advance.

hslai · ‎02-04-2021

Take pcap captures of RADIUS exchanges among ISE, DMZ interface gateway IP and ASA. If the RADIUS packets show the gateway IP, then ASA is NAT by the gateway and correct it in the gateway as needed.

View solution in original post

Mike.Cifelli · ‎02-02-2021

Have you attempted to add/test interface-specific aaa server group configuration within the respective tunnel-group under authentication? AFAIK this will use/change your sourced NAS/IP. See below:

I suggest testing via a test tunnel-group.

Srinivasan Nagarajan · ‎02-02-2021

Hi Mike

Under the tunnel-group, authentication and accounting server group is configured as the PSN IP. But in the live logs, I see the NAS device IP as the interface IP and not of the ASA.

hslai · ‎02-03-2021

The gateway might be doing NAT?!

Srinivasan Nagarajan · ‎02-03-2021

Hi @hslai

I've verified there is no NAT/PAT translating to the DMZ interface gateway IP.

As mentioned earlier, its being added as the NAD device as well.

hslai · ‎02-04-2021

Take pcap captures of RADIUS exchanges among ISE, DMZ interface gateway IP and ASA. If the RADIUS packets show the gateway IP, then ASA is NAT by the gateway and correct it in the gateway as needed.

Srinivasan Nagarajan · ‎02-04-2021

Hi @hslai

I've generated Pcaps and noticed ASA uses default gateway IP of the interface when reaching the ISE for Radius Authorization and Accounting. Final one, Is it default behavior of the ASA to change its address while passing radius Authentication /Accounting info to ISE?

hslai · ‎02-04-2021

If your capture was done between ISE and the ASA's default gateway, then please also do it between ASA and the gateway. I still think it's the gateway somehow NAT the ASA RADIUS requests, but not ASA sourcing its RADIUS traffic using someone's IP address.

Srinivasan Nagarajan · ‎02-05-2021

@hslai

Thanks for your assistance. I'm not able to see any Radius (UDP/1812 and 1813) between the ASA and the DG of the DMZ IP. But I do see the traffic traversing between the DG of DMZ and the ISE PSN (DMZ) which is Intrazone traffic and no NAT is also seen.

As you said, ASA doesn't source the IP address, let me take a look at the config. Thanks for the support mate.

Mike.Cifelli · ‎02-04-2021

AFAIK this is normal behavior. The NAS device IP will depict the ASA sourced interface IP that is configured in screenshot I shared earlier.

Srinivasan Nagarajan · ‎02-04-2021

@Mike.Cifelli

The aaa servers (ISE) are residing behind the DMZ interfaces and I don't see any interface is being specified in Tunnel-group under the 'Authentication' tab (as shared by you) and I didn't try changing it as it's a Prod network. I'm wondering how ISE sees the NAS device IP as the DG of that interface rather marking the ASA IP.