Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
529
Views
0
Helpful
1
Replies

Urgent help needed with NATing and TACACS authentication

markmartin81
Level 1
Level 1

‎10-19-2007 04:07 AM - edited ‎02-21-2020 10:19 AM

Hi everyone,

Really need some network advice here. Due to the complexity of how my network structure is like, I have decided to insert a network diagram to depict my problem, so PLEASE check the diagram out before you read further.

I'm having difficulties in allowing ROUTER BETA to be authenticated via my TACACS server via the private NAT address. I have entered the following command on my FIREWALL ALPHA router to NAT ROUTER BETA:

Static (outside,inside) 172.22.120.22 202.178.105.126 netmask 255.255.255.255

From my TACACS server end, I'm able to ping 172.22.120.22 and 202.178.105.126 once the configuration above is applied on FIREWALL ALPHA. However I'm unable to telnet to 202.178.105.126 from my TACACS server. I'm able to telnet to ROUTER BETA using the 172.22.120.22 ip address however the router is not able to authenticate with my TACACS server.

PLEASE NOTE THAT THE ACLS on my INTERNAL FIREWALL, FIREWALL ALPHA and ROUTER ALPHA are all set to permit ip any any (in other words nothing is blocked).

When I remove the static command above, everything returns to normal ; I'm able to telnet the202.178.105.126 IP address from my TACACS server and the router is able to authenticate with my TACACS server.

In my diagram I've also put another network called BETA Network. BETA Network works very similar to Alpha Network, however when I apply the following NAT config on the FIREWALL BETA device to NAT my ROUTER BETA:

Static (outside,inside) 192.168.68.22 202.146.95.241 netmask 255.255.255.255

It works perfectly fine. I'm able to ping both the private and public addresses and telnet both the IP addresses and using both IP addresses, my ROUTER BETA device is able to authenticate with my TACACS server without any issue.

Again like in ALPHA network, the ACLs for FIREWALL BETA and ROUTER BETA are all set to permit ip any any (nothing is blocked).

I'm just perplexed as to why this problem is only occurring on ROUTER ALPHA and the ALPHA network.

Appreciate any help on this.

Thanks

Edit: aplogies, added the wrong diagram

Labels:
Preview file
63 KB
0 Helpful
1 Reply 1

didyap
Level 6
Level 6

‎10-25-2007 07:10 AM

You may be getting this problem because the router alpha is getting advertized routes that have a good metric compared to the route which is through the firewall alpha. In other words the traffic coming from TACACS server to router alpha is passing through firewall alpha but the traffic (or reply traffic) from router alpha to TACACS server goes through the other route (where it gets blocked). You may try by running some routing protocol and see if it solves your problem.

0 Helpful
Customers Also Viewed These Support Documents