
ASA TACACS configuration of source interface

fileinster_
Level 1


I need to set the source interface for TACACS communications on an ASA to a different interface than where the TACACS server is located, but I have not been able to find it. I have the TACACS server behind the inside interface, but the TACACS server is expecting the IP address on the outside interface.

I found this discussion that suggested that the interface designation was source address only and did not specify the outgoing interface, as per the documentation. The OP in that post even confirmed that it worked.

My mileage is varying significantly. From what I can gather the interface designation DOES specify the outbound interface and it does not follow the routing table. The routing table shows the TACACS server is found behind the inside interface and at no point did I alter this. Here's what I did to confirm my thoughts.

 

Configured the AAA server like so:

aaa-server TAC_GROUP (outside) host 10.49.49.49
key ****

Set up a packet capture like so:

cap tac int inside match tcp any host 10.49.49.49

And tested against the server with `test aaa-server authentication TAC_GROUP host 10.49.49.49`

The capture showed no packets.

asa# sh cap tac
0 packet captured
0 packet shown

 

I removed the capture and set it up for the outside:

no cap tac
cap tac int outside match tcp any host 10.49.49.49


It now displays the outgoing packets only when testing:

asa# sh cap tac

3 packets captured

1: 15:58:38.209431 <outside-IP>.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660049043 0>
2: 15:58:41.239062 <outside-IP>.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660052073 0>
3: 15:58:47.261537 <outside-IP>.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660058097 0>

 


I then set up the TACACS server for the inside:

aaa-server TAC_GROUP (inside) host 10.49.49.49
key ****

I got special permission to set up the TACACS server with the inside address as the source for testing only. I set up a packet capture again like so:

no cap tac
cap tac int inside match tcp any host 10.49.49.49

 

The capture now displays two-way traffic:

USRELAYA02/pri/act# sh cap tac

532 packets captured

1: 16:27:16.623487 10.49.49.49.7800 > <inside-IP>.48097: P 1792099851:1792099954(103) ack 763864584 win 1432 <nop,nop,timestamp 3937394275 3317204846>
2: 16:27:16.639691 <inside-IP>.48097 > 10.49.49.49.7800: P 763864584:763864703(119) ack 1792099954 win 24697 <nop,nop,timestamp 3317207851 3937394275>
3: 16:27:16.640332 10.49.49.49.7800 > <inside-IP>.48097: . ack 763864703 win 1432 <nop,nop,timestamp 3937394292 3317207851>
4: 16:27:19.623701 10.49.49.49.7800 > <inside-IP>.48097: P 1792099954:1792100057(103) ack 763864703 win 1432 <nop,nop,timestamp 3937397275 3317207851>
5: 16:27:19.638104 <inside-IP>.48097 > 10.49.49.49.7800: P 763864703:763864822(119) ack 1792100057 win 24697 <nop,nop,timestamp 3317210849 3937397275>
6: 16:27:19.638501 10.49.49.49.7800 > <inside-IP>.48097: . ack 763864822 win 1432 <nop,nop,timestamp 3937397290 3317210849>
7: 16:27:22.623670 10.49.49.49.7800 > <inside-IP>.48097: P 1792100057:1792100160(103) ack 763864822 win 1432 <nop,nop,timestamp 3937400275 3317210849>
<snip>

 

I cannot find another command that sets the TACACS source interface.


I am currently running Cisco Adaptive Security Appliance Software Version 9.8(2)33

 


What I proved
The interface in the 'aaa-server host' command sets the source AND the outgoing interface independent of the routing table.

 

Question
How can I set the source address without affecting the outgoing interface?
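The three captures above tell the whole story once you read them side by side: nothing on the inside interface, unanswered SYN retransmits on the outside interface, and a two-way conversation once the host was re-pointed at inside. The following is an added example, not part of the original post or any Cisco tool: a small parser for the `show capture` line format shown above that classifies what a capture says about ASA-to-server reachability and reports which address the ASA sourced from. The sample captures are constructed to mirror the post, with the redacted `<outside-IP>` and `<inside-IP>` replaced by the documentation addresses 192.0.2.1 and 192.168.10.1 (an assumption, not values from the post).

```python
import re
from typing import Dict, List, Set

# One line of ASA `show capture <name>` output, e.g.
#   1: 15:58:38.209431 192.0.2.1.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <...>
# Addresses are written as a.b.c.d.port; the token after the colon is the TCP flag field
# ("S" = SYN, "P" = PSH, "." = ACK only). Lines that are not packets (counts, blanks) are skipped.
PKT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

SERVER = "10.49.49.49"  # TACACS+ server from the post


def parse_show_cap(text: str) -> List[Dict]:
    """Parse `show capture` text into a list of packet dicts."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({
                "idx": int(m["idx"]), "ts": m["ts"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "flags": m["flags"],
            })
    return pkts


def classify(pkts: List[Dict], server: str) -> str:
    """
    What this interface's capture says about ASA <-> server traffic:
      no-traffic     : nothing to or from the server seen here (it left via another interface)
      unanswered-syn : only SYNs towards the server, nothing back (no reply, or reply takes another path)
      outbound-only  : data towards the server but nothing back
      bidirectional  : the server answered on this interface
    """
    to_server = [p for p in pkts if p["dst"] == server]
    from_server = [p for p in pkts if p["src"] == server]
    if not to_server and not from_server:
        return "no-traffic"
    if from_server:
        return "bidirectional"
    if all(p["flags"] == "S" for p in to_server):
        return "unanswered-syn"
    return "outbound-only"


def asa_source_addresses(pkts: List[Dict], server: str) -> Set[str]:
    """Addresses the ASA used as source towards the server, i.e. which interface IP it sourced from."""
    return {p["src"] for p in pkts if p["dst"] == server}


# Constructed samples mirroring the post's three captures (addresses substituted, see lead-in).
CAP_INSIDE_EMPTY = """\
0 packet captured
0 packet shown
"""

CAP_OUTSIDE_SYN_ONLY = """\
3 packets captured

1: 15:58:38.209431 192.0.2.1.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660049043 0>
2: 15:58:41.239062 192.0.2.1.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660052073 0>
3: 15:58:47.261537 192.0.2.1.9187 > 10.49.49.49.49: S 931695545:931695545(0) win 32768 <mss 1460,nop,nop,timestamp 660058097 0>
"""

CAP_INSIDE_TWO_WAY = """\
532 packets captured

1: 16:27:16.623487 10.49.49.49.7800 > 192.168.10.1.48097: P 1792099851:1792099954(103) ack 763864584 win 1432 <nop,nop,timestamp 3937394275 3317204846>
2: 16:27:16.639691 192.168.10.1.48097 > 10.49.49.49.7800: P 763864584:763864703(119) ack 1792099954 win 24697 <nop,nop,timestamp 3317207851 3937394275>
3: 16:27:16.640332 10.49.49.49.7800 > 192.168.10.1.48097: . ack 763864703 win 1432 <nop,nop,timestamp 3937394292 3317207851>
"""

if __name__ == "__main__":
    for name, cap in [("inside (host on outside)", CAP_INSIDE_EMPTY),
                      ("outside (host on outside)", CAP_OUTSIDE_SYN_ONLY),
                      ("inside (host on inside)", CAP_INSIDE_TWO_WAY)]:
        pkts = parse_show_cap(cap)
        print(f"{name}: {classify(pkts, SERVER)} "
              f"sources={sorted(asa_source_addresses(pkts, SERVER))}")
```

Paste the raw `show cap` output into the corresponding string and run it; an `unanswered-syn` result on the interface named in `aaa-server ... host` combined with `no-traffic` on the interface the route points at is exactly the pattern the post describes.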

 

1 Reply

It's quite an aged-out post and you've probably found the answer already, but just in case: the management-access command may help here.