06-18-2012 07:40 AM - edited 03-11-2019 04:20 PM
Hello,
I'm trying to attach a TACACS server (ACS Version 5.2) to a server group on an ASA 5520 (Version 8.4). When I test the connection in ASDM (Version 6.4) between the ASA and the ACS, it fails. The log message on the ASA is:
%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.
Packet-tracer from ASA is:
InternetASA# packet-tracer input inside tcp 10.8.27.126 4444 10.8.48.10 49
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.8.48.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What access-list or implicit rule may be the reason of denying these packets?
06-18-2012 04:59 PM
Hi,
For this setup the interface ACLs are not relevant, as they only apply to through-traffic.
Probably your TACACS config is broken. What is your TACACS server address?
And provide some output:
- show run aaa-server
- show run route
- show interface ip brief
regards, Karsten
Sent from Cisco Technical Support iPad App
06-19-2012 01:29 AM
Hello Karsten,
1. TACACS-Server-address is 10.8.48.10
2. show run aaa-server:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.8.48.10
key *****
3. show run route
InternetASA# sh run route
route outside 0.0.0.0 0.0.0.0 83.220.35.113 1
InternetASA# sh route | i 10.8.48.
D 10.8.48.0 255.255.255.0 [90/3072] via 10.8.27.1, 521:52:24, inside
InternetASA#
4. show interface ip brief
InternetASA# sh int ip brie
Interface              IP-Address     OK? Method Status Protocol
GigabitEthernet0/0     unassigned     YES unset  up     up
GigabitEthernet0/0.127 10.8.27.126    YES CONFIG up     up
GigabitEthernet0/2     10.10.27.129   YES unset  up     up
GigabitEthernet0/3     83.220.35.125  YES CONFIG up     up
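Added example, not from any of the posters above: a small triage script for the %ASA-2-106016 "Deny IP spoof" message quoted in the thread. It parses the syslog line, then checks whether the denied source address is one of the ASA's own interface addresses taken from the `show interface ip brief` output. That check matters here because the packet-tracer in the first post used 10.8.27.126, which is the ASA's own GigabitEthernet0/0.127 address, as the source; an ASA treats a packet arriving on an interface with that interface's own address as the sender as spoofed, so such a test does not say anything about the TACACS path. The mapping of "inside" to Gi0/0.127 and "outside" to Gi0/3 is an assumption inferred from the route output; the sample log lines other than the first are constructed.

```python
import re
from ipaddress import ip_address

# Pattern for ASA syslog 106016 (Deny IP spoof); the format follows the
# message quoted in the thread.
SPOOF_RE = re.compile(
    r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# ASA interface addresses from the thread's "show interface ip brief".
# Assumption: "inside" is Gi0/0.127 (the route to 10.8.48.0/24 points out
# "inside" via 10.8.27.1) and "outside" is Gi0/3 (default route via
# 83.220.35.113). Gi0/2 is omitted because its nameif is not shown.
LOCAL_ADDRS = {
    "inside": ip_address("10.8.27.126"),
    "outside": ip_address("83.220.35.125"),
}

# Constructed sample input: line 1 is the message from the thread; the other
# two are made up to exercise the non-local and non-106016 cases.
SAMPLE_LOGS = [
    "%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.",
    "%ASA-2-106016: Deny IP spoof from (192.0.2.7) to 10.8.48.10 on interface inside.",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:10.8.27.50/51000 (83.220.35.125/51000)",
]


def parse_spoof_denials(lines):
    """Return one dict per 106016 message; other syslog IDs are ignored."""
    events = []
    for line in lines:
        m = SPOOF_RE.search(line)
        if m:
            events.append({
                "src": ip_address(m.group("src")),
                "dst": ip_address(m.group("dst")),
                # strip the trailing period the ASA puts after the nameif
                "iface": m.group("iface").rstrip("."),
            })
    return events


def classify(event, local_addrs=LOCAL_ADDRS):
    """
    'self-sourced': the denied source is one of the ASA's own interface
                    addresses, i.e. a test (packet-tracer or otherwise) that
                    used the firewall's IP as the sender, not real traffic.
    'other-spoof' : the source is not a local address; needs investigation.
    """
    if event["src"] in local_addrs.values():
        return "self-sourced"
    return "other-spoof"


def triage(lines, local_addrs=LOCAL_ADDRS):
    """Flatten parsed denials into (src, dst, iface, verdict) tuples."""
    return [
        (str(e["src"]), str(e["dst"]), e["iface"], classify(e, local_addrs))
        for e in parse_spoof_denials(lines)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```

Feed it the ASA's syslog (or the output of `show logging`) and any 106016 line flagged "self-sourced" can be set aside; to test the TACACS path itself, use `test aaa-server authentication TACACS host 10.8.48.10 username <user> password <pass>` rather than a packet-tracer sourced from the interface address.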