
I think ASA is blocking TACACS+ traffic

Accepted Solution

I managed to get it covered and resolved it.

Create a rule allowing the TACACS server traffic to pass through the ASA to the destination router.
Thanks a lot.

7 Replies

Marvin Rhoads
Hall of Fame

Is your firewall also doing NAT?


The best check would be to run packet-tracer: TCP packet, source the outside interface, source IP your router, source port 1025, destination your AAA server, destination port 49.

There is no NAT in place on the ASA.

For packet-tracer, why is the source port 1025?

Here is the trace:


@Mohd Khairul Nizam


We use 1025 as the source port because TCP communications by default use some ephemeral port number for the source (i.e. >1024 and <64k).


Your trace indicates the traffic is coming FROM the .65 host (Voice Group) and TO the .70 host (Voice GW). Are they on the same subnet (the trace indicates they are)? If so, you must permit traffic on same-security level explicitly.

Yes, both are in the same subnet, /26.

How should I permit it? Do you mean I need to add an additional ACL?

Try adding the command:

same-security-traffic permit intra-interface 

...and then repeat the packet-tracer test.


https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html
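The permit rule the accepted solution describes, combined with the packet-tracer check from the reply above, as an added example that is not part of any post in this thread; the addresses, object names, ACL name and interface roles (router on the outside interface, AAA server on the inside) are constructed assumptions, not the poster's configuration.

```cisco
! Constructed example, not the OP's config: router (TACACS+ client) at 198.51.100.10
! on the outside interface, AAA/TACACS+ server at 192.0.2.65 on the inside interface.
object network RTR_TACACS_CLIENT
 host 198.51.100.10
object network AAA_TACACS_SERVER
 host 192.0.2.65
! Permit only the TACACS+ control channel (TCP/49) from the one client to the one server,
! rather than opening all traffic between the two subnets.
access-list OUTSIDE_IN extended permit tcp object RTR_TACACS_CLIENT object AAA_TACACS_SERVER eq 49
access-group OUTSIDE_IN in interface outside
! Needed only when client and server sit on the same interface (same-security hairpin).
same-security-traffic permit intra-interface
! Re-run the check from the reply above; 1025 stands in for the client's ephemeral port.
! The phase whose Result shows DROP identifies what is still blocking the flow.
packet-tracer input outside tcp 198.51.100.10 1025 192.0.2.65 49 detailed
```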

boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MY 8
dns server-group DefaultDNS
domain-name aia.biz
same-security-traffic permit intra-interface


Already keyed in the command, and then ran packet-tracer again, but it still does not go through.

