05-26-2018 12:13 PM - edited 06-22-2020 04:42 AM
05-26-2018 08:51 PM
Is your firewall also doing NAT?
The best check would be to run packet-tracer: TCP packet, source outside interface, your router IP, source port 1025, dest your AAA server, dest port 49.
05-27-2018 03:55 AM - edited 06-22-2020 11:59 PM
There is no NAT in place in the ASA.
For packet-tracer, why is the source port 1025?
Here is the trace:
05-27-2018 07:58 AM - edited 05-27-2018 08:01 AM
We use 1025 as the source port because TCP communications by default use some ephemeral port number for the source (i.e. >1024 and <64k).
Your trace indicates the traffic is coming FROM the .65 host (Voice Group) and TO the .70 host (Voice GW). Are they on the same subnet (the trace indicates they are)? If so, you must permit traffic on same-security level explicitly.
05-27-2018 04:41 PM
Yes, both are in the same subnet, /26.
How should I permit it? Do you mean I need to add an additional ACL?
05-27-2018 08:12 PM
Try adding the command:
same-security-traffic permit intra-interface
...and then repeat the packet-tracer test.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html
05-27-2018 09:10 PM
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MY 8
dns server-group DefaultDNS
domain-name aia.biz
same-security-traffic permit intra-interface
Already keyed in the command, and then ran packet-tracer again, but it still does not go through.
05-27-2018 11:58 PM
I managed to get it covered and resolved it.
Created a rule allowing the TACACS server to pass through the ASA to the destination router.
Thanks a lot.
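Putting the thread's three pieces together (the packet-tracer check, the intra-interface permit, and the explicit rule for TCP/49), as an added example that is not from any poster; the interface name outside, the ACL name OUTSIDE_IN and the 198.51.100.x addresses are constructed placeholders for the router and the TACACS+ server:

```cisco
! Added example, not taken from the thread. Assumed: the router (198.51.100.10)
! and the TACACS+ server (198.51.100.20) share one /26 behind the ASA interface
! named "outside". Replace the addresses, ACL name and interface with your own.
!
! 1. Let hosts on the same interface reach each other through the ASA.
same-security-traffic permit intra-interface
!
! 2. Explicitly permit TACACS+ (TCP/49) from the router to the AAA server only.
!    If an ACL is already applied inbound on this interface, add this line to
!    that ACL instead: applying a new access-group replaces the existing one and
!    drops every flow it does not list.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 host 198.51.100.20 eq 49
access-group OUTSIDE_IN in interface outside
!
! 3. Re-run the check described earlier in the thread: TCP from the router
!    (ephemeral source port 1025) to the AAA server on port 49, entering on outside.
packet-tracer input outside tcp 198.51.100.10 1025 198.51.100.20 49
!
! A passing trace ends with "Action: allow"; a failing one ends with
! "Action: drop" and a Drop-reason line naming the phase that rejected it.
```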