05-18-2010 06:11 AM - edited 03-11-2019 10:47 AM
My customer has an ASA and wants to do aaa authentication tacacs+. The ACS server however is accessible through an IPsec VPN tunnel terminating on the outside interface of the ASA.
Whenever a user logs into the ASA the request will be sent out via the outside interface with the source IP address of the outside interface of the ASA, thus not meeting my encryption list. How can I do this? I can not add the outside interface IP address to the encryption list. What I need is a command like: tacacs source ip address a.b.c.d.
05-18-2010 06:20 AM
You can add the inside interface in the aaa-server configuration.
Example as follows:
aaa-server myaaa (inside) host
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1538618
Hope that helps.
05-18-2010 06:35 AM
Dear halijenn,
Thank you very much for your reaction but this did not help. Any other suggestions?
The problem is that the source IP address sent from my ASA does not match the encryption list.
05-18-2010 03:26 PM
When you specify the "(inside)" on the aaa-server, the tacacs packet will be sourced from the inside interface.
Please also configure "management-access inside" command.
If you tried to generate a ping from the ASA: ping inside
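The configuration the answer above describes, written out as an added example that is not part of the thread and not the original poster's configuration. The interface addresses, the server address 192.168.50.10, the group name ACS_TACACS and the ACL name are assumed placeholders; the shared secret is left as a placeholder to be replaced.

```cisco
! Added example (not from the thread). Assumed topology:
!   inside interface of the ASA : 10.1.1.1/24
!   TACACS+ (ACS) server        : 192.168.50.10, reachable only through the L2L tunnel
!
! 1. The crypto ACL for the tunnel must match traffic sourced from the inside
!    interface network towards the ACS network, otherwise the TACACS+ packets
!    are sent in the clear out of the outside interface and never reach ACS.
access-list L2L_TO_ACS extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 2. Server group sourced from the inside interface (the "(inside)" keyword
!    sets the source interface and therefore the source address of the packets).
aaa-server ACS_TACACS protocol tacacs+
aaa-server ACS_TACACS (inside) host 192.168.50.10
 key REPLACE_WITH_SHARED_SECRET
 timeout 5
!
! 3. Allow traffic sourced from the inside interface address to be carried over
!    a tunnel that terminates on the outside interface.
management-access inside
!
! 4. Bind the group to device administration. LOCAL fallback keeps a local
!    account usable if the tunnel or the ACS server is down.
aaa authentication ssh console ACS_TACACS LOCAL
aaa authentication enable console ACS_TACACS LOCAL
!
! Verification from exec mode (not configuration commands):
!   test aaa-server authentication ACS_TACACS host 192.168.50.10 username admin password REPLACE_ME
!   show crypto ipsec sa    -> encaps/decaps counters for the 10.1.1.0/24 <-> 192.168.50.0/24 SA should increase
```

The order matters when troubleshooting: if the test aaa-server command times out, check the crypto ACL and the show crypto ipsec sa counters first, because a source address that is not covered by the crypto ACL fails silently from the ASA's point of view (the packet simply leaves unencrypted).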