Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
0
Helpful
1
Replies

TACACS problem on a remote ASA

yves.haemmerli
Level 1
Level 1

‎03-24-2009 02:08 PM - edited ‎03-11-2019 08:09 AM

Hi,

I have the following setup :

TACACS --- LAN --- ASA1 ==== IPSec === ASA2 --- SW1

In my configuration, I can manage the remote ASA (ASA2) on its inside interface, through the IPSec tunnel with SSH. For that, I entered the command "management-access inside". Everything works properly, the remote LAN stations can communicate with the central site through the VPN tunnel.

The problem I have is that when I use TACACS to authenticate an incoming SSH console access through the IPSec tunnel, the ASA2 device generates an authentication request for the tacacs server, but don't find the next-hop towards the TACACS server in the central site (a message is logged).

The strange thing is that when accessing the switch SW1 via SSH, TACACS authentication works well. So, the TACACS packets go through ASA2 and then through the IPSec tunnel. Only ASA2 self-generated TACACS packets don't !

Thank you for any tips

Yves

Labels:
0 Helpful
1 Reply 1

YOUNG-SOO BASLER
Level 1
Level 1

‎04-02-2009 05:49 AM

1. define on asa2 the tacacs server on interface(inside)

2. edit the vpn encryption domain with the inside or local_lan interface to tacacs server as destination host.

* the crypto domain on asa1 need a aligment

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card