09-22-2005 05:42 AM - edited 03-09-2019 12:29 PM
I tried to implement AAA on a switch, which is sitting behind a firewall. Below is the config added to the firewall allowing communication between the CiscoSecure ACS server and the switch.
name 192.168.202.4 ciscosecure-elynx-out
name 192.168.202.5 alex-2950
object-group network network-devices
network-object host alex-2950
object-group service to-ciscosecure-tcp tcp
port-object eq tacacs
access-list in-from-elynx permit tcp host alex-2950 gt 1023 host ciscosecure-elynx-out object-group to-ciscosecure-tcp
static (inside,elynx) alex-2950 alex-2950 netmask 255.255.255.255 0 128
static (inside,elynx) ciscosecure-elynx-out cisco-secure netmask 255.255.255.255 0 128
With the above firewall configuration statements, I keep getting ARP requests but no reply.
PYTHON#
05:29:31.422844 arp who-has ciscosecure-ely tell alex-2950
05:29:33.422982 arp who-has ciscosecure-ely tell alex-2950
05:29:36.435997 arp who-has ciscosecure-ely tell alex-2950
05:29:38.438774 arp who-has ciscosecure-ely tell alex-2950
05:29:44.512363 arp who-has ciscosecure-ely tell alex-2950
05:29:46.510441 arp who-has ciscosecure-ely tell alex-2950
05:29:48.990351 arp who-has ciscosecure-ely tell alex-2950
05:29:51.513096 arp who-has ciscosecure-ely tell alex-2950
05:29:53.510212 arp who-has ciscosecure-ely tell alex-2950
As a result, I am unable to log in to the switch with TACACS credentials, only with local credentials.
I would like to know what I am missing here. Your advice would be greatly appreciated. Thank you in advance.
Best regards,
Santi
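As an added illustration (not part of the original post), the script below does two things a troubleshooter would want from the capture above: it parses tcpdump's ARP text output and reports targets that were asked for repeatedly but never answered with an "is-at" reply, and it works out which address a host will ARP for when sending to a given destination. The addresses are the ones in the post: the switch's Vlan5 address 192.168.202.5/255.255.255.248, the PIX elynx address 192.168.202.1, and 192.168.202.4 (the name ciscosecure-elynx-out). Because 192.168.202.4 falls inside the switch's own /29, the switch ARPs for it directly instead of for the gateway, which is exactly what the capture shows. The sample capture embeds the nine lines from the post plus two constructed lines (a request for a second host and its reply) so the answered case is exercised as well.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the nine "who-has" lines from the post, plus two constructed
# lines (a request for another host and its "is-at" reply) so the answered case
# is exercised too. Host names appear as tcpdump printed them.
SAMPLE_CAPTURE = """\
05:29:31.422844 arp who-has ciscosecure-ely tell alex-2950
05:29:33.422982 arp who-has ciscosecure-ely tell alex-2950
05:29:36.435997 arp who-has ciscosecure-ely tell alex-2950
05:29:38.438774 arp who-has ciscosecure-ely tell alex-2950
05:29:44.512363 arp who-has ciscosecure-ely tell alex-2950
05:29:46.510441 arp who-has ciscosecure-ely tell alex-2950
05:29:48.990351 arp who-has ciscosecure-ely tell alex-2950
05:29:51.513096 arp who-has ciscosecure-ely tell alex-2950
05:29:53.510212 arp who-has ciscosecure-ely tell alex-2950
05:29:55.000000 arp who-has other-host tell alex-2950
05:29:55.001000 arp reply other-host is-at 00:11:22:33:44:55
"""

# Addresses taken from the thread (switch Vlan5 SVI, PIX elynx interface, ACS outside name).
VLAN5 = "192.168.202.5/255.255.255.248"
PIX_ELYNX = "192.168.202.1"
ACS_OUTSIDE = "192.168.202.4"

# tcpdump's two ARP line shapes: "arp who-has T tell S" and "arp reply T is-at MAC".
REQUEST = re.compile(r"^\S+ arp who-has (?P<target>\S+) tell (?P<sender>\S+)")
REPLY = re.compile(r"^\S+ arp reply (?P<target>\S+) is-at (?P<mac>\S+)")


def arp_summary(capture):
    """Count ARP requests and replies per target in a tcpdump text capture."""
    requests, replies = defaultdict(int), defaultdict(int)
    for line in capture.splitlines():
        if m := REQUEST.match(line):
            requests[m["target"]] += 1
        elif m := REPLY.match(line):
            replies[m["target"]] += 1
    return dict(requests), dict(replies)


def unanswered_targets(capture):
    """Targets asked for at least once and never answered, with the request count."""
    requests, replies = arp_summary(capture)
    return {t: n for t, n in requests.items() if replies.get(t, 0) == 0}


def arp_target(destination, interface, gateway):
    """Address a host ARPs for when sending to destination: the destination itself
    if it lies inside the interface's own subnet, otherwise the default gateway."""
    iface = ipaddress.ip_interface(interface)  # accepts "addr/netmask" as well as "addr/prefix"
    dst = ipaddress.ip_address(destination)
    return str(dst) if dst in iface.network else str(gateway)


if __name__ == "__main__":
    for target, count in unanswered_targets(SAMPLE_CAPTURE).items():
        print(f"{target}: {count} requests, no reply")
    print("to reach the ACS the switch ARPs for", arp_target(ACS_OUTSIDE, VLAN5, PIX_ELYNX))
```

The second function is the reasoning step behind the capture: a destination inside the local subnet is resolved with a direct ARP, so whatever owns that address on the switch's VLAN has to answer; only destinations outside the /29 are sent to the default gateway. Run it on a real `tcpdump -n arp` output to list which targets are going unanswered.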
09-23-2005 01:37 AM
Hi,
It's not a pix config issue. It seems the switch port connecting to the pix is not in the admin vlan. Since it's a 2950 switch, its Layer 3 capability is limited to the admin vlan only. So it will not answer arp requests on any access ports in a different vlan. If you want to implement it this way and there should be only one vlan for all internal hosts, you should put all hosts in the same vlan, which is the admin vlan. But I don't recommend that...
Instead create a separate management vlan on the switch(es), and route the user and management vlans on the inside. This router or layer 3 switch has at least two interfaces: one for the internal hosts' ip range, and one for the management vlan ip address range. And put a route on the PIX for the switch management ip address range pointing to this L3 interface IP address.
A_a
09-23-2005 06:48 AM
Hi Attila,
Below is the config on the switch.
interface FastEthernet0/9
description Python elynx interface 192.168.202.1
switchport access vlan 5
switchport mode access
no ip address
duplex full
speed 100
no cdp enable
spanning-tree portfast
interface Vlan1
description
ip address 192.168.202.9 255.255.255.248
no ip redirects
no ip unreachables
no ip route-cache
shutdown
!
interface Vlan5
description alex-2950
ip address 192.168.202.5 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
ip default-gateway 192.168.202.1
no ip http server
ip tacacs source-interface Vlan5
Switch port connecting to the PIX is in the admin vlan. The default admin vlan1 changed to admin down automatically when I created vlan5 as a management vlan.
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
2 VLAN0002 active Fa0/1, Fa0/2, Fa0/5, Fa0/11
3 VLAN0003 active Fa0/3, Fa0/4
4 VLAN0004 active Fa0/6, Fa0/7
5 XXXXX active Fa0/9, Fa0/10, Fa0/12
12 XXXXX active Fa0/22, Fa0/23, Fa0/24
13 XXXXX active Fa0/8, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21
VTP Operation Mode: Server
Please kindly advise. Thank you.
Regards,
Santi
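As an added example (not from the thread or from Cisco), the script below checks the switch config posted above for the consistency points raised in this exchange: which VLAN the PIX-facing port is in, whether the SVI named as the TACACS source interface is in that same VLAN and is not shut down, and whether the default gateway lies inside that SVI's subnet. The embedded config is the one from the post with IOS's usual one-space indentation under each interface stanza restored, since the forum stripped it; the parser relies on that indentation. The uplink port name FastEthernet0/9 is the one the post identifies as the elynx interface.

```python
import ipaddress
import re

# Constructed sample: the switch config from the post, with IOS's one-space
# indentation under each "interface" stanza restored so it parses.
SWITCH_CONFIG = """\
interface FastEthernet0/9
 description Python elynx interface 192.168.202.1
 switchport access vlan 5
 switchport mode access
 no ip address
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 description
 ip address 192.168.202.9 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip route-cache
 shutdown
!
interface Vlan5
 description alex-2950
 ip address 192.168.202.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 192.168.202.1
no ip http server
ip tacacs source-interface Vlan5
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def global_value(config, prefix):
    """Argument of the first global (unindented) line starting with prefix, or None."""
    for raw in config.splitlines():
        if raw.startswith(prefix):
            return raw[len(prefix):].strip()
    return None


def access_vlan(stanza):
    """VLAN of an access port; IOS defaults to VLAN 1 when none is configured."""
    for cmd in stanza:
        if m := re.match(r"switchport access vlan (\d+)$", cmd):
            return int(m.group(1))
    return 1


def svi_address(stanza):
    """The 'ip address A M' of an SVI as an IPv4Interface, or None."""
    for cmd in stanza:
        if m := re.match(r"ip address (\S+) (\S+)$", cmd):
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def check_aaa_path(config, uplink):
    """Consistency checks between the firewall-facing port, the SVI used as the
    TACACS source interface, and the default gateway. 'problems' is empty when
    all checks pass."""
    ifs = parse_interfaces(config)
    result = {"uplink_vlan": access_vlan(ifs.get(uplink, [])), "problems": []}
    source = global_value(config, "ip tacacs source-interface")
    result["tacacs_source"] = source
    stanza = ifs.get(source or "")
    if stanza is None:
        result["problems"].append(f"TACACS source interface {source} not found")
        return result
    m = re.match(r"Vlan(\d+)$", source)
    result["source_vlan"] = int(m.group(1)) if m else None
    result["source_up"] = "shutdown" not in stanza
    if not result["source_up"]:
        result["problems"].append(f"{source} is shut down")
    if result["source_vlan"] != result["uplink_vlan"]:
        result["problems"].append(
            f"{uplink} is in VLAN {result['uplink_vlan']}, not VLAN {result['source_vlan']}")
    addr, gw = svi_address(stanza), global_value(config, "ip default-gateway")
    result["gateway_local"] = bool(addr and gw and ipaddress.ip_address(gw) in addr.network)
    if not result["gateway_local"]:
        result["problems"].append(f"default gateway {gw} is not in {source}'s subnet")
    return result


if __name__ == "__main__":
    print(check_aaa_path(SWITCH_CONFIG, "FastEthernet0/9"))
```

On the posted config every check passes (Fa0/9 is in VLAN 5, Vlan5 is up and is the TACACS source, and 192.168.202.1 is inside its /29), which matches Santi's reply that the port is already in the management VLAN; the same function flags the shut-down Vlan1 if the source interface is pointed there instead.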
09-26-2005 12:20 AM
Hi,
try:
interface Vlan5
ip proxy-arp
Attila Suba
09-26-2005 03:18 AM
Hi Attila:
It still doesn't work.
interface Vlan5
description alex-2950
ip address 192.168.202.5 255.255.255.248
no ip redirects
no ip unreachables
no ip route-cache
alex-2950#login
User Access Verification
Password:
Best regards,
Santi