We would like to enable ACS authentication to login to different  routers (Cisco 881s) we got that are interconnecting with our WAN via  VPN tunnels. We would like to avoid using public IP for the router to  communicate and relay user/password info with the ACS server and rely on  the server's private IP instead. The problem is that all the router's  outside interfaces connect to the Internet using public IPs and when the  router wants to communicate with the ACS server it will use its  public-facing interface IP and that'll fail. We can ping the server  obviously when we set the source to the internal LAN IP.

The question is is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?

config being used and tested succesfully on local devices:

aaa new-model

tacacs-server host 10.x.x.x single-connection key xxxxxx

aaa authentication login tacacs-local group tacacs local

aaa authorization config-commands

aaa authorization commands x tacacs-local group tacacs+ if-authenticated

aaa authorization exec tacacs-local group tacacs+ if-authenticated

privilege exec level x show

line vty 0 4

login authentication tacacs-local

authorization exec tacacs-local

authorization commands x tacacs-local

- Pinging ACS from the router (connecting to WAN via VPN) when using the router's public IP as a source address:

RT881#ping 10.x.x.x

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

- Pinging ACS from the router (connecting to WAN via VPN) when using the LAN's private IP as a source address:

RT881#ping 10.x.x.x source 10.x.x.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:

Packet sent with a source address of 10.x.x.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

Looking forward for your answers and suggestions.

Thanks, M.