Ras Again

kalberts
Level 1

Apologies. I posted this message in the routing/switching board by mistake.

Just need to get some info/advice. We currently have two RAS environments in different cities. Now each RAS server (3600) has PRI and MICA modems installed. They connect to their respective firewalls in their regions before coming into the internal network.

From a design point of view it makes things difficult, because the IP address assigned to the client by ACS is the same for area A and area B. The problem is that the address range assigned to the client is only routed towards side A from our internal network's perspective. Is there a better way of designing this, or should I (I don't want to go this route) assign another username/password to each user and link that to a different pool of IPs?

One more Q: If a local pool of IPs is set up for users on the NAS and an IP address pool is set up for the same users on ACS, which IP address will be given? NAS or ACS?

Thanks.

4 Replies

tepatel
Cisco Employee

Not sure I understood your question properly, but if only one ACS is used to assign IP addresses to dial-in clients who dial in to side A and B, then ACS will not allocate the same IP address to two different clients. So I am not sure why there is a conflict of IP addresses here which makes only clients in side A route the traffic properly.

Now if you have two ACS, one in each side, then you need to assign different, non-overlapping IP address pools in each ACS to avoid duplicate IP address allocation.

To answer your 2nd Q: depending on the "aaa authorization" command, IP address allocation will take precedence. So if authorization is set from AAA, the IP address allocated via ACS will take precedence over the IP from the local pool (and vice versa).
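As an added illustration of the precedence point above (constructed IOS configuration, not from any poster in this thread), the NAS for side B keeps its own local pool, but with network authorization from RADIUS an address returned by ACS overrides that pool; the pool name DIALIN_B, the 172.16.21.0/24 range and the interface layout are assumptions, and the routing stanza shows one way to have each site advertise only the pool it owns:

```cisco
! Constructed example: NAS at side B. 172.16.21.0/24 is an assumed pool for
! side B; side A would keep the thread's 172.16.20.0/24 on its own NAS.
aaa new-model
aaa authentication ppp default group radius local
! With network authorization taken from RADIUS, a Framed-IP-Address (attribute 8)
! or Cisco AV pair ip:addr-pool=<name> returned by ACS overrides the interface pool.
! Remove this line and only the local pool below is used (the "vice versa" case).
aaa authorization network default group radius local
!
! Site-local fallback pool, used only when ACS returns no address.
ip local pool DIALIN_B 172.16.21.2 172.16.21.254
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN_B
 ppp authentication chap
 group-range 33 64
!
! Internal routing must carry each pool back to the NAS that hands it out.
! Anchoring the summary on the NAS and redistributing it means the reverse path
! follows the NAS the user actually dialed, instead of a static route to one site.
ip route 172.16.21.0 255.255.255.0 Null0
router ospf 1
 redistribute static subnets
 network 10.0.0.0 0.255.255.255 area 0
```

Verifying which source won for a live session is done with "show ip interface brief" and "show caller ip" on the NAS, comparing the assigned address against the local pool range and the ACS group settings.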

Thanks for question 2. AAA authorization is specified.

Back to question 1 however: there is not a duplicate IP on the network at any time; that is not what I meant.

Let's say that ACS pool "remote support" assigns IPs to user "X" out of pool 172.16.20.0/24. Now, regardless of which RAS environment the user dials into (A or B), the user will get an IP out of the same range/pool of addresses. Problem: from our internal network we only route 172.16.20.0 back towards side A. So if the user dials into RAS B, reverse routing doesn't work.

We do actually have two ACSs, but they are replicas, in sync with each other, so I can't create different pools on them.

RAS server A points to ACS A and RAS server B to ACS B respectively.

Because of the way you are routing the pool, it sounds like you would need a unique address pool for each RAS.

If the RASs were connected to the same segment, then proxy ARP would take care of it.

Daniel

Thanks. This means 2 different pools and 2 different usernames per user, because my ACSs are in sync. Here's a thought: maybe I should disable the sync...