03-19-2010 06:52 AM
I have a site-to-site ipsec tunnel connection set up between two sites using asa 5520s. At our main site, all outbound traffic is pat'ed to its outside interface address, excluding site-to-site ipsec tunnel traffic. The secondary site tunnels all traffic through the main site via the ipsec tunnel, and allows no outbound or inbound traffic otherwise, so its outside interface ip serves no real purpose outside of being a peer address for the tunnel.
The tacacs server is located on the main site's internal network. At the main site, tacacs is used to authenticate admin access to all local network devices. However, I have been unable to get tacacs to work when attempting to authenticate over the tunnel to the secondary site's asa. Due to the nature of the configuration (crypto map acl permits main site's internal networks to secondary site's internal networks without nat while all other traffic is nat'ed) I authenticate from the main site to the inside interface of the secondary site's asa, using local creds configured on the secondary asa. I would prefer to use tacacs in this scenario.
The problem is when I attempt to enable tacacs authentication on the secondary site's asa, it never works. I'm assuming that the problem is that the secondary asa attempts to send the authentication request through the outside interface, which is not included in the crypto map acl, so it fails. Secondly, it may fail because the interface acl doesn't allow anything out anyway, so it never goes anywhere. I'm wondering if there is a way to set authentication to originate from an interface other than the outside ip address (like the inside interface) so that the tacacs traffic can traverse the tunnel without a bunch of changes in configuration necessary. I don't want to attempt to add the outside interface to the crypto map configuration if I don't have to; it wouldn't work anyway.
Any ideas?
03-19-2010 07:58 AM
I'm not 100% sure on this, so lab it up first.
Since you're changing the management interface, it should source from this interface when contacting your AAA server.
03-19-2010 09:32 AM
Thanks. I'll give this a shot.
03-19-2010 03:50 PM
plus you should be able to source the tacacs traffic from your inside interface:
aaa-server
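An added example of what the reply above describes on the secondary ASA, written here for illustration and not taken from any poster's configuration; the names and addresses (TACACS-MAIN, 10.1.1.10 on the main site's inside network, 10.2.0.0/16 as the secondary site's inside range) are assumptions, and the key is a placeholder.

```cisco
! --- secondary site ASA (added example, addresses are assumed) ---
! Naming the inside interface on the host line makes the ASA source
! TACACS+ from the inside interface address instead of the outside IP.
aaa-server TACACS-MAIN protocol tacacs+
aaa-server TACACS-MAIN (inside) host 10.1.1.10
 key REPLACE-WITH-SHARED-KEY
 timeout 5

! The inside interface address must be covered by the crypto map ACL,
! otherwise the request is not treated as tunnel traffic.
access-list VPN-TO-MAIN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

! Needed so management sessions arriving over the tunnel can target
! the inside interface of this ASA.
management-access inside

! Keep LOCAL as the fallback so a tunnel outage cannot lock you out.
aaa authentication ssh console TACACS-MAIN LOCAL
aaa authentication enable console TACACS-MAIN LOCAL

! Verify from the secondary ASA before relying on it:
! test aaa-server authentication TACACS-MAIN host 10.1.1.10 username admin
```

If the test fails, `show crypto ipsec sa` on the secondary ASA shows whether the inside-interface-to-server flow is actually being encrypted, which separates an ACL problem from a server-side problem.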