TACACS through L2L VPN Tunnel

Joe R.
Level 1

I have a VPN Tunnel setup from my remote sites to my corporate office. The tunnel is up and functioning; however, from the router at the remote site I cannot ping the ACS server in my corporate office with a normal ping command. If I do a "ping x.x.x.x source y.y.y.y" I am able to successfully ping from the LAN interface IP on the router.

x.x.x.x= ACS Server

y.y.y.y= LAN IP of Remote Router.

z.z.z.z= Remote Site Outside Private IP

w.w.w.w= Remote Site ISP Public IP

The Outside interface of the remote router is a private IP address, which I am NAT overloading to. Then the ISP NATs me to a public IP. I pushed the ISP to just give me the public IP on the outside interface of my router. But alas, this is the way it ended up, and it was not my decision to proceed with them. The site is in a rural area, and options are limited. I guess I'm not sure what I need to add to the interesting traffic to give the router access to the ACS server. Any help is much appreciated.

Access-list 150 is the Crypto Map ACL

Access-list 155 is the NAT Overload ACL. The deny statements allow for NAT exemption for NAT-T.

access-list 150 permit ip 192.168.239.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 150 permit ip 192.168.239.0 0.0.0.63 10.153.0.0 0.0.0.255
access-list 150 permit ip 192.168.239.0 0.0.0.63 10.153.1.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.153.0.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.153.1.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.16.10.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 204.55.0.0 0.0.31.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.26.5.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.2.128 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.2.64 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.1.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.26.2.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.0.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.1.192 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.1.128 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.1.64 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.1.0 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.3.0 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.2.3.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.2.33.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.5.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.12.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.14.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.11.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.10.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.2.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.5.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.2.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.1.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.28.2.0 0.0.0.63
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.16.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.16.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.6.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.4.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.26.8.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.10.128 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.5.0 0.0.0.127
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.27.13.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 172.26.10.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.64.169.0 0.0.0.255
access-list 150 permit ip 192.168.239.0 0.0.0.63 10.64.169.0 0.0.0.255
access-list 150 permit ip host z.z.z.z 10.153.0.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.77.10.0 0.0.0.255
access-list 150 permit ip 192.168.239.0 0.0.0.63 10.77.10.0 0.0.0.255
access-list 150 permit ip host w.w.w.w 0.0.0.0 255.255.255.0
access-list 155 deny ip 192.168.239.0 0.0.0.63 10.64.169.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.77.10.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.64.169.0 0.0.0.255
access-list 155 deny ip 192.168.239.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 155 deny ip 192.168.239.0 0.0.0.63 10.153.0.0 0.0.0.255
access-list 155 deny ip 192.168.239.0 0.0.0.63 10.153.1.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.153.1.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.153.0.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.16.10.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 204.55.0.0 0.0.31.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.5.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.2.128 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.2.64 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.1.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.0.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.1.192 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.1.128 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.1.64 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.1.0 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.3.0 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.2.3.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 10.2.33.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 192.168.171.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 192.168.111.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.14.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.13.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.15.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.17.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.16.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.18.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.0.64 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.0.192 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.4.64 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.4.0 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.5.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.12.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.14.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.11.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.10.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.2.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.5.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.2.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.1.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.28.2.0 0.0.0.63
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.16.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.16.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.6.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.4.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.8.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.10.128 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.5.0 0.0.0.127
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.2.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.27.13.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 172.26.10.0 0.0.0.255
access-list 155 permit ip 192.168.239.0 0.0.0.63 any
access-list 155 permit ip 192.168.240.0 0.0.0.63 any
access-list 155 permit ip 192.168.240.64 0.0.0.63 any
access-list 155 permit ip 10.100.24.0 0.0.0.63 any
access-list 155 deny ip 192.168.239.0 0.0.0.63 10.77.10.0 0.0.0.255

Accepted Solution

GRANT3779
Spotlight

Is the desired result to be able to manage / connect to router via tacacs?

Can you not add ip tacacs source-interface y.y.y.y?

Ensuring you have y.y.y.y added as device within ACS.
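Why the plain ping fails while the sourced ping works comes down to the source address the router stamps on self-generated traffic and whether that (source, destination) pair hits a permit in the crypto-map ACL. The script below is an added example, not code from the poster or from the thread: it parses a constructed subset of the posted ACLs 150 and 155 (with the placeholders x.x.x.x, y.y.y.y and z.z.z.z replaced by assumed sample addresses 192.168.100.10, 192.168.240.1 and 10.0.0.2) and reports whether a given pair would be encrypted into the tunnel, NAT-overloaded, or routed untouched. It goes slightly beyond the thread by also classifying ordinary LAN-to-Internet traffic, so the same checker can be reused against a full ACL dump.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed subset of the poster's crypto-map ACL (150) and NAT ACL (155).
# Assumed sample addresses: ACS = 192.168.100.10, LAN IP y.y.y.y = 192.168.240.1,
# outside private IP z.z.z.z = 10.0.0.2. None of these are from the original post.
CRYPTO_ACL = """
access-list 150 permit ip 192.168.239.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 150 permit ip 192.168.240.0 0.0.0.63 10.153.0.0 0.0.0.255
access-list 150 permit ip host 10.0.0.2 10.153.0.0 0.0.0.255
""".strip().splitlines()

NAT_ACL = """
access-list 155 deny ip 192.168.239.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 155 deny ip 192.168.240.0 0.0.0.63 192.168.100.0 0.0.0.255
access-list 155 permit ip 192.168.239.0 0.0.0.63 any
access-list 155 permit ip 192.168.240.0 0.0.0.63 any
""".strip().splitlines()

AddrSpec = Tuple[int, int]  # (network as int, Cisco wildcard as int)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec starting at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network, wildcard), index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_ace(line: str) -> Tuple[str, AddrSpec, AddrSpec]:
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src_spec, dst_spec)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = t[2]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def _matches(addr: ipaddress.IPv4Address, spec: AddrSpec) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', so compare only the 0 bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(addr) & care) == (net & care)


def first_match(acl_lines: List[str], src: str, dst: str) -> Optional[str]:
    """Return the action of the first ACE matching (src, dst), or None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl_lines:
        action, sspec, dspec = parse_ace(line)
        if _matches(s, sspec) and _matches(d, dspec):
            return action
    return None


def classify(src: str, dst: str) -> str:
    """What the remote router does with a packet src -> dst, using the ACLs above:
    'encrypt' if the crypto ACL permits it (interesting traffic), else 'nat-overload'
    if the NAT ACL permits it, else 'route-clear' (neither encrypted nor translated)."""
    if first_match(CRYPTO_ACL, src, dst) == "permit":
        return "encrypt"
    if first_match(NAT_ACL, src, dst) == "permit":
        return "nat-overload"
    return "route-clear"


if __name__ == "__main__":
    ACS, LAN_IP, OUTSIDE_IP, INTERNET = "192.168.100.10", "192.168.240.1", "10.0.0.2", "203.0.113.5"
    # Unsourced ping / TACACS from the router is sourced from the outside interface.
    print("outside -> ACS :", classify(OUTSIDE_IP, ACS))   # route-clear: never enters the tunnel
    # 'ping ... source y.y.y.y' or 'ip tacacs source-interface' uses the LAN address instead.
    print("LAN IP  -> ACS :", classify(LAN_IP, ACS))       # encrypt
    print("LAN host -> Internet:", classify("192.168.240.5", INTERNET))  # nat-overload
```

The first line of output is the failure from the post: a packet sourced from the outside interface matches no permit in ACL 150, so it is routed in the clear and never reaches the corporate side through the tunnel. Sourcing TACACS from the LAN interface puts the packet inside an existing crypto ACL entry, which is exactly what the accepted answer achieves; the ACS server must then also recognise that LAN address as the device's source.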


2 Replies


I'm a little bit embarrassed that I didn't know that command. Thanks!