NAT for Tacacs Servers
Could anyone tell me if it is possible to NAT authentication requests for a specific TACACS server to an alternative address, which would be a new TACACS server - all device subnets have direct connections to a PIX firewall.
E.g.: network devices on 10.50.X.X authenticate to 10.51.20.100. I want any device destined for 10.51.20.100 using port 49 to translate to 192.168.1.100.
I have tried numerous ways to achieve this but I think the problem is that they all have direct connections to the firewall and therefore it will never get translated. Please see attached diagram.
many thanks
Similar Messages
-
How to set up NAT for two servers using same port with ASDM ASA 5505
Hi there,
We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: on our internal network, we have two servers running Filemaker Server, a relational database server that clients connect to using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching access rule in ASDM, which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
Outside user enters FQDN:5004 and this translates to Database server # 1 as 192.168.1.40:5003
and
Outside user enters FQDN:5003 and this translates to Database server # 1 as 192.168.1.38:5003
If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
Thanks in advance,
James
I would create two objects and use object NAT:
object network Obj_5004
host 192.168.1.40
object network Obj_5004
nat (inside,outside) static service tcp 5003 5004
object network Obj_5003
host 192.168.1.38
object network Obj_5003
nat (inside,outside) static service tcp 5003 5003
Of course you will need to open your outside interface for TCP ports 5003 and 5004 to make this happen. -
Source NAT for specific servers in a rule
Hello,
I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
ip address 10.1.1.1
active
service BBBB
ip address 10.1.1.2
active
service XXXX
ip address 20.1.1.1
active
service YYYY
ip address 20.1.1.2
active
owner Gateway
content Gateway1
vip address 61.61.61.61
add service 10.1.1.1
add service 10.1.1.2
add service 20.1.1.2
add service 20.1.1.1
active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
In the past this configuration didn't work. We are going to try it again. Is there anything missing, and what else should we check to get it to work?
Appreciate any help.
Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
TO:
group Gateway
vip address 61.61.61.61
add destination service 10.1.1.1
add destination service 10.1.1.2
add destination service 20.1.1.1
add destination service 20.1.1.2
active
Good luck!
James -
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- Mike
Hi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA, to my understanding, simply rejects the second "static" statement with ERROR messages.
On software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port are coming from. This usually is not the case for public services, but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain whether this is a stable solution. I would imagine it could not be recommended for a production environment setup.
But nevertheless it's a possibility.
So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's running.
- Jouni -
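As an added example (not code from either thread above, and not ASDM output), the following Python script parses object NAT lines in the form shown in the Filemaker reply and flags two rules that claim the same mapped port on the same interface pair, which is exactly the situation in the port-443 question. A source restriction on a rule is modelled abstractly through a `source` field, not in ASA twice-NAT syntax; the 192.168.0.x addresses come from the post, and 203.0.113.10 is a constructed stand-in for the known remote peer.

```python
"""Check ASA object-NAT port forwards for mapped-port collisions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the two-object config from the Filemaker reply.
ASA_CONFIG = """\
object network Obj_5004
 host 192.168.1.40
object network Obj_5004
 nat (inside,outside) static service tcp 5003 5004
object network Obj_5003
 host 192.168.1.38
object network Obj_5003
 nat (inside,outside) static service tcp 5003 5003
"""


@dataclass(frozen=True)
class StaticRule:
    name: str                    # object name
    real_host: str
    ifaces: str                  # "real,mapped" interface pair
    proto: str
    real_port: int
    mapped_port: int
    source: Optional[str] = None  # None means any source (plain object NAT)


OBJ_RE = re.compile(r"object network (\S+)")
HOST_RE = re.compile(r"host (\S+)")
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static service (tcp|udp) (\d+) (\d+)")


def parse_object_nat(config: str) -> List[StaticRule]:
    """Join each object's 'host' and 'nat ... static service' lines into one rule."""
    hosts: Dict[str, str] = {}
    nats: Dict[str, Tuple[str, str, int, int]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)      # the same object may be re-entered later
        elif current and (m := HOST_RE.match(line)):
            hosts[current] = m.group(1)
        elif current and (m := NAT_RE.match(line)):
            nats[current] = (f"{m.group(1)},{m.group(2)}", m.group(3),
                             int(m.group(4)), int(m.group(5)))
    rules = []
    for name, (ifaces, proto, real, mapped) in nats.items():
        if name not in hosts:
            raise ValueError(f"object {name} has a nat line but no host")
        rules.append(StaticRule(name, hosts[name], ifaces, proto, real, mapped))
    return rules


def find_collisions(rules: List[StaticRule]) -> List[Tuple[str, str]]:
    """Pairs of rules claiming the same mapped port for the same kind of traffic.

    Two rules collide when interface pair, protocol and mapped port match and
    their source scope is the same (both any-source, or the same source).
    A source-scoped rule next to an any-source rule is allowed, which is the
    8.3+ possibility the reply describes; the scoped rule must match first.
    """
    seen: Dict[Tuple[str, str, int], List[StaticRule]] = {}
    conflicts = []
    for rule in rules:
        key = (rule.ifaces, rule.proto, rule.mapped_port)
        for earlier in seen.get(key, []):
            if earlier.source == rule.source:
                conflicts.append((earlier.name, rule.name))
        seen.setdefault(key, []).append(rule)
    return conflicts


# Constructed rules for the "two servers on 443" thread (hosts from that post;
# 203.0.113.10 is a made-up stand-in for the known remote peer). Not ASA syntax.
VPN_AND_APP = [
    StaticRule("vpn", "192.168.0.3", "inside,outside", "tcp", 443, 443),
    StaticRule("app", "192.168.0.2", "inside,outside", "tcp", 443, 443),
]
VPN_AND_APP_SCOPED = [
    VPN_AND_APP[0],
    StaticRule("app", "192.168.0.2", "inside,outside", "tcp", 443, 443,
               source="203.0.113.10"),
]

if __name__ == "__main__":
    print(find_collisions(parse_object_nat(ASA_CONFIG)))  # []
    print(find_collisions(VPN_AND_APP))                    # [('vpn', 'app')]
    print(find_collisions(VPN_AND_APP_SCOPED))             # []
```

The checker deliberately keys on the mapped side only: the 5003/5004 pair passes because the real port may repeat as long as the mapped port differs, while two any-source rules for 443 are reported as the conflict the ASA itself would reject.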
Configure Nexus 7k for TACACS in Cisco ACS
Hi,
Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active Directory.
Please advise if the below config is acceptable:
feature tacacs+
tacacs-server key KEY
tacacs-server timeout 20
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
server 1.1.1.1
use-vrf management
source-interface mgmt0
tacacs-server directed-request
aaa authentication login default group TEST
aaa authentication login console none
aaa authorization commands default group TEST
aaa accounting default group TEST
aaa authentication login error-enable
Hi,
What OS version are you using on your servers?
Craig -
Hello All,
I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.
You may download the eval version ACS 4.2.0.124 if you have access to cisco.com.
ACS v4.2.0.124 90-Days Evaluation Software
eval-ACS-4.2.0.124-SW.zip
http://tools.cisco.com/squish/9B37e
Path:
Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
> Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
~BR
Jatin Katyal
**Do rate helpful posts** -
TACACs servers in different locations
Is it possible to have a switch/router configured for 2 x TACACS servers in different locations? They are not clustered; they are on the same network, but in different domains and in different countries, and use different login credentials.
You can configure multiple ACS in your switches and routers. It doesn't matter where these servers are located as long as they are reachable by the AAA client. If both servers work with different credentials I would configure them with different prompts so that the admin can see which server is asked.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network and they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 of the servers from the source interface and the vrf.
The server key is hidden, but at the time of configuration I can ascertain that it's correct.
The problem is that after configuring TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones, without success, including the method suggested on this page:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help, I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
address ipv4 1.1.1.1
key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
address ipv4 2.2.2.2
key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102
In order to resolve this issue, please replace the command listed below:
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You defined the server group name as the method list, and instead of using admin as the server group you used tacacs+.
Note: please ensure you have a local user and enable password configured in case the TACACS server is unreachable.
~BR
Jatin Katyal
**Do rate helpful posts** -
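The reply's diagnosis (a login method list naming `group tacacs+` while the servers live only in the named group `admin`) is the kind of mismatch that is easy to catch before logins start falling through to the enable password. The Python script below is an added example, not code from this thread or from Cisco: it parses `sh running-config` fragments like the ones quoted in this thread and in the Nexus 7k thread above (re-typed here as constructed samples with the page's anonymized addresses, indentation restored and keys omitted) and reports method lists that reference undefined or empty server groups, vty lines pointing at a list that does not exist, and lists that can reach no TACACS+ group but still end in `enable`. Treating `group tacacs+` as covering only legacy `tacacs-server host` entries is this checker's conservative assumption, not something the thread states.

```python
"""Audit AAA login method lists against the TACACS+ servers actually defined."""
import re
from typing import List

# Constructed from the 7606 poster's config above (anonymized addresses, keys omitted).
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
 address ipv4 1.1.1.1
tacacs server admin1
 address ipv4 2.2.2.2
line vty 0 4
 login authentication admin
"""
# The reply's fix: list 'default' uses the named group, so the vty line needs no own list.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login default group admin local enable",
).replace(" login authentication admin\n", "")
# Constructed from the Nexus 7k poster's config (legacy-style 'tacacs-server host').
NEXUS_CONFIG = """\
tacacs-server host 1.1.1.1 key KEY
aaa group server tacacs+ TEST
 server 1.1.1.1
 use-vrf management
aaa authentication login default group TEST
aaa authentication login console none
"""


def parse_aaa(config: str) -> dict:
    """Collect legacy servers, named servers, server groups, login lists and vty refs."""
    cfg = {"legacy": [], "named": {}, "groups": {}, "lists": {}, "vty_refs": []}
    block = None                      # (kind, name) of the open sub-mode, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):      # indented line belongs to the open block
            if block is None:
                continue
            kind, name, text = block[0], block[1], line.strip()
            if kind == "group" and (m := re.match(r"server(?: name)? (\S+)", text)):
                cfg["groups"][name].append(m.group(1))
            elif kind == "server" and (m := re.match(r"address ipv4 (\S+)", text)):
                cfg["named"][name] = m.group(1)
            elif kind == "vty" and (m := re.match(r"login authentication (\S+)", text)):
                cfg["vty_refs"].append(m.group(1))
            continue
        block = None
        if m := re.match(r"tacacs-server host (\S+)", line):
            cfg["legacy"].append(m.group(1))
        elif m := re.match(r"tacacs server (\S+)", line):
            cfg["named"].setdefault(m.group(1), "")
            block = ("server", m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            cfg["groups"][m.group(1)] = []
            block = ("group", m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            # keep 'group X' together as a single method token
            cfg["lists"][m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        elif line.startswith("line vty"):
            block = ("vty", line)
    return cfg


def audit_aaa(config: str) -> List[str]:
    """Return findings; an empty list means every login list can reach a TACACS+ group."""
    cfg, findings = parse_aaa(config), []
    defined = set(cfg["named"]) | set(cfg["legacy"])
    for grp, members in cfg["groups"].items():
        for member in members:
            if member not in defined:
                findings.append(f"group '{grp}': member '{member}' has no server definition")
    for name, methods in cfg["lists"].items():
        reachable = 0
        for method in methods:
            if not method.startswith("group "):
                continue
            grp = method.split(" ", 1)[1]
            # assumption: 'group tacacs+' only covers 'tacacs-server host' entries
            if grp == "tacacs+" and not cfg["legacy"]:
                findings.append(f"list '{name}': 'group tacacs+' has no 'tacacs-server host' entries; named servers are reachable only via groups {sorted(cfg['groups'])}")
            elif grp != "tacacs+" and not cfg["groups"].get(grp):
                findings.append(f"list '{name}': server group '{grp}' is undefined or empty")
            else:
                reachable += 1
        fallbacks = [m for m in methods if not m.startswith("group ")]
        if reachable == 0 and "enable" in fallbacks:
            findings.append(f"list '{name}': no reachable TACACS+ method, logins fall through to " + " then ".join(fallbacks))
    for ref in cfg["vty_refs"]:
        if ref != "default" and ref not in cfg["lists"]:
            findings.append(f"line vty: login method list '{ref}' is not defined")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("nexus", NEXUS_CONFIG)):
        print(label, audit_aaa(text) or ["OK"])
```

Run stand-alone it prints two findings for the broken 7606 config (the `group tacacs+` mismatch and the fall-through to `local` then `enable`, which is what the `AAA/AUTHEN/ENABLE` debug lines show) and nothing for the fixed config or the Nexus snippet, whose group member is satisfied by its `tacacs-server host` line.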
How to configure email Alerts in OEM Cloud 12c for Database Servers up/down
Hi everybody,
How to configure email Alerts in OEM Cloud 12c for Database Servers up/down status?
Regards,
Miguel Vega
Hi Miguel Vega,
Information regarding the notifications:
==============================
Configuring notification rules in 12c is different from earlier releases.
The concept and function of notification rules has been replaced with a two-tier system consisting of Incident Rules and Incident Rule Sets:
1. Incident Rules: operate at the lowest level of granularity (on discrete events) and perform the same role as notification rules from earlier releases.
By using incident rules, you can automate the response to incoming incidents and their updates.
A rule contains a set of automated actions to be taken on specific events, incidents or problems.
The actions taken are for example : sending e-mails, creating incidents, updating incidents, and creating tickets.
2. Incident Rule Set: A rule set is a collection of rules that applies to a common set of objects, for example, targets, jobs, and templates.
To help you to achieve the Notification Rules configuration, refer those notes :
How To Configure Notification Rules in 12C Enterprise Manager Cloud Control? Doc ID 1368036.1
EM12c How to Add and Configure Email Addresses to EM Administrators and Update the Notification Schedule? Doc ID 1368262.1
EM12c How to Subscribe or Unsubscribe for Email Notification for an Incident Rule Set? Doc ID 1389460.1
EM 12c How to Configure Notifications for Job Executions? Doc ID 1386816.1
Best Regards,
Venkat -
How can I list all the domains configured for Weblogic Servers?
How can I list all the domains configured for Weblogic Servers?
I saw a note, which says the following:
"WebLogic Server does not support multi-domain interaction using either the Administration Console, the weblogic.Admin utility, or WebLogic Ant tasks. This restriction does not, however, explicitly preclude a user written Java application from accessing multiple domains simultaneously."
In my case, I just want to list all the domains, is that possible by using any scripts?
Thanks
AJ
If you use WLS Node Manager and the Config Wizard was used to create the domains, then the list of domains should be in a location like this:
<MIDDLEWARE_HOME>\wlserver_10.3\common\nodemanager\nodemanager.domains
Enterprise Manager Grid Control also has support for multi-domain management of WLS in a console. -
Need script for getting Uptime for remote servers
Hi Guys,
I'm in need of a script to get the uptime for Windows servers in number of days. I have more than 1000 servers.
I don't want a PowerShell script as I have many Windows 2003 servers where PowerShell is not installed.
Please help me with this.
Thanks,
Kiran Raj
Hi,
I'd look at the LastBootUpTime property that can be found by querying Win32_OperatingSystem.
Don't retire TechNet! -
(Don't give up yet - 12,700+ strong and growing) -
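Added example, not from the thread: the reply points at Win32_OperatingSystem.LastBootUpTime, which WMI returns in CIM_DATETIME form (yyyymmddHHMMSS.ffffff followed by a signed UTC offset in minutes), and the offset is the part that trips up naive date arithmetic. The Python script below parses such values and works out uptime in whole days. It assumes the values were collected per host with `wmic /node:<server> os get LastBootUpTime /value` (a standard WMIC invocation that needs no PowerShell on the target); the three sample outputs are constructed, including the RPC error an unreachable host would produce.

```python
"""Turn Win32_OperatingSystem.LastBootUpTime values into uptime in days."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# CIM_DATETIME: yyyymmddHHMMSS.ffffff then '+' or '-' and UTC offset in minutes.
CIM_RE = re.compile(r"(\d{14})\.(\d{6})([+-])(\d{3})")


def parse_cim_datetime(value: str) -> datetime:
    """Parse a WMI CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    minutes = int(m.group(4)) * (1 if m.group(3) == "+" else -1)
    return stamp.replace(microsecond=int(m.group(2)),
                         tzinfo=timezone(timedelta(minutes=minutes)))


def uptime_days(last_boot: str, now: datetime) -> int:
    """Whole days since last_boot; both sides are aware, so offsets are honoured."""
    return (now - parse_cim_datetime(last_boot)).days


def report(outputs: Dict[str, str], now: datetime) -> Dict[str, Optional[int]]:
    """Map host -> uptime days from 'wmic ... /value' output; None if no value found."""
    result: Dict[str, Optional[int]] = {}
    for host, text in outputs.items():
        m = re.search(r"LastBootUpTime=(\S+)", text)
        result[host] = uptime_days(m.group(1), now) if m else None
    return result


# Constructed sample outputs of 'wmic /node:<host> os get LastBootUpTime /value';
# srv03 stands for a host that could not be reached.
SAMPLE_OUTPUT = {
    "srv01": "\r\n\r\nLastBootUpTime=20131001031500.500000-300\r\n\r\n",
    "srv02": "\r\n\r\nLastBootUpTime=20130828200059.000000+000\r\n\r\n",
    "srv03": "Node - SRV03\r\nERROR:\r\nDescription = The RPC server is unavailable.\r\n",
}
# Fixed reference time so the sample is reproducible (constructed).
NOW = datetime(2013, 10, 22, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, days in report(SAMPLE_OUTPUT, NOW).items():
        print(host, "unreachable" if days is None else f"{days} days")
```

srv01 booted at 03:15 local time in a UTC-5 zone, i.e. 08:15 UTC on 1 October, so it is 21 whole days up at the reference time; reading the digits without the offset would put the boot five hours earlier and shift the boundary for hosts near a day edge.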
Hi,
We are planning to go one level higher to automate and have more dynamic Software Update Management for Windows Servers. We have SCCM 2012 R2, SCOM 2012 R2 and SCO 2012 R2.
Our plan is to put servers in an AD group to get an update schedule; from there the servers will be imported into a collection for automatic update and reboot. If I understand everything right, SCOM can't read an AD group and put them in a scheduled maintenance mode. SCOM can read a registry value, for example.
Is there any smart way to make the SCOM Maintenance Mode Schedule dynamic?
I found this
http://www.scom2k7.com/scom-2012-maintenance-mode-scheduler/?
/SaiTech
You could use Orchestrator to put the servers from a specific collection, or AD group, in maintenance mode in SCOM. For an example see:
http://www.systemcentercentral.com/orchestrator-how-to-scom-maintenance-mode-for-windows-computers-in-an-sccm-collection/
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude -
OK, I've been trying to get my NAT set to open for MW2 for a bit now but can't seem to figure out what the problem is. Can anyone please help me with opening the NAT on this router for Modern Warfare 2 on the PC, not Xbox or PS3? Any help would be appreciated, thanks.
Honestly I've never had to mess with my router's ports before and honestly don't know exactly how to do it right. I know where to go in the router's settings, I'm just a bit foggy on what numbers to put in where. There are 4 boxes across each line, 2 for port triggering and 2 for port forwarding, then the option to enable it. Don't mean to sound like an idiot but a bit more help would be greatly appreciated. Thanks for the help btw greencross
-
IronPort ESA best practice for DNS servers?
Hello!
Is there a best practice for what servers should be used for the Cisco IronPort DNS servers?
Currently when I check our configuration, we have set it to "Use these DNS servers" and the first two are our domain controllers and last two are Google DNS.
Is there a best practice way of doing this? I'm thinking of selecting the "Use the Internet's Root DNS Servers" option as I can't really see an advantage of using internal DC's.
Thoughts?
Best practice is to use Internet Root DNS Servers and define specific DNS servers for any domain that you need to give different answers for. Since internal mail delivery is controlled by smtproutes, using internal DNS servers is normally not required.
If you must use internal DNS servers I recommend servers dedicated to your IronPorts and not just using servers that handle enterprise lookups as well. IronPorts can place a very high load on DNS servers because every outside connection results in multiple DNS lookups (forward, reverse, SBRS).
If you don't have enough DNS horsepower you are susceptible to a DoS attack, either through accident or design. If the IronPorts overload your internal DNS servers it can impact your entire enterprise. -
NAT overload has been done successfully as follows:
1. ip nat inside and ip nat outside configured on the appropriate interfaces, i.e. fa0/0 and fa0/1
2. default route added on the router.
3. additional configuration is added:
ip nat inside source list 1 interface fa0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Now I am trying to use static NAT for FTP:
ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
But this does not work, please help. I am trying to access the FTP server from the LAN by entering the public address in the browser. I can access the FTP server with the private address but this defeats the purpose of FTP. Please help.
Router(config)#interface fa0/0
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#interface fa0/1
Router(config-if)#ip address 203.109.120.2 255.255.255.252
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
Router(config)#ip nat inside source list 1 interface fa0/1 overload
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255