NAT for Tacacs Servers

Could anyone tell me if it is possible to NAT authentication requests for a specific TACACS server to an alternative address, which would be a new TACACS server? All device subnets have direct connections to a PIX firewall.
e.g.: network devices on 10.50.X.X authenticate to 10.51.20.100. I want any device destined for 10.51.20.100 using port 49 to translate to 192.168.1.100.
I have tried numerous ways to achieve this, but I think the problem is that they all have direct connections to the firewall and therefore it will never get translated. Please see attached diagram.
Many thanks

Similar Messages

  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running FileMaker Server, a relational database server that clients connect to using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching access rule in ASDM, which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a translated port number different from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
    Outside user enters FQDN:5004 and this translates to Database server # 1 as 192.168.1.40:5003
    and
    Outside user enters FQDN:5003 and this translates to Database server # 1 as 192.168.1.38:5003
    If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT:
    object network Obj_5004
    host 192.168.1.40
    object network Obj_5004
    nat (inside,outside) static service tcp 5003 5004
    object network Obj_5003
    host 192.168.1.38
    object network Obj_5003
    nat (inside,outside) static service tcp 5003 5003
    Of course you will need to open your outside interface for TCP ports 5003 and 5004 to make this happen.

  • Source NAT for specific servers in a rule

    Hello,
    I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
    VIP address: 61.61.61.61
    Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
    Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
    Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
    service AAAA
    ip address 10.1.1.1
    active
    service BBBB
    ip address 10.1.1.2
    active
    service XXXX
    ip address 20.1.1.1
    active
    service YYYY
    ip address 20.1.1.2
    active
    owner Gateway
    content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.2
    add service 20.1.1.1
    active
    As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
    group Gateway
    vip address 61.61.61.61
    add destination service 20.1.1.1
    add destination service 20.1.1.2
    active
    In the past this configuration didn't work. We are going to try it again. Is there anything missing, and what else should we check to get it to work?
    Appreciate any help.

    Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
    Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
    FROM:
    group Gateway
      vip address 61.61.61.61
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    TO:
    group Gateway
      vip address 61.61.61.61
      add destination service 10.1.1.1
      add destination service 10.1.1.2
      add destination service 20.1.1.1
      add destination service 20.1.1.2
      active
    Good luck!
    James

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA, to my understanding, simply rejects the second "static" statement with ERROR messages.
    On software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port are coming from. This usually is not the case for public services, but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain whether this is a stable solution. I would imagine it could not be recommended for a production environment setup.
    But nevertheless it's a possibility.
    So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's running.
    - Jouni

  • Configure Nexus 7k for TACACS in Cisco ACS

    Hi,
    Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from Active Directory.
    Please advise if the below config is acceptable:
    feature tacacs+
    tacacs-server key KEY
    tacacs-server timeout 20
    tacacs-server host 1.1.1.1 key KEY
    aaa group server tacacs+ TEST
        server 1.1.1.1
        use-vrf management
        source-interface mgmt0
    tacacs-server directed-request
    aaa authentication login default group TEST
    aaa authentication login console none
    aaa authorization commands default group TEST
    aaa accounting default group TEST
    aaa authentication login error-enable

    Hi,
    What OS version are you using on your servers?
    Craig

  • AAA and TACACS servers

    Hello All,
    I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • TACACs servers in different locations

    Is it possible to have a switch/router configured for 2 x TACACS servers in different locations? They are not clustered; they are on the same network, but in different domains and in different countries, and use different login credentials.

    You can configure multiple ACS in your switches and routers. It doesn't matter where these servers are located as long as they are reachable by the AAA client. If both servers work with different credentials, I would configure them with different prompts so that the admin can see which server is being asked.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Problem setting 7606 router for TACACS+ authentication

    Hello Support Community,
    I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is reachable from desktops for SSH login. The true IP addresses and vrf have been altered because it's a company router.
    I use the two servers to authenticate many other Cisco devices in the network, and they are working fine.
    I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 of the servers from the source interface and the vrf.
    The server key is hidden, but at the time of configuration I ascertained that it's correct.
    The problem is that after configuring TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
    Please study the outputs below and help point out what I may need to change.
    PS: I have tried out many other combinations, including deprecated ones, without success, including the method suggested on this page:
    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
    Please help, I'm stuck.
    ROUTER#sh running-config | sec aaa
    aaa new-model
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    aaa session-id common
    ROUTER#sh running-config | sec tacacs
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    tacacs server admin
    address ipv4 1.1.1.1
    key 7 XXXXXXXXXXXXXXXXXXXX
    tacacs server admin1
    address ipv4 2.2.2.2
    key 7 XXXXXXXXXXXXXXXXxxxx
    line vty 0 4
    login authentication admin
    ROUTER#sh tacacs
    Tacacs+ Server -  public  :
                   Server name: admin
                Server address: 1.1.1.1
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server -  public  :
                   Server name: admin1
                Server address: 2.2.2.2
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
    Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    ROUTER#sh ver
    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Fri 30-Mar-12 08:34 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
    Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
    System returned to ROM by reload (SP by reload)
    System restarted at 20:00:59 UTC Wed Aug 28 2013
    System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
    Processor board ID FOX1623G61B
    BASEBOARD: RSP720
    CPU: MPC8548_E, Version: 2.1, (0x80390021)
    CORE: E500, Version: 2.2, (0x80210022)
    CPU:1200MHz, CCB:400MHz, DDR:200MHz,
    L1:    D-cache 32 kB enabled
            I-cache 32 kB enabled
    Last reset from power-on
    3 Virtual Ethernet interfaces
    76 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    3964K bytes of non-volatile configuration memory.
    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
    Configuration register is 0x2102

    In order to resolve this issue, please replace the below listed command
    aaa authentication login admin group tacacs+ local enable
    with:
    aaa authentication login default group admin local enable
    You defined the server group name as the method list name, and instead of using admin as the server group, you used tacacs+.
    Note: Please ensure you have a local user and enable password configured in case the tacacs server is unreachable.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
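An added example (mine, not from the poster or the replier) that turns the diagnosis above into a repeatable check: it cross-references the posted method list, named server group and vty login lines, and reads the zero "Total Packets Sent" counters from `sh tacacs`, to show why TACACS+ was never consulted. When it proposes a fix it keeps the method list named `admin`, because the vty lines reference that name; the reply above moves the methods to the `default` list instead. The CONFIG and SH_TACACS strings are constructed copies of the lines quoted in the thread.

```python
"""Lint for the 7606 TACACS+ thread: cross-reference AAA method lists, named
tacacs+ server groups and vty login lines, and read 'sh tacacs' counters."""
import re

# Constructed copy of the poster's 'sh running-config | sec aaa' excerpt.
CONFIG = """\
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
line vty 0 4
 login authentication admin
"""

# Constructed copy of the relevant 'sh tacacs' counter lines.
SH_TACACS = """\
Tacacs+ Server -  public  :
               Server name: admin
            Server address: 1.1.1.1
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server -  public  :
               Server name: admin1
            Server address: 2.2.2.2
        Total Packets Sent:          0
        Total Packets Recv:          0
"""


def parse_config(text):
    """Return (named tacacs+ groups, {method-list: method tokens}, vty login lists)."""
    groups, lists, vty_lists = set(), {}, set()
    for line in text.splitlines():
        if m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"\s+login authentication (\S+)", line):
            vty_lists.add(m.group(1))
    return groups, lists, vty_lists


def lint(config, sh_tacacs):
    """Findings, in the order a reviewer would check them."""
    groups, lists, vty_lists = parse_config(config)
    findings, referenced = [], set()
    for name, toks in lists.items():
        # 'group X' is a two-token method; pair each token with its successor.
        for kw, arg in zip(toks, toks[1:] + [None]):
            if kw == "group":
                referenced.add(arg)
                if arg == "tacacs+" and groups:
                    findings.append(
                        f"list '{name}' uses the built-in 'group tacacs+' although "
                        f"the servers and VRF live in named group(s) {sorted(groups)}")
    for g in sorted(groups - referenced):
        findings.append(f"server group '{g}' is never referenced by a method list")
    for v in sorted(vty_lists):
        if v != "default" and v not in lists:
            findings.append(f"vty lines reference undefined method list '{v}'")
    sent = [int(n) for n in re.findall(r"Total Packets Sent:\s+(\d+)", sh_tacacs)]
    if sent and not any(sent):
        findings.append("sh tacacs: 0 packets sent to every server, so login fell "
                        "through to the later methods (local, enable)")
    return findings


def suggested_fix(config):
    """Point each 'group tacacs+' list at the single named group, keeping the
    list name so the existing 'login authentication' lines still match."""
    groups, lists, _ = parse_config(config)
    if len(groups) != 1:
        return []
    (group,) = groups
    return [f"aaa authentication login {name} group {group} {' '.join(toks[2:])}"
            for name, toks in lists.items() if toks[:2] == ["group", "tacacs+"]]


if __name__ == "__main__":
    for finding in lint(CONFIG, SH_TACACS):
        print("-", finding)
    print("suggested:", *suggested_fix(CONFIG), sep="\n  ")
```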

  • How to configure email Alerts in OEM Cloud 12c for Database Servers up/down

    Hi everybody,
    How to configure email Alerts in OEM Cloud 12c for Database Servers up/down status?
    Regards,
    Miguel Vega

    Hi Miguel Vega,
    Information regarding the notifications:
    ==============================
    Configuring notification rules in 12c is different from earlier releases.
    The concept and function of notification rules has been replaced with a two-tier system consisting of Incident Rules and Incident Rule Sets:
    1. Incident Rules: Operate at the lowest level of granularity (on discrete events) and perform the same role as notification rules from earlier releases.
    By using incident rules, you can automate the response to incoming incidents and their updates.
    A rule contains a set of automated actions to be taken on specific events, incidents or problems.
    The actions taken are, for example: sending e-mails, creating incidents, updating incidents, and creating tickets.
    2. Incident Rule Set: A rule set is a collection of rules that applies to a common set of objects, for example, targets, jobs, and templates.
    To help you achieve the notification rules configuration, refer to these notes:
    How To Configure Notification Rules in 12C Enterprise Manager Cloud Control ? Doc ID 1368036.1
    EM12c How to Add and Configure Email Addresses to EM Administrators and Update the Notification Schedule ?Doc ID 1368262.1
    EM12c How to Subscribe or Unsubscribe for Email Notification for an Incident Rule Set ?Doc ID 1389460.1
    EM 12c How to Configure Notifications for Job Executions ? Doc ID 1386816.1
    Best Regards,
    Venkat

  • How can I list all the domains configured for Weblogic Servers?

    How can I list all the domains configured for Weblogic Servers?
    I saw a note, which says the following:
    "WebLogic Server does not support multi-domain interaction using either the Administration Console, the weblogic.Admin utility, or WebLogic Ant tasks. This restriction does not, however, explicitly preclude a user written Java application from accessing multiple domains simultaneously."
    In my case, I just want to list all the domains, is that possible by using any scripts?
    Thanks
    AJ

    If you use WLS Node Manager and the Config Wizard was used to create the domains, then the list of domains should be in a location like this:
    <MIDDLEWARE_HOME>\wlserver_10.3\common\nodemanager\nodemanager.domains
    Enterprise Manager Grid Control also has support for multi-domain management of WLS in a console.

  • Need script for getting Uptime for remote servers

    Hi Guys,
    I'm in need of a script to get the uptime for Windows servers in number of days. I have more than 1000 servers.
    I don't want a PowerShell script as I have many Windows 2003 servers where PowerShell is not installed.
    Please help me with this.
    Thanks,
    Kiran Raj

    Hi,
    I'd look at the LastBootUpTime property that can be found by querying Win32_OperatingSystem.
    Don't retire TechNet! -
    (Don't give up yet - 12,700+ strong and growing)

  • SCCM 2012 Software Update Management for Windows Servers and how to automatic set SCOM maintenance mode?

    Hi,
    We are planning to go one level higher to automate and have more dynamic Software Update Management for Windows Servers. We have SCCM 2012 R2, SCOM 2012 R2 and SCO 2012 R2.
    Our plan is to put servers in an AD group to get an update schedule; from there the servers will be imported into a collection for automatic update and reboot. If I understand everything right, SCOM can't read an AD group and put them in a scheduled maintenance mode. SCOM can read a reg value, for example.
    Is there any smart way to make the SCOM Maintenance Mode schedule dynamic?
    I found this
    http://www.scom2k7.com/scom-2012-maintenance-mode-scheduler/?
    /SaiTech

    You could use Orchestrator to put the servers from a specific collection, or AD group, in maintenance mode in SCOM. For an example see:
    http://www.systemcentercentral.com/orchestrator-how-to-scom-maintenance-mode-for-windows-computers-in-an-sccm-collection/
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Open Nat for WRT54GSV4

    Ok, I've been trying to get my NAT set to open for MW2 for a bit now but can't seem to figure out what the problem is. Can anyone please help me with opening the NAT on this router for Modern Warfare 2 on the PC, not Xbox or PS3. Any help would be appreciated, thanks.

    Honestly I've never had to mess with my router's ports before and honestly don't know exactly how to do it right. I know where to go in the router's settings; I'm just a bit foggy on what numbers to put in where. There are 4 boxes across each line, 2 for port triggering and 2 for port forwarding, then the option to enable it. Don't mean to sound like an idiot, but a bit more help would be greatly appreciated. Thanks for the help btw greencross

  • IronPort ESA best practice for DNS servers?

    Hello!
    Is there a best practice for what servers should be used for the Cisco IronPort DNS servers?
    Currently when I check our configuration, we have set it to "Use these DNS servers" and the first two are our domain controllers and last two are Google DNS.
    Is there a best practice way of doing this? I'm thinking of selecting the "Use the Internet's Root DNS Servers" option as I can't really see an advantage of using internal DC's.
    Thoughts?

    Best practice is to use the Internet Root DNS Servers and define specific DNS servers for any domain that you need to give different answers for. Since internal mail delivery is controlled by smtproutes, using internal DNS servers is normally not required.
    If you must use internal DNS servers, I recommend servers dedicated to your IronPorts and not just using servers that handle enterprise lookups as well. IronPorts can place a very high load on DNS servers because every outside connection results in multiple DNS lookups (forward, reverse, SBRS).
    If you don't have enough DNS horsepower you are susceptible to a DoS attack, either through accident or design. If the IronPorts overload your internal DNS servers, it can impact your entire enterprise.

  • Static NAT for FTP access

    NAT overload has been done successfully as follows:
    1. ip nat inside and ip nat outside configured on the appropriate interfaces, i.e. fa0/0 and fa0/1
    2. default route added on the router.
    3. additional configuration is added:
    ip nat inside source list 1 interface fa0/1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    Now I am trying to use static NAT for FTP:
    ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
    But this does not work, please help. I am trying to access the FTP server from the LAN by entering the public address in the browser. I can access the FTP server with the private address, but this defeats the purpose of FTP. Please help.

    Router(config)#interface fa0/0
    Router(config-if)#ip address 192.168.1.254 255.255.255.0
    Router(config-if)#no shut
    Router(config-if)#ip nat inside
    Router(config-if)#interface fa0/1
    Router(config-if)#ip address 203.109.120.2 255.255.255.252
    Router(config-if)#no shut
    Router(config-if)#ip nat outside
    Router(config)#ip route 0.0.0.0 0.0.0.0 fa0/1
    Router(config)#ip nat inside source list 1 interface fa0/1 overload
    Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
