Hello, I have tried this out today and made a blog post about it. Please give me feedback! :-)
http://blogg.kvistofta.nu/asa-generated-traffic-thru-lan2lan-tunnel/

/Jimmy

2011/4/14 Andrew Wurster <[email protected]>

> oh true i forgot about that aaa server interface. that specifies the interface to egress to reach the aaa server. so yes in your case specify the outside interface there and also that interface's address in your crypto acls and you should be golden. i am 99.9% sure you need to specify both of those things using the outside interface.
>
> keep us posted.
>
> On Apr 14, 2011 12:59 PM, "Jimmy Larsson" <[email protected]> wrote:
>
> > Cool! This is my gut feeling as well, but I have never tried it. One question is regarding the interface-relation when defining a radius-server. If I look at the ASA-syntax it says:
> >
> > ciscoasa(config)# aaa-server RAD ?
> >
> > configure mode commands/options:
> >   (                    Open parenthesis for the name of the network interface where the designated AAA server is accessed
> >   deadtime             Specify the amount of time that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers
> >   host                 Enter this keyword to specify the IP address for the server
> >   max-failed-attempts  Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated
> >   protocol             Enter the protocol for a AAA server group
> >
> > In my world there is really no need for defining an interface for this since it's "all about routing". Given that the radius-server ip is x.x.x.x and there is a route for x.x.x.x, why define an interface? My own feeling about this is that this is for defining the source ip for outbound radius packets. But looking at the syntax help above the interface-relationship is only a way to define where to send the traffic (which in my world could be done just by using the routing table).
> >
> > So you are saying that I should define my remote radius-server as (outside)? Another hypothesis I had (if I were right regarding the interface-definition above) was to use (inside) so that the radius-packets were sourced from the inside ip and thereby included in the "normal" crypto-acl defining inside-LAN-2-Inside-Lan (and sending it via outside only because of the default route).
> >
> > Two theories. Mine is probably wrong. I will also lab it up quite soon if no one else here knows for sure. ;)
> >
> > Thanks for your input!
> >
> > /Jimmy Larsson
> >
> > 2011/4/14 Andrew Wurster <[email protected]>
> >
> >> jimmy -
> >>
> >> as bruno said - it's possible :) .
> >>
> >> think about it from a routing perspective. know that the crypto happens as the traffic is pushed towards the egress interface (post nat). this is true for routers and firewalls, but on firewall we choose the local address based on routing only, so we usually have no "source address" or loopback interface selection commands like we do on the routers (think local-address for the crypto map commands in IOS).
> >>
> >> SO... you're most likely going to assume it will be sourced using the outside interface IP address. so all you've got to do is add the traffic between ASA1's outside interface IP address to the internal radius server behind ASA2. AND THEN of course you've got to tell your SNMP server that the client is at the public outside interface IP address (for instance 20.20.20.20) and not the private inside one. AND ALSO if you're doing NAT - make sure to exempt the NAT from the SNMP server to the new host address. it's all about the layers baby!!!
> >>
> >> so it might look something like:
> >>
> >> !!! ASA1 !!!
> >> access-list CRYPTO_ACL extend permit ip host 20.20.20.20 host 192.168.2.10
> >>
> >> !!! ASA2 !!!
> >> access-list CRYPTO_ACL extend permit ip host 192.168.2.10 host 20.20.20.20
> >> access-list NO_NAT extend permit ip host 192.168.2.10 host 20.20.20.20
> >>
> >> and bingo bango (hopefully)... give it a shot and let us know. i'll try to lab it up for you this weekend if i have time.
> >>
> >> cheers,
> >>
> >> andrew
> >>
> >> On Thu, Apr 14, 2011 at 11:36 AM, Jimmy Larsson <[email protected]> wrote:
> >>
> >>> Hi guys
> >>>
> >>> I have a question that I have tried to find time to lab out myself without success, so I am throwing it out here in the hope of a quick answer.
> >>>
> >>> Let's say that my ASA1 has a Lan2Lan-tunnel to ASA2. On the inside of ASA2 is a radius-server and ASA1 needs to authenticate vpn-clients on that radius server. Can I do that thru the vpn-tunnel? And if so, how do I define the crypto acl and which interface should I specify in ASA1 that the radius-server resides on?
> >>>
> >>> Topology:
> >>>
> >>> Radius-server .10 on Lan2 192.168.2.0/24 -----(.1) ASA2 =====VPN-tunnel over internet=====ASA1 .1 --- Lan1 192.168.1.0/24
> >>>
> >>> How do I configure aaa-server for radius on ASA1?
> >>>
> >>> Thanks in advance!
> >>>
> >>> Best regards
> >>> Jimmy Larsson

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
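The point Andrew makes in the thread is that firewall-originated RADIUS traffic is only encrypted if the address it is sourced from (the outside interface, when the aaa-server group is bound to outside) is covered by an ACE in the crypto ACL, and that the peer's crypto ACL must mirror it. The following Python script is an added example, not code from the thread, from Jimmy's blog or from Cisco; it models that reasoning offline. It parses the two ASA ACE forms used in the discussion (`host A host B` and `NET MASK NET MASK`, plus `any`), uses the thread's addresses as a constructed interface table, and assumes, as Andrew describes, that the interface named in `aaa-server GROUP (IFACE)` is the one whose address sources the RADIUS packets. It shows that with only the LAN-to-LAN ACE, RADIUS from 20.20.20.20 to 192.168.2.10 would not be interesting traffic and would leave the tunnel unencrypted, while the extra host ACE fixes that, and it checks that ASA2's ACL is the exact mirror of ASA1's.

```python
"""Crypto-ACL 'interesting traffic' check for ASA-originated RADIUS packets.

Added example (not from the thread or any Cisco code). The ACE grammar is
limited to 'permit ip' entries with 'host A', 'any' or 'NET MASK' endpoints,
which is all the discussion uses.
"""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extend(?:ed)?\s+permit\s+ip\s+(?P<rest>.+)$"
)

# Constructed from the thread's topology: ASA1 outside 20.20.20.20,
# ASA1 inside 192.168.1.1, RADIUS server 192.168.2.10 behind ASA2.
ASA1_INTERFACES = {"outside": "20.20.20.20", "inside": "192.168.1.1"}
RADIUS_SERVER = "192.168.2.10"

# The "normal" LAN-to-LAN crypto ACL on ASA1, before the fix.
LAN_ONLY_ACL = [
    "access-list CRYPTO_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
]
# ASA1's ACL with the host ACE Andrew suggests for the firewall's own traffic.
ASA1_ACL = LAN_ONLY_ACL + [
    "access-list CRYPTO_ACL extended permit ip host 20.20.20.20 host 192.168.2.10",
]
# ASA2's side must be the mirror image, entry for entry.
ASA2_ACL = [
    "access-list CRYPTO_ACL extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list CRYPTO_ACL extended permit ip host 192.168.2.10 host 20.20.20.20",
]


def _endpoint(tokens):
    """Consume one address spec ('host A', 'any' or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Return (acl_name, src_network, dst_network) for one permit-ip ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _endpoint(m["rest"].split())
    dst, rest = _endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return m["name"], src, dst


def source_address(aaa_interface, interfaces=ASA1_INTERFACES):
    """Assumption taken from the thread: the interface named in
    'aaa-server GROUP (IFACE)' is the one whose address sources the
    firewall's own RADIUS packets."""
    return interfaces[aaa_interface]


def matching_aces(acl_lines, src_ip, dst_ip):
    """ACEs under which a src->dst flow is classified as interesting traffic."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for line in acl_lines:
        _, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            hits.append(line)
    return hits


def is_mirror(ace_a, ace_b):
    """Peer crypto ACEs must be exact mirrors: src and dst swapped."""
    _, sa, da = parse_ace(ace_a)
    _, sb, db = parse_ace(ace_b)
    return sa == db and da == sb


def radius_interesting(aaa_interface, acl_lines):
    """Would RADIUS from ASA1 (sourced per aaa_interface) go through the tunnel?"""
    return bool(matching_aces(acl_lines, source_address(aaa_interface), RADIUS_SERVER))


if __name__ == "__main__":
    src = source_address("outside")
    print(f"RADIUS {src} -> {RADIUS_SERVER}, LAN-only ACL: {radius_interesting('outside', LAN_ONLY_ACL)}")
    print(f"RADIUS {src} -> {RADIUS_SERVER}, with host ACE: {radius_interesting('outside', ASA1_ACL)}")
    print("ASA2 mirrors ASA1:", all(is_mirror(a, b) for a, b in zip(ASA1_ACL, ASA2_ACL)))
```

The mirror check is worth keeping in any change procedure for a LAN-to-LAN tunnel: an ACE added on one peer without its mirror on the other shows up later as a phase 2 proxy-ID mismatch rather than as an obvious ACL error.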
