Can a PIX use a AAA server that is on the other side of its own IPSec tunnel?

Discussion in 'Cisco' started by shahidsheikh....com, Mar 5, 2006.

  1. This is what I have:

    AAA Server (main office) <---> PIX 515 <--- IPSec tunnel ---> PIX 501 <--> Satellite office

    My question is: can the PIX 501 use the AAA server through the tunnel? I
    have a couple of users that use the Cisco VPN client to connect to the
    515 and get authenticated using the AAA server. But all the resources
    they use are in the Satellite office and I would like them to just
    establish the VPN to the 501.

    Thanks,

    Shahid
     
    shahidsheikh....com, Mar 5, 2006
    #1
  2. In theory, yes. I believe I've seen a Cisco configuration example
    for that case (but I'm not sure I could find it now.)
     
    Walter Roberson, Mar 5, 2006
    #2
  3. Merv Guest

    Here is a Cisco example of passing SNMP and syslog over a PIX VPN
    tunnel.

    See no reason why AAA could not use a similar setup.

    Monitoring Cisco Secure PIX Firewall Using SNMP and Syslog Through VPN
    Tunnel
    http://www.cisco.com/en/US/
    /products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml
     
    Merv, Mar 5, 2006
    #3
  4. Thanks for the replies. So far I have been unable to make it work. It
    works if I let the traffic go unencrypted between the remote PIX and
    the AAA server, but as soon as I add the respective source and
    destination IPs in my access list to be protected by the crypto map it
    quits working.

    Will have to do some sniffing and troubleshooting to see what I'm doing
    wrong.

    Thanks,

    Shahid
     
    shahidsheikh....com, Mar 8, 2006
    #4
  5. Tosh Guest

    > works if I let the traffic go unencrypted between the remote PIX and

    Have you tried with:
    management-access inside ?

    Bye,
    Max.
     
    Tosh, Mar 8, 2006
    #5
  6. Merv Guest

    try using the capture command on the PIX closest to the AAA server to
    capture the AAA packets.

    You can set up an access list to go along with the capture command so
    that the capture can be restricted to just the AAA packets.
     
    Merv, Mar 8, 2006
    #6
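The following is an added example, not configuration posted by anyone in this thread and not Cisco's own document, that pulls the thread's pieces together for the PIX 501 side: the crypto ACL has to cover the firewall's own RADIUS traffic, not just the LAN-to-LAN subnets, because a PIX sources AAA requests from the address of the interface the server is reached through (here the inside interface), and Merv's capture-with-access-list gives a way to confirm whether requests actually leave and replies come back. All addresses, names and the shared secret are constructed placeholders; the syntax is PIX OS 6.3, and the hub PIX 515 needs the mirror-image crypto ACL entry (AAA server host to the 501's inside address) plus a matching NAT exemption.

```cisco
! ---- PIX 501 (satellite office), PIX OS 6.3 syntax ----
! Constructed addressing (not from the thread):
!   501 inside interface 10.2.2.1/24, satellite LAN 10.2.2.0/24
!   AAA (RADIUS) server at main office 10.1.1.10, main office LAN 10.1.1.0/24
!   515 outside (tunnel peer) 203.0.113.1

! AAA server is reached through the inside interface, so the 501 sends
! RADIUS requests with source 10.2.2.1 (its inside address).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 SHARED-SECRET-PLACEHOLDER timeout 5

! Interesting traffic for the tunnel.
! Line 1: the LAN-to-LAN traffic that already works.
! Line 2: the firewall's OWN traffic to the AAA server. Without this line
!         the RADIUS packets are sent in the clear (or dropped) instead of
!         being encrypted, which matches the symptom described in post #4.
access-list toHQ permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list toHQ permit ip host 10.2.2.1 host 10.1.1.10

! Exempt tunnel traffic from NAT (LAN hosts; the PIX's own traffic is not NATed).
nat (inside) 0 access-list toHQ

crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map HQ 10 ipsec-isakmp
crypto map HQ 10 match address toHQ
crypto map HQ 10 set peer 203.0.113.1
crypto map HQ 10 set transform-set STRONG
crypto map HQ interface outside

! Optional: lets the inside interface address be used as the source for
! management-type traffic across the VPN (Tosh's suggestion in post #5).
management-access inside

! ---- Troubleshooting (Merv's suggestion in post #6) ----
! Capture only RADIUS packets between the 501 and the AAA server.
! Run the same capture on the 515 with the interfaces swapped to see
! whether the requests arrive and whether the server's replies return.
access-list AAACAP permit udp host 10.2.2.1 host 10.1.1.10 eq 1812
access-list AAACAP permit udp host 10.1.1.10 host 10.2.2.1 eq 1812
capture AAA access-list AAACAP interface inside
! show capture AAA            -> decoded packet list
! show crypto ipsec sa        -> encaps/decaps counters for the 10.2.2.1<->10.1.1.10 SA
! no capture AAA              -> remove the capture when finished
```

Two things to check with the capture: if `show capture AAA` shows requests but no replies, the hub side is usually missing either the mirror crypto ACL line or the NAT exemption for the AAA server's replies; if `show crypto ipsec sa` shows no security association for the host-to-host pair, the 501 never classified its own RADIUS traffic as interesting, which points back at the crypto ACL.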