Ahhh, I see...
Well, the only feasible solution I see is for you to perform Identity NAT (or
nat 0) for the hosts in question....
Good luck buddy...
Sadiq
On Sat, May 30, 2009 at 6:27 AM, Ajay mehra <ajaymehra01_at_gmail.com> wrote:
> Hi Sadiq,
>
> All the clients are PAT translated just before reaching AAA, so essentially
> coming from the same IP address. Thus sourcing RAD/TAC traffic from different
> IPs will not help.
>
> Thanks,
> Ajay
>
> 2009/5/29 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> I am not sure you can do this Ajay...
>>
>> On the clients' side though, you could source their RADIUS/TACACS traffic
>> off different IPs (or interfaces) to properly segment them.
>>
>> HTH a little,
>> Sadiq
>>
>> On Fri, May 29, 2009 at 2:15 PM, Ajay mehra <ajaymehra01_at_gmail.com> wrote:
>>
>>> Hi Experts,
>>>
>>> My AAA server is connected to ASA1 and all of the clients will be source
>>> translated by ASA before they reach AAA. Let us say I have three clients,
>>> R2, ASA1 and ASA2, which will be talking to AAA. All of these clients will
>>> come to AAA with only one IP address because of NAT on ASA1 (let's say
>>> 1.1.1.1).
>>>
>>> ASA2: RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) (1.1.1.1) (for telnet)
>>> ASA1: TACACS+ (Cisco IOS) (1.1.1.1) (for ssh)
>>> R2: RADIUS (Cisco IOS / PIX) (1.1.1.1) (for auth-proxy)
>>>
>>> For R2 I get the error:
>>>
>>> "An overlapping IP range has been detected 1.1.1.1 conflicts with ASA2
>>> entry of 1.1.1.1"
>>>
>>> Is there any way that I can support this condition?
>>>
>>> Thanks,
>>> Ajay
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> CCIE #19963
>>
>
>
--
CCIE #19963

Received on Sat May 30 2009 - 11:39:09 ART
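
An added example, not part of the original thread: a small pre-change check that models which source address each AAA client presents to the AAA server under PAT, and how identity NAT for selected hosts removes the shared address. The client names, protocols and 1.1.1.1 come from the thread; the real (pre-NAT) addresses and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

PAT_ADDRESS = ipaddress.ip_address("1.1.1.1")  # translated address named in the thread

# Constructed inventory: names and protocols are from the thread,
# the real (pre-NAT) source addresses are assumptions for illustration.
CLIENTS = [
    {"name": "ASA2", "protocol": "RADIUS", "real_ip": "10.0.2.1"},
    {"name": "ASA1", "protocol": "TACACS+", "real_ip": "10.0.1.1"},
    {"name": "R2", "protocol": "RADIUS", "real_ip": "10.0.3.2"},
]


def source_seen_by_aaa(client, exempt_nets):
    """Address the AAA server sees: the real one if exempt from NAT, else the PAT address."""
    real = ipaddress.ip_address(client["real_ip"])
    if any(real in net for net in exempt_nets):
        return real
    return PAT_ADDRESS


def aaa_client_entries(clients, exempt=()):
    """(name, protocol, address) rows to define on the AAA server for this NAT policy."""
    nets = [ipaddress.ip_network(n) for n in exempt]
    return [(c["name"], c["protocol"], str(source_seen_by_aaa(c, nets))) for c in clients]


def find_conflicts(clients, exempt=()):
    """Map each source address shared by more than one client to the clients behind it."""
    by_ip = defaultdict(list)
    for name, _proto, addr in aaa_client_entries(clients, exempt):
        by_ip[addr].append(name)
    return {addr: names for addr, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    print("PAT for everyone:", find_conflicts(CLIENTS))
    exempt = ["10.0.2.1/32", "10.0.3.2/32"]  # identity NAT for ASA2 and R2
    print("With identity NAT:", find_conflicts(CLIENTS, exempt))
    for row in aaa_client_entries(CLIENTS, exempt):
        print(row)
```

The check reports every shared source address, because the AAA server cannot tell such clients apart by source IP whatever protocol each one uses.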
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART