topic Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel) in Network Security

Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001 — Fri, 21 Feb 2020 15:33:56 GMT

Hi,

i have a 5506-x at Site B connecting to a 5515 at Site A via a site-to-site VPN tunnel. there is only the one Domain Controller at Site A which i'm trying to setup LDAP authentication from Site B for Anyconnect VPN users.

if i setup authentication via LOCAL accounts the Anyconnect session is established and i can ping/rdp to the LDAP server in Site A.

the Interface of the AAA Server group (LDAP server) is set to EXTERNAL (outside) on Site B - assuming this is the correct interface as the traffic needs to route out across the tunnel (FYI i've tried both inside and outside interfaces and both still fail).

i've run debug 255 and get this result

debug ldap enabled at level 255

[-2147483638] Session Start
[-2147483638] New request Session, context 0x00007fd8ac0ad518, reqType = Other
[-2147483638] Fiber started
[-2147483638] Creating LDAP context with uri=ldap://10.61.39.2:389
[-2147483638] Connect to LDAP server: ldap://10.61.39.2:389, status = Failed
[-2147483638] Unable to read rootDSE. Can't contact LDAP server.
[-2147483638] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483638] Session End

on the LDAP server in Site A, i'm running wireshark to capture traffic but cant see anything in the packet capture. i was filtering by destination port 389 (not sure if the the destination port changes after the tunneling??)

on the firewall log on Site A i can see this entry each time i 'test' the ldap connection from SiteB firewall

(sorry but i've just removed the first octet in the public IP addresses for some privacy)

Mar 27 2018

12:24:39

302303

XX.255.12.230

443

10.61.39.2

49561

Built TCP state-bypass connection 99877113 from EXTERNAL:XX.255.12.230/443 (XX.255.12.230/443) to DMZ-PAC:10.61.39.2/49561 (XXX.148.68.142 /49561)

again, if i connect via Anyconnect VPN via LOCAL authentication, i can connect to the remote LDAP server so would thing routing/natting/ACL is all correct?

any ideas?

thanks

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Mohammed al Baqari — Tue, 27 Mar 2018 03:16:15 GMT

On site A ASA check show route 10.61.39.2 and make sure that same interface
is used as LDAP interface

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001 — Tue, 27 Mar 2018 03:23:13 GMT

Hi Mohammed,

here's a show route of Site A, ASA

the VPN tunnel is built over interface EXTERNAL

Gateway of last resort is XXX.148.68.141 to network 0.0.0.0

C 10.61.62.0 255.255.255.224 is directly connected, TRUSTED
C 10.61.61.0 255.255.255.0 is directly connected, DMZ-3
C 10.61.60.0 255.255.255.0 is directly connected, DMZ-WIFI
C 10.61.39.0 255.255.255.0 is directly connected, DMZ-PAC
S 10.61.32.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.0.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.58.79 255.255.255.255 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.96.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.85.0 255.255.255.0 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.64.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.160.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
C XXX.148.68.140 255.255.255.252 is directly connected, EXTERNAL
S* 0.0.0.0 0.0.0.0 [1/0] via XXX.148.68.141, EXTERNAL

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Mohammed al Baqari — Tue, 27 Mar 2018 03:32:15 GMT

Use DMZ-PAC as you LDAP interface. Then AnyConnect using LDAP should
working assuming everything else is configured correctly.

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001 — Tue, 27 Mar 2018 03:43:41 GMT

so just to clarify

DMZ-PAC is the 'inside' interface of Site A ASA where the LDAP server is hosted

Anyconnect clients connect to Site B ASA, which then attempts to authenticate via the tunnel across to Site A

so i'm a bit lost when you say 'use the DMZ-PAC as LDAP interface'; in reference to what? what do i need to change/configure and on which Site ASA?

thanks

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Dennis Mink — Tue, 27 Mar 2018 04:14:47 GMT

i think what Mo is getting at is that you will have to make sure that traffic from site B to A for LDAP authentication is part of the protected traffic on this s2s VPN.

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Mohammed al Baqari — Tue, 27 Mar 2018 04:38:50 GMT

Thanks for clarifying it Dennis. Sometimes the language doesn't help me 🙂

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001 — Tue, 27 Mar 2018 04:43:45 GMT

Hi Dennis,
can you kindly explain what i need to check for specifically? how can i ensire LDAP authentication is part of protected traffic on teh s2s?

(this part you'll hate)... most of my config ability is done via ASDM, so you can appreciate my lack of knowledge here

from what i can gather, i've allowed all IP traffic between the two sites and at risk of sounding like a broken record, when connected (via LOCAL authentication), i have full access from the PC connected via Anyconnect into Site B, to connect to the LDAp server in Site A. further this LDAP server serves as a DNS server and i can readily lookup hosts within my internal domain via this same server.

it's obviously the issue of authentication before the connection is my problem 😕

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Rahul Govindan — Tue, 27 Mar 2018 20:02:59 GMT

Let's make it simple:

(w.w.w.w)LAN----Site B (x.x.x.x)=====Tunnel==========(y.y.y.y) Site A-----Ldap server (z.z.z.z)

When you set the LDAP server to z.z.z.z on Site B, you need to have the crypto ACL as below:

Site B

ACL from x.x.x.x to z.z.z.z

Site A

ACL from z.z.z.z to x.x.x.x

Why is this important - Usually you only have the crypto ACL between the LAN networks on both sides of the tunnel. In this case, you need to have the WAN ip of the Site B in your crypto ACL.

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001 — Wed, 28 Mar 2018 00:38:46 GMT

Thank you Rahul!!

perfect. i just added the ACL and NAT rules to both sides as you suggested and it works!

i'm so ever grateful! i've been trying to work this out for over a week. i should have just come to the forums earlier! haha thanks again

Re: Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Dennis Mink — Wed, 28 Mar 2018 01:51:10 GMT

points for you then

Re: Anyconnect authentication to LDAP server at remote site (across Si

Jason Lista — Thu, 16 Sep 2021 17:48:57 GMT

Is there any way to force the ASA to make the requests using its LAN IP on the inside interface?