Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1367
Views
0
Helpful
2
Replies

AAA lookup to DC via connected site-to-site VPN

Go to solution
tonymurphy30
Level 1
Level 1

‎10-31-2018 03:15 AM - edited ‎02-21-2020 08:25 AM

We have an ASA 5515 running 9.9(1) providing VPN connectivity only.

 

Remote users are first authenticated via an external RSA service, then a secondary check to our own Microsoft DC's is performed to assign the correct Group-Policy through the use of LDAP mappings.

 

We have two servers listed in the AAA server group for the LDAP mappings check, one is accessed via the ASA on our internal L3 network, however the backup server is located at a site which connects via a site-to-site VPN to the same ASA.

 

Connectivity works fine to the first DC, however the ASA's connectivity to the second DC (via the tunnel) is dropped by the firewall.

 

The protected networks for this S2S VPN does include the network of the inside interface of the ASA, but it seems that the specific interface address is not included in the S2S VPN, if i do a packet trace with an IP address just one number different then the flow is allowed and sent over the vpn, using the ASA's interface address, the flow is immediately denied.

 

Is there any specific settings to allow the physical ASA to utilise the site-to-site VPN?

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
tonymurphy30
Level 1
Level 1
In response to Rahul Govindan

‎11-22-2018 12:48 AM

Resolved the issue, had to set the "management-access inside" command, as soon as this was enabled the ASA could do LDAP queries etc down the site to site VPN.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎10-31-2018 09:28 AM

Source IP address of the LDAP request would be the interface where the route to the LDAP server points to. In your case, this should be the WAN/outside interface of the ASA (where S2S vpn is terminated). Try adding the Outside interface ip address of the ASA to the crypto ACL on both sides. 

0 Helpful

Go to solution
tonymurphy30
Level 1
Level 1
In response to Rahul Govindan

‎11-22-2018 12:48 AM

Resolved the issue, had to set the "management-access inside" command, as soon as this was enabled the ASA could do LDAP queries etc down the site to site VPN.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card