10-31-2018 03:15 AM - edited 02-21-2020 08:25 AM
We have an ASA 5515 running 9.9(1) providing VPN connectivity only.
Remote users are first authenticated via an external RSA service, then a secondary check against our own Microsoft DCs is performed to assign the correct Group-Policy through the use of LDAP mappings.
We have two servers listed in the AAA server group for the LDAP mappings check: one is accessed via the ASA on our internal L3 network; however, the backup server is located at a site which connects via a site-to-site VPN to the same ASA.
Connectivity works fine to the first DC; however, the ASA's connectivity to the second DC (via the tunnel) is dropped by the firewall.
The protected networks for this S2S VPN do include the network of the inside interface of the ASA, but it seems that the specific interface address is not included in the S2S VPN. If I do a packet trace with an IP address just one number different, then the flow is allowed and sent over the VPN; using the ASA's interface address, the flow is immediately denied.
Are there any specific settings to allow the physical ASA to utilise the site-to-site VPN?
11-22-2018 12:48 AM
Resolved the issue: had to set the "management-access inside" command; as soon as this was enabled, the ASA could do LDAP queries etc. down the site-to-site VPN.
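A constructed ASA configuration sketch of the setup described in this thread, ending with the accepted fix; it is an added example, not the poster's configuration, and every address, interface name, server-group name and attribute-map name is an assumption:

```cisco
! Constructed example, not the poster's configuration. Assumed addressing:
!   inside interface      10.1.1.1/24   (the ASA's own source address)
!   primary DC, local     10.1.1.10
!   backup DC, remote     10.2.2.10     (reachable only through the L2L tunnel)
!   remote site LAN       10.2.2.0/24
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! The crypto ACL protects the whole inside subnet, so the ASA's own 10.1.1.1
! falls inside the range; as the thread shows, that alone does not let the
! ASA's self-originated traffic use the tunnel.
access-list L2L_TO_SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! LDAP server group used for the group-policy (LDAP attribute-map) check.
! The remote DC is listed second, so it is only tried when the local one fails.
aaa-server LDAP_DC protocol ldap
aaa-server LDAP_DC (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <REDACTED>
 ldap-naming-attribute sAMAccountName
 ldap-attribute-map AD_GROUP_TO_GP
 server-type microsoft
aaa-server LDAP_DC (inside) host 10.2.2.10
 ldap-base-dn DC=example,DC=com
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <REDACTED>
 ldap-naming-attribute sAMAccountName
 ldap-attribute-map AD_GROUP_TO_GP
 server-type microsoft
!
! The fix from the accepted answer: allow traffic the ASA itself originates
! from the inside interface address (the LDAP queries here) to be carried
! over the site-to-site VPN.
management-access inside
!
! Verification from exec mode (the packet trace the poster used, plus an AAA
! test against the remote DC only, and a check that the tunnel is up):
!   packet-tracer input inside tcp 10.1.1.1 1025 10.2.2.10 389
!   test aaa-server authorization LDAP_DC host 10.2.2.10 username jdoe
!   show vpn-sessiondb l2l
```

The packet-tracer line reproduces the poster's failing case (source = the inside interface address) and should report ALLOW once management-access is set; before the fix it is the flow that was denied.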
10-31-2018 09:28 AM
Source IP address of the LDAP request would be the interface where the route to the LDAP server points to. In your case, this should be the WAN/outside interface of the ASA (where the S2S VPN is terminated). Try adding the outside interface IP address of the ASA to the crypto ACL on both sides.