cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


142
Views
0
Helpful
2
Replies

ASA5506-X auth LDAP via IPSec

Hello everyone!

I have Cisco ASA5506-X (ver. 9.8(2)20, asdm 7.9(1)151) on my remote site. I want to setup VPN access with authentication from Active Directory. I want to use AD passwords for auth in ASDM and SSH (if it fails use LOCAL) also.

I already did it past on Cisco PIX515E and Cisco ASA5505 using this manual:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

But now I have trouble because it is first time when I use radius server (NPS) located on remote site (behind IPSec Site-to-SIte). When I try to execute test I receive Time out.nps_asa5506.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Log:

 

Built outbound UDP connection 2053719 for outside:192.168.111.246/1645 (192.168.111.246/1645) to identity:86.222.222.222/7272 (86.222.222.222/7272)

where 192.168.111.246 is IP of my NPS servers located on remote site behind IPSec.

86.222.222.222 is my public IP of ASA5506. 

I guess I need to make NAT exempt  between inside-bridge and outside interface as I did it for inside1 and inside2 interfaces in order to avoid natting into outside interface.

 nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

But I cannot do it:nat_error.jpg

 

P.S. If I make ping 192.168.111.246 from ASA with source inside-bridge then ping successful, but it fails from inside1 or 2 OR without source interface:ping_asa.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

P.S.S: I understand that I can public my remote NPS server ports 1645-1646 to internet IP address on remote site and specify it address on ASA (with source as outside interface), but I don't want to do it (security considerations).

Everyone's tags (1)
2 REPLIES 2
VIP Advisor

Re: ASA5506-X auth LDAP via IPSec

This syntax is wrong. Make sure that you have the object groups created and using the same names (its case sensitive)

Re: ASA5506-X auth LDAP via IPSec

Are you talking about this?
nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

This syntax is output from ASDM. I didn't write it by hand in CLI.