Hello,
I currently have a working config for VPN users to use my LDAP server for a single group of users. The LDAP server is directly connected to my inside interface.
I recently added another node to my branch offices. The new addition is another company and has its own domain and LDAP server. I have a working VPN connection between the 2 offices and can ping from my headquarters to the new office's LDAP server - no problem. I'd like users to be able to establish connectivity to our headquarters IP address but authenticate to the LDAP server at the remote location.
I have created a 2nd tunnel group and a 2nd LDAP server. When I activate AnyConnect and select the headquarters, the new group is an option in the drop-down box. I select it and enter username/password. I get "Login Error". On the headquarters box I have debug aaa enabled and all I see is:
ciscoasa# Marking server 192.168.1.140 down in servertag <2nd_LDAP_SERVER>
Marking server 192.168.16.140 in server tag <2nd_LDAP_SERVER> Up
AAA_BindServer: No server found
I'm using ASA software 9.1. Any thoughts?
Config below has been scrubbed. If I took out too much let me know.
The VPN tunnel between HQ and PEER4-REMOTE_LAN_WAN is working fine: traffic passes and the tunnel is up. I can ping between the HQ subnet and the REMOTE_LANS subnets.
The AAA server we're trying to authenticate to is AAA_SERVER2. It resides in a subnet in REMOTE_LANS. domain2 is the one I am having difficulty authenticating to.
*************************************************
RUNNING CONFIG BELOW - SCRUBBED
*************************************************
show run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name sub1.domain.com
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
no names
dns-guard
ip local pool Group1_Pool 172.16.1.10-172.16.1.80 mask 255.255.255.0
!
interface Ethernet0/0
description Internet Connection
nameif outside
security-level 0
ip address <OUTSIDE_WAN> 255.255.255.248
!
interface Ethernet0/1
description <INSIDE HEADQUARTERS>
nameif inside
security-level 100
ip address <HQ_LAN>.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup MPLS_DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server <HQ_LAN>.52
domain-name sub1.domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network HQ
subnet <HQ_LAN>.0 255.255.255.0
description **HQ LAN**
object network HQ-VPN
subnet 172.16.1.0 255.255.255.0
description **HQ VPN CLIENTS**
object network obj_any-MPLS_DMZ
subnet 0.0.0.0 0.0.0.0
object network obj_any-MPLS_DMZ_TWTelcom
subnet 0.0.0.0 0.0.0.0
object network obj_any-HQ
subnet 0.0.0.0 0.0.0.0
object network obj_any-HQ_TWTelcom
subnet 0.0.0.0 0.0.0.0
object network HQ-VOICE
subnet 10.81.106.0 255.255.255.0
description **HQ VOICE**
object network remote_lan_1
subnet 192.168.16.0 255.255.255.0
description **REMOTE LAN 1**
object network remote_lan_2
subnet 192.168.17.0 255.255.255.0
description **REMOTE LAN 2**
object network remote_lan_3
subnet 192.168.32.0 255.255.255.0
description **REMOTE LAN 3**
object-group network HQ_LAN
network-object <HQ_LAN>.0 255.255.255.0
object-group network MPLS_SITES
group-object SITE1_LAN
group-object SITE2_LAN
group-object SITE3_LAN
object-group network REMOTE_LAN1n2
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
object-group network REMOTE_LAN3
network-object 192.168.32.0 255.255.255.0
object-group network REMOTE_LANS
group-object REMOTE_LAN1n2
group-object REMOTE_LAN3
access-list acl_outside remark **DENY BOGON**
access-list acl_outside extended deny ip host 255.255.255.255 any4
access-list acl_outside extended deny ip 0.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 10.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 127.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 169.254.0.0 255.255.0.0 any4
access-list acl_outside extended deny ip 172.16.0.0 255.240.0.0 any4
access-list acl_outside extended deny ip 192.0.2.0 255.255.255.0 any4
access-list acl_outside extended deny ip 192.168.0.0 255.255.0.0 any4 inactive
access-list acl_outside extended deny ip 198.18.0.0 255.255.255.0 any4
access-list acl_outside extended deny ip 223.0.0.0 255.0.0.0 any4
access-list acl_outside extended deny ip 224.0.0.0 224.0.0.0 any4
access-list LDAP_SplitTunnel_1_Working extended permit ip object-group MPLS_SITES object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object HQ object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object HQ-VOICE object HQ-VPN
access-list LDAP_SplitTunnel_1_Working extended permit ip object-group REMOTE_LANS object HQ-VPN
access-list MPLS_ACL extended permit ip any4 any4
access-list MPLS_ACL extended permit icmp any4 any4
access-list REMOTE_LANS_VPN extended permit ip object HQ-VPN object-group REMOTE_LANS
access-list REMOTE_LANS_VPN extended permit ip object HQ object-group REMOTE_LANS
access-list LDAP_SplitTunnel_2 extended permit ip object HQ object HQ-VPN
access-list LDAP_SplitTunnel_2 extended permit ip object-group REMOTE_LANS object HQ-VPN
pager lines 24
logging enable
logging timestamp
logging list VPN level debugging class vpn
logging buffer-size 100000
logging buffered critical
logging asdm emergencies
logging facility 16
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu MPLS_DMZ 1500
mtu Ethernet0/3 1500
mtu management 1500
mtu vv_voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MPLS_DMZ
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static HQ HQ destination static HQ-VPN HQ-VPN
nat (outside,inside) source static HQ-VPN HQ-VPN destination static HQ HQ
nat (outside,MPLS_DMZ) source static HQ-VPN HQ-VPN destination static MPLS_SITES MPLS_SITES
nat (outside,inside) source static REMOTE_LANS REMOTE_LANS destination static HQ HQ
nat (inside,outside) source static HQ HQ destination static REMOTE_LANS REMOTE_LANS
nat (outside,outside) source static HQ-VPN HQ-VPN destination static REMOTE_LANS REMOTE_LANS
nat (outside,outside) source static REMOTE_LANS REMOTE_LANS destination static HQ-VPN HQ-VPN
!
object network obj_any-HQ
nat (inside,outside) dynamic interface
object network obj_any-HQ_TWTelcom
nat (inside,Ethernet0/3) dynamic interface
access-group acl_outside in interface outside
access-group MPLS_ACL in interface MPLS_DMZ
access-group acl_outside in interface Ethernet0/3
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
route MPLS_DMZ 10.30.99.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.44.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.47.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.48.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.81.51.0 255.255.255.0 192.168.2.2 1
route MPLS_DMZ 10.85.163.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
ldap attribute-map CISCOMAP_REMOTE_LANS
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS_REMOTE_LANS
dynamic-access-policy-record DfltAccessPolicy
sub1.domain.com
aaa-server AAA_SERVER1 protocol ldap
aaa-server AAA_SERVER1 (inside) host <HQ_LAN>.52
ldap-base-dn DC=sub1,DC=domain,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,CN=Users,DC=sub1,DC=domain,DC=com
server-type auto-detect
ldap-attribute-map CISCOMAP
aaa-server AAA_SERVER2 protocol ldap
aaa-server AAA_SERVER2 (inside) host 192.168.16.140
ldap-base-dn DC=domain2,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=asa,CN=users,DC=domain2,DC=com
server-type auto-detect
ldap-attribute-map CISCOMAP_REMOTE_LANS
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address VPN1
crypto map outside_map 1 set peer PEER1-WAN
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address VPN2
crypto map outside_map 2 set peer PEER2-WAN
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address VPN3
crypto map outside_map 3 set peer PEER3-WAN
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address REMOTE_LAN_VPN
crypto map outside_map 4 set peer PEER4-REMOTE_LAN_WAN
crypto map outside_map 4 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint
enrollment terminal
fqdn VPN.FQDN.HERE
subject-name MORE.INFO.HERE
keypair PAIR.GOES.HERE
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint
certificate
<CERTIFICATE INFO HERE>
quit
crypto isakmp identity hostname
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet <HQ_LAN>.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 60
console timeout 0
management-access inside
l2tp tunnel hello 300
dhcpd address ADDRESS POOL management
dhcpd enable management
!
priority-queue outside
priority-queue MPLS_DMZ
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server NTP_ADDRESS source inside prefer
ssl trust-point ASDM_TrustPoint outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 4 regex "Linux"
anyconnect profiles default disk0:/default.xml
anyconnect enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
default-domain value sub1.domain.com
webvpn
anyconnect profiles value default type user
group-policy ALLOWACCESS_REMOTE_LANS internal
group-policy ALLOWACCESS_REMOTE_LANS attributes
dns-server value 192.168.16.140
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 120
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ssl-client
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LDAP_SplitTunnel_2
default-domain value domain2.com
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
dns-server value <HQ_LAN>.52
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 120
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ssl-client
password-storage disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LDAP_SplitTunnel_1_Working
default-domain value sub1.domain.com
tunnel-group Group1 type remote-access
tunnel-group Group1 general-attributes
address-pool Group1_Pool
authentication-server-group AAA_SERVER1
tunnel-group Group1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN1 type ipsec-l2l
tunnel-group VPN1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool Group1_Pool
authentication-server-group AAA_SERVER1
tunnel-group SSLVPN webvpn-attributes
group-alias GROUP_THAT_WORKS enable
tunnel-group VPN2 type ipsec-l2l
tunnel-group VPN2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN3 type ipsec-l2l
tunnel-group VPN3 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group PEER4-REMOTE_LAN_WAN type ipsec-l2l
tunnel-group PEER4-REMOTE_LAN_WAN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLVPN_Domain2_notworking type remote-access
tunnel-group SSLVPN_Domain2_notworking general-attributes
address-pool Group1_Pool
authentication-server-group AAA_SERVER2
tunnel-group SSLVPN_Domain2_notworking webvpn-attributes
group-alias GROUP_THAT_DOESNT_WORK enable
!
class-map VOICE
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map MPLS
class VOICE
priority
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect ip-options
policy-map OUTSIDE
class VOICE
priority
!
service-policy global_policy global
service-policy OUTSIDE interface outside
service-policy MPLS interface MPLS_DMZ
smtp-server <HQ_LAN>.56
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ece33f3215344dfccfae4501e4e483c5
: end
ciscoasa#
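The debug lines in the post ("Marking server ... down", then "AAA_BindServer: No server found") mean the ASA gave up on every server in the AAA group before it ever attempted an LDAP bind, so the first thing to verify is plain reachability from the ASA itself rather than credentials or the attribute map. A common cause on an ASA is that the interface named in `aaa-server TAG (iface) host IP` is not the interface the ASA actually routes that host through: the ASA sources AAA traffic from the named interface's address, so a server that sits behind a site-to-site tunnel on the outside interface but is declared on `(inside)` is unreachable unless `management-access inside` is set and the L2L crypto ACL covers the inside interface's own IP. The script below is an added diagnostic, not code from the original post or from Cisco; it parses an ASA running config, computes the egress interface for each AAA host by longest-prefix match over connected subnets and static routes, and flags entries where the configured interface disagrees. The embedded config is constructed with documentation addresses and does not reproduce the poster's scrubbed values; `parse_asa_config`, `egress_interface` and `check_aaa_servers` are the example's own names.

```python
"""Check that each ASA aaa-server entry names the interface through which
the server is actually reachable (added diagnostic, not from the original post)."""
import ipaddress
import re

# Constructed sample config, shaped like the post's scrubbed "show run" but with
# documentation addresses; none of these values come from the original post.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
aaa-server AAA_SERVER1 protocol ldap
aaa-server AAA_SERVER1 (inside) host 10.10.10.52
 ldap-base-dn DC=example,DC=com
aaa-server AAA_SERVER2 protocol ldap
aaa-server AAA_SERVER2 (inside) host 192.168.16.140
 ldap-base-dn DC=example2,DC=com
management-access inside
"""

AAA_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_asa_config(text):
    """Pull interfaces, static routes, aaa-server hosts and management-access
    out of an ASA running config (sub-command indentation is not required)."""
    ifaces = {}        # nameif -> IPv4Interface of that interface
    routes = []        # (IPv4Network, nameif) from 'route' lines
    servers = []       # (server tag, configured nameif, host IP)
    mgmt_access = None
    nameif = None      # nameif of the interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        try:
            if line.startswith("interface "):
                nameif = None           # new block: forget the previous nameif
            elif line.startswith("nameif "):
                nameif = line.split()[1]
            elif line.startswith("ip address ") and nameif:
                _, _, addr, mask = line.split()[:4]   # ignores a trailing 'standby'
                ifaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            elif m := ROUTE_RE.match(line):
                out_if, net, mask, _gw = m.groups()
                routes.append((ipaddress.IPv4Network(f"{net}/{mask}", strict=False), out_if))
            elif m := AAA_HOST_RE.match(line):
                tag, conf_if, host = m.groups()
                servers.append((tag, conf_if, ipaddress.IPv4Address(host)))
            elif line.startswith("management-access "):
                mgmt_access = line.split()[1]
        except ValueError:
            continue                    # scrubbed placeholders such as <HQ_LAN>.1
    return {"ifaces": ifaces, "routes": routes, "servers": servers,
            "management_access": mgmt_access}


def egress_interface(host, ifaces, routes):
    """Longest-prefix match over connected subnets and static routes: the
    interface the ASA would send (and source) packets to 'host' from."""
    candidates = [(i.network, name) for name, i in ifaces.items()] + list(routes)
    matches = [(net.prefixlen, name) for net, name in candidates if host in net]
    return max(matches)[1] if matches else None


def check_aaa_servers(text):
    """One finding per aaa-server host: configured interface vs. routed one."""
    cfg = parse_asa_config(text)
    findings = []
    for tag, conf_if, host in cfg["servers"]:
        via = egress_interface(host, cfg["ifaces"], cfg["routes"])
        ok = via == conf_if
        src = cfg["ifaces"].get(conf_if)
        if ok:
            note = "reachable on the configured interface"
        elif via is None:
            note = "no connected subnet or static route covers this host"
        elif cfg["management_access"] == conf_if:
            note = (f"routed via '{via}'; sourcing from '{conf_if}' over a tunnel works "
                    f"only if the L2L crypto ACL includes {src.ip if src else conf_if}")
        else:
            note = f"routed via '{via}', but the aaa-server entry names '{conf_if}'"
        findings.append({"server": tag, "host": str(host), "configured": conf_if,
                         "routed_via": via, "ok": ok, "note": note})
    return findings


if __name__ == "__main__":
    for f in check_aaa_servers(SAMPLE_CONFIG):
        print(f"{f['server']:12} {f['host']:16} {'OK ' if f['ok'] else 'BAD'} {f['note']}")
```

Run it against a saved `show run` (with the same parser; scrubbed placeholder lines are skipped) and the report shows, for each AAA host, whether the `(iface)` in the `aaa-server` line matches the interface the routing table would use. A mismatch does not prove that is the fault, but it is the check to clear before looking at bind credentials, `ldap-base-dn`, or the attribute map, because none of those are consulted while the server is marked down.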