cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3429
Views
5
Helpful
11
Replies

Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

bquach001
Level 1
Level 1

Hi,

 

i have a 5506-x at Site B connecting to a 5515 at Site A via a site-to-site VPN tunnel.  there is only the one Domain Controller at Site A which i'm trying to setup LDAP authentication from Site B for Anyconnect VPN users.

 

if i setup authentication via LOCAL accounts the Anyconnect session is established and i can ping/rdp to the LDAP server in Site A.

 

the Interface of the AAA Server group (LDAP server) is set to EXTERNAL (outside) on Site B - assuming this is the correct interface as the traffic needs to route out across the tunnel (FYI i've tried both inside and outside interfaces and both still fail).

 

i've run debug 255 and get this result

 

debug ldap enabled at level 255

[-2147483638] Session Start
[-2147483638] New request Session, context 0x00007fd8ac0ad518, reqType = Other
[-2147483638] Fiber started
[-2147483638] Creating LDAP context with uri=ldap://10.61.39.2:389
[-2147483638] Connect to LDAP server: ldap://10.61.39.2:389, status = Failed
[-2147483638] Unable to read rootDSE. Can't contact LDAP server.
[-2147483638] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483638] Session End

 

on the LDAP server in Site A, i'm running wireshark to capture traffic but cant see anything in the packet capture.  i was filtering by destination port 389 (not sure if the the destination port changes after the tunneling??)

 

on the firewall log on Site A i can see this entry each time i 'test' the ldap connection from SiteB firewall

(sorry but i've just removed the first octet in the public IP addresses for some privacy)

6 Mar 27 2018 12:24:39 302303 XX.255.12.230 443 10.61.39.2 49561 Built TCP state-bypass connection 99877113 from EXTERNAL:XX.255.12.230/443 (XX.255.12.230/443) to DMZ-PAC:10.61.39.2/49561 (XXX.148.68.142 /49561)

 

again, if i connect via Anyconnect VPN via LOCAL authentication, i can connect to the remote LDAP server so would thing routing/natting/ACL is all correct?

 

 

any ideas?

 

thanks

1 Accepted Solution

Accepted Solutions

Let's make it simple:

 

(w.w.w.w)LAN----Site B (x.x.x.x)=====Tunnel==========(y.y.y.y) Site A-----Ldap server (z.z.z.z)

 

When you set the LDAP server to z.z.z.z on Site B, you need to have the crypto ACL as below:

 

Site B

 

ACL from x.x.x.x to z.z.z.z

 

Site A

 

ACL from z.z.z.z to x.x.x.x

 

Why is this important - Usually you only have the crypto ACL between the LAN networks on both sides of the tunnel. In this case, you need to have the WAN ip of the Site B in your crypto ACL. 

View solution in original post

11 Replies 11

On site A ASA check show route 10.61.39.2 and make sure that same interface
is used as LDAP interface

Hi Mohammed,

 

here's a show route of Site A, ASA

the VPN tunnel is built over interface EXTERNAL

 

Gateway of last resort is XXX.148.68.141 to network 0.0.0.0

C 10.61.62.0 255.255.255.224 is directly connected, TRUSTED
C 10.61.61.0 255.255.255.0 is directly connected, DMZ-3
C 10.61.60.0 255.255.255.0 is directly connected, DMZ-WIFI
C 10.61.39.0 255.255.255.0 is directly connected, DMZ-PAC
S 10.61.32.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.0.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.58.79 255.255.255.255 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.96.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.85.0 255.255.255.0 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.64.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.160.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
C XXX.148.68.140 255.255.255.252 is directly connected, EXTERNAL
S* 0.0.0.0 0.0.0.0 [1/0] via XXX.148.68.141, EXTERNAL

Use DMZ-PAC as you LDAP interface. Then AnyConnect using LDAP should
working assuming everything else is configured correctly.

so just to clarify

 

DMZ-PAC is the 'inside' interface of Site A ASA where the LDAP server is hosted

 

Anyconnect clients connect to Site B ASA, which then attempts to authenticate via the tunnel across to Site A

 

so i'm a bit lost when you say 'use the DMZ-PAC as LDAP interface'; in reference to what? what do i need to change/configure and on which Site ASA?

 

thanks

i think what Mo is getting at is that you will have to make sure that traffic from site B to A for LDAP authentication is part of the protected traffic on this s2s VPN. 

Please remember to rate useful posts, by clicking on the stars below.

Thanks for clarifying it Dennis. Sometimes the language doesn't help me :)

Hi Dennis,
can you kindly explain what i need to check for specifically? how can i ensire LDAP authentication is part of protected traffic on teh s2s?

(this part you'll hate)... most of my config ability is done via ASDM, so you can appreciate my lack of knowledge here

from what i can gather, i've allowed all IP traffic between the two sites and at risk of sounding like a broken record, when connected (via LOCAL authentication), i have full access from the PC connected via Anyconnect into Site B, to connect to the LDAp server in Site A. further this LDAP server serves as a DNS server and i can readily lookup hosts within my internal domain via this same server.

it's obviously the issue of authentication before the connection is my problem :/

Let's make it simple:

 

(w.w.w.w)LAN----Site B (x.x.x.x)=====Tunnel==========(y.y.y.y) Site A-----Ldap server (z.z.z.z)

 

When you set the LDAP server to z.z.z.z on Site B, you need to have the crypto ACL as below:

 

Site B

 

ACL from x.x.x.x to z.z.z.z

 

Site A

 

ACL from z.z.z.z to x.x.x.x

 

Why is this important - Usually you only have the crypto ACL between the LAN networks on both sides of the tunnel. In this case, you need to have the WAN ip of the Site B in your crypto ACL. 

Thank you Rahul!!

 

perfect.  i just added the ACL and NAT rules to both sides as you suggested and it works!

 

i'm so ever grateful! i've been trying to work this out for over a week.  i should have just come to the forums earlier! haha thanks again

points for you then

Please remember to rate useful posts, by clicking on the stars below.

Is there any way to force the ASA to make the requests using its LAN IP on the inside interface?

Review Cisco Networking for a $25 gift card