Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2923
Views
5
Helpful
11
Replies

Anyconnect authentication to LDAP server at remote site (across Site-to-Site tunnel)

Go to solution
bquach001
Level 1
Level 1

‎03-26-2018 07:59 PM - edited ‎02-21-2020 07:33 AM

Hi,

 

i have a 5506-x at Site B connecting to a 5515 at Site A via a site-to-site VPN tunnel.  there is only the one Domain Controller at Site A which i'm trying to setup LDAP authentication from Site B for Anyconnect VPN users.

 

if i setup authentication via LOCAL accounts the Anyconnect session is established and i can ping/rdp to the LDAP server in Site A.

 

the Interface of the AAA Server group (LDAP server) is set to EXTERNAL (outside) on Site B - assuming this is the correct interface as the traffic needs to route out across the tunnel (FYI i've tried both inside and outside interfaces and both still fail).

 

i've run debug 255 and get this result

 

debug ldap enabled at level 255

[-2147483638] Session Start
[-2147483638] New request Session, context 0x00007fd8ac0ad518, reqType = Other
[-2147483638] Fiber started
[-2147483638] Creating LDAP context with uri=ldap://10.61.39.2:389
[-2147483638] Connect to LDAP server: ldap://10.61.39.2:389, status = Failed
[-2147483638] Unable to read rootDSE. Can't contact LDAP server.
[-2147483638] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483638] Session End

 

on the LDAP server in Site A, i'm running wireshark to capture traffic but cant see anything in the packet capture.  i was filtering by destination port 389 (not sure if the the destination port changes after the tunneling??)

 

on the firewall log on Site A i can see this entry each time i 'test' the ldap connection from SiteB firewall

(sorry but i've just removed the first octet in the public IP addresses for some privacy)

6 Mar 27 2018 12:24:39 302303 XX.255.12.230 443 10.61.39.2 49561 Built TCP state-bypass connection 99877113 from EXTERNAL:XX.255.12.230/443 (XX.255.12.230/443) to DMZ-PAC:10.61.39.2/49561 (XXX.148.68.142 /49561)

 

again, if i connect via Anyconnect VPN via LOCAL authentication, i can connect to the remote LDAP server so would thing routing/natting/ACL is all correct?

 

 

any ideas?

 

thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to bquach001

‎03-27-2018 01:02 PM

Let's make it simple:

 

(w.w.w.w)LAN----Site B (x.x.x.x)=====Tunnel==========(y.y.y.y) Site A-----Ldap server (z.z.z.z)

 

When you set the LDAP server to z.z.z.z on Site B, you need to have the crypto ACL as below:

 

Site B

 

ACL from x.x.x.x to z.z.z.z

 

Site A

 

ACL from z.z.z.z to x.x.x.x

 

Why is this important - Usually you only have the crypto ACL between the LAN networks on both sides of the tunnel. In this case, you need to have the WAN ip of the Site B in your crypto ACL. 

View solution in original post

11 Replies 11

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎03-26-2018 08:16 PM

On site A ASA check show route 10.61.39.2 and make sure that same interface
is used as LDAP interface
0 Helpful

Go to solution
bquach001
Level 1
Level 1
In response to Mohammed al Baqari

‎03-26-2018 08:19 PM - edited ‎03-26-2018 08:23 PM

Hi Mohammed,

 

here's a show route of Site A, ASA

the VPN tunnel is built over interface EXTERNAL

 

Gateway of last resort is XXX.148.68.141 to network 0.0.0.0

C 10.61.62.0 255.255.255.224 is directly connected, TRUSTED
C 10.61.61.0 255.255.255.0 is directly connected, DMZ-3
C 10.61.60.0 255.255.255.0 is directly connected, DMZ-WIFI
C 10.61.39.0 255.255.255.0 is directly connected, DMZ-PAC
S 10.61.32.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.0.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.58.79 255.255.255.255 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.96.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.85.0 255.255.255.0 [1/0] via XXX.148.68.141, EXTERNAL
S 10.61.64.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
S 10.61.160.0 255.255.224.0 [1/0] via 10.61.62.1, TRUSTED
C XXX.148.68.140 255.255.255.252 is directly connected, EXTERNAL
S* 0.0.0.0 0.0.0.0 [1/0] via XXX.148.68.141, EXTERNAL

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to bquach001

‎03-26-2018 08:32 PM

Use DMZ-PAC as you LDAP interface. Then AnyConnect using LDAP should
working assuming everything else is configured correctly.
0 Helpful

Go to solution
bquach001
Level 1
Level 1
In response to Mohammed al Baqari

‎03-26-2018 08:43 PM

so just to clarify

 

DMZ-PAC is the 'inside' interface of Site A ASA where the LDAP server is hosted

 

Anyconnect clients connect to Site B ASA, which then attempts to authenticate via the tunnel across to Site A

 

so i'm a bit lost when you say 'use the DMZ-PAC as LDAP interface'; in reference to what? what do i need to change/configure and on which Site ASA?

 

thanks

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni
In response to bquach001

‎03-26-2018 09:14 PM

i think what Mo is getting at is that you will have to make sure that traffic from site B to A for LDAP authentication is part of the protected traffic on this s2s VPN. 

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Dennis Mink

‎03-26-2018 09:38 PM

Thanks for clarifying it Dennis. Sometimes the language doesn't help me :)
0 Helpful

Go to solution
bquach001
Level 1
Level 1
In response to Dennis Mink

‎03-26-2018 09:43 PM

Hi Dennis,
can you kindly explain what i need to check for specifically? how can i ensire LDAP authentication is part of protected traffic on teh s2s?

(this part you'll hate)... most of my config ability is done via ASDM, so you can appreciate my lack of knowledge here

from what i can gather, i've allowed all IP traffic between the two sites and at risk of sounding like a broken record, when connected (via LOCAL authentication), i have full access from the PC connected via Anyconnect into Site B, to connect to the LDAp server in Site A. further this LDAP server serves as a DNS server and i can readily lookup hosts within my internal domain via this same server.

it's obviously the issue of authentication before the connection is my problem :/
0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to bquach001

‎03-27-2018 01:02 PM

Let's make it simple:

 

(w.w.w.w)LAN----Site B (x.x.x.x)=====Tunnel==========(y.y.y.y) Site A-----Ldap server (z.z.z.z)

 

When you set the LDAP server to z.z.z.z on Site B, you need to have the crypto ACL as below:

 

Site B

 

ACL from x.x.x.x to z.z.z.z

 

Site A

 

ACL from z.z.z.z to x.x.x.x

 

Why is this important - Usually you only have the crypto ACL between the LAN networks on both sides of the tunnel. In this case, you need to have the WAN ip of the Site B in your crypto ACL. 

Go to solution
bquach001
Level 1
Level 1
In response to Rahul Govindan

‎03-27-2018 05:38 PM

Thank you Rahul!!

 

perfect.  i just added the ACL and NAT rules to both sides as you suggested and it works!

 

i'm so ever grateful! i've been trying to work this out for over a week.  i should have just come to the forums earlier! haha thanks again

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni
In response to Rahul Govindan

‎03-27-2018 06:51 PM

points for you then

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
Jason Lista
Level 1
Level 1
In response to Rahul Govindan

‎09-16-2021 08:34 AM - edited ‎09-16-2021 10:48 AM

Is there any way to force the ASA to make the requests using its LAN IP on the inside interface?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card