I need to be access network resources on the outside from the Inside interface IP address. I have been unable to pass any traffic originating from the INSIDE interface adress to anywehere on the outside of the network. Other INSIDE traffic is working fine, just the actual INSIDE interface IP. Specifically, I'm trying to setup LDAP for VPN logins and the INSIDE interface needs to contact the LDAP server which is on the OUTSIDE of the network. I am not using NAT.
The packet tracker says a "config implicit rule" is dropping the traffic but I can't find the affending rule....
Are you trying to get the asa to talk directly to the ldap server or is it a computer behind the asa connected to the inside interface of the asa?
Are you using the asa as the vpn connection point with vpn client software (Like anyconnect or ipsec client)?
Yes, trying to get ASA to talk directly to LDAP server Yes, ASA is VPN connection point and I'm using Cisco VPN client. VPN is working fine now but I have to utilize LDAP for user accounts instead of the local ASA database.
Gotcha. I'm guessing you have an authentication (aaa-server) setup in the asa pointing to the ip address of the ldap server and specifying the outside interface?
aaa-server SERVERNAME protocol ldap
aaa-server SERVERNAME (Outside) host x.x.x.x
Then specifying the authentication-server-group in the vpn tunnel-group general attributes? (Based on asa ver. 8.2)
I have: aaa-server SERVERNAME (INSIDE) host x.x.x.x host x.x.x.x is unfortunately on the outside of my network.
The traffic to the LDAP server( which I have no control over) is required to be from the INSIDE address range. The OUTSIDE address range is blocked by numerous firewalls.
I see (Kinda.) Just to understand, the traffic is blocked at some point going to the ldap server from your outside IP range? I'm not sure it will work like that without something to allow that traffic from you?
If the ldap server is on the outside, the aaa-server command would need to have (Outside) instead of (Inside) for it to connect. Otherwise, it will try to connect behind the inside interface for the ldap server.
Exactly! I was hoping the ASA could do this but it's not looking good. Although I don't understand why the INSIDE interface can't connect to outside resources when everything else on inside of the inside interface can.
Yeah, I think with this it's not so much the inside not connecting to outside resources, just those commands being interface centric so whatever interface is specified, is where the asa tries to connect via. Best of luck! Cheers.