ASA - configure AAA server behind L2L VPN

pawel.kisiel (Level 1)

Hi,

I need to configure an ASA with a RADIUS server which is behind a VPN established between this ASA and a remote firewall. Is it possible?

I've tried so far:

1) add outside IP into cryptomaps each end

2) NAT outside IP to internal lan range (one defined in cryptomap) when connecting to Radius server and send it across VPN.

I'd prefer to do it via option 2) as I don't need to change routing on the RADIUS server's far end.

In both cases I'm getting the following message when trying to use packet tracer:

packet-tracer input outside udp x.x.x.x 1024 192.168.1.10 5500 xml

--

Severity 2 | Dec 04 2012 17:54:06 | Syslog ID 106016 | Deny IP spoof from (x.x.x.x) to 192.168.1.10 on interface outside

--

Kind Regards,

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

Trying to test traffic that is supposed to enter the ASA from "outside" encrypted with packet-tracer doesn't work. It should give the mentioned "spoof" message to my understanding.

I haven't tested this setup myself but could perhaps lab this at some point.

I have configured an ASA to send logs through L2L VPN and done SNMP over L2L VPN. I would imagine there is some setup to get this working too.

Are you saying that you have added the ASA's outside interface (trying the AAA server connection) and the destination AAA server IP address to the L2L VPN and configured the AAA servers with the "(outside)" configuration? If you have, have you tried to activate using the AAA server for authentication after that?

Have you tried using your inside interface as the interface behind which the AAA server is located and seen what would happen?

- Jouni


3 Replies

pawel.kisiel (Level 1)

I'm aware of the ASA's issue with packet tracer when you test incoming traffic to Outside, but this time round I'm trying to test outgoing traffic leaving the ASA to the VPN and to the remote AAA server.

I have my outside interface (public IP) and remote AAA server (private IP) added to cryptomaps on each end, but it doesn't seem to work and I'm not sure how to troubleshoot it if packet tracer is not able to produce any useful output. I'm putting Outside interface as ingress interface in packet tracer, but in reality it's not Outside, but ASA's "loopback" as ASA makes connections to remote server herself. Obviously there is no option to specify that connection is actually originated from ASA.

I've tried to run a traffic capture, but I'm getting a similar problem, as I'm not sure which interface to specify as ingress. It's not Outside, that's for sure; Outside is the egress interface in this case. ASDM logs do not show any activity when I'm testing the AAA server from ASDM.

As I mentioned in my first post, I'd like to NAT my outside interface to a private IP and then route it to the VPN to the other side, as I don't need to make any special changes on the other side's network (static routes to route my public IP to the L2L VPN between sites).

My management interface configured in the ASA is Inside. I haven't tried configuring AAA as "seen" on the Inside interface, but it could actually work like that. It works in a similar way when I set up ssh/asdm access to branch office ASAs, so I can use the VPN to get to the ASAs instead of connecting via public IPs. I'll try to configure that tomorrow and will see if it makes any difference or not. Thanks for the hint!

pawel.kisiel (Level 1)

"Have you tried using your inside interface as the interface behind which the AAA server is located and seen what would happen?"

I've managed to configure the ASA the way I wanted. It was down to setting up the AAA server to be "seen" coming from the same interface which I had configured in the management-access statement. If you don't have management-access set, this configuration won't work at all. In the ASA logs you see that the connection is being built from the IP of the Inside interface and sent to your AAA server.

Obviously packet tracer isn't helpful in this case as it thinks that this connection is denied by firewall.

So in a nutshell:

----

management-access inside

aaa-server radius_server protocol radius

aaa-server radius_server (inside) host 192.168.1.10

------

This configuration will work not only for AAA but also:

-snmp

-syslog

-netflow

and potentially any service which allows you to specify the interface on which this remote server will be "seen".
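As an added example that is not from the thread itself, here is the complete configuration this approach needs: the inside subnet must be part of the crypto ACL so the ASA's own inside-sourced RADIUS packets count as interesting traffic, identity NAT keeps them out of any outbound PAT, and the server is verified with `test aaa-server` because packet-tracer cannot model self-originated traffic. The addressing (inside 10.1.1.0/24, remote AAA LAN 192.168.1.0/24, peer 203.0.113.2), the object names, the RADIUS ports and the shared-secret placeholder are all assumptions.

```text
! Added example, not from the original post. Assumed addressing:
! inside 10.1.1.1/24, remote AAA LAN 192.168.1.0/24, RADIUS host 192.168.1.10,
! VPN peer 203.0.113.2 (documentation range).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Interesting traffic for the L2L tunnel must cover the inside subnet to the
! remote AAA subnet; the ASA's RADIUS requests will be sourced from 10.1.1.1.
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-AAA-LAN
 subnet 192.168.1.0 255.255.255.0
access-list VPN-L2L extended permit ip object LOCAL-LAN object REMOTE-AAA-LAN
!
! Identity NAT so VPN-bound traffic is not translated by any outbound PAT rule.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-AAA-LAN REMOTE-AAA-LAN no-proxy-arp route-lookup
!
! Required: without management-access the ASA will not source AAA traffic
! from the inside interface and the aaa-server (inside) binding does nothing.
management-access inside
!
aaa-server radius_server protocol radius
aaa-server radius_server (inside) host 192.168.1.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Verification from the CLI. The first command exercises the real AAA path;
! the second confirms the tunnel is actually carrying the packets.
test aaa-server authentication radius_server host 192.168.1.10 username testuser password <placeholder>
show crypto ipsec sa peer 203.0.113.2 | include encaps|decaps
```

A successful test shows the authentication result and the encaps/decaps counters for the peer increase, while a `106016` spoof message in the logs indicates the traffic is still being sourced or tested from the outside interface.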
