522 Views, 0 Helpful, 2 Replies

ASA5506-X auth LDAP via IPSec

Yura Kazakevich
Beginner

Hello everyone!

I have a Cisco ASA5506-X (ver. 9.8(2)20, ASDM 7.9(1)151) at my remote site. I want to set up VPN access with authentication against Active Directory. I also want to use AD passwords for authentication in ASDM and SSH (falling back to LOCAL if it fails).

I have already done this in the past on a Cisco PIX515E and a Cisco ASA5505 using this manual:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

But now I have trouble, because this is the first time I am using a RADIUS server (NPS) located at a remote site (behind an IPsec site-to-site tunnel). When I try to run the test, I receive a timeout.

[image: nps_asa5506.jpg]

Log:

 

Built outbound UDP connection 2053719 for outside:192.168.111.246/1645 (192.168.111.246/1645) to identity:86.222.222.222/7272 (86.222.222.222/7272)

where 192.168.111.246 is the IP of my NPS server located at the remote site behind the IPsec tunnel.

86.222.222.222 is the public IP of my ASA5506.

I guess I need to make a NAT exemption between the inside-bridge and outside interfaces, as I did for the inside1 and inside2 interfaces, in order to avoid NATting into the outside interface:

nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

But I cannot do it:

[image: nat_error.jpg]

 

P.S. If I ping 192.168.111.246 from the ASA with source inside-bridge, the ping is successful, but it fails from inside1 or inside2, or without a source interface:

[image: ping_asa.jpg]


P.P.S.: I understand that I could publish my remote NPS server's ports 1645-1646 on an Internet IP address at the remote site and specify that address on the ASA (with the outside interface as source), but I don't want to do that (security considerations).
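As an added example (not part of the thread and not Cisco's reference configuration), the ASA configuration fragment below shows the object definitions that the NAT-exempt line from the post references, the line itself, and a RADIUS server group whose packets are sourced from the inside-bridge interface (the interface from which the post's ping succeeds) with LOCAL as fallback. The object names, the local subnet, the remote subnet mask and the shared secret are assumptions or placeholders; the server address, ports and interface names come from the post.

```cisco
! Added example, not from the thread. ASA 9.8 fragment.
! Assumed values: the 192.168.50.0/24 local subnet, the /24 mask on the
! remote office network, and the <...> placeholders.

! 1. Objects used by the twice-NAT statement must exist first, with the
!    exact same (case-sensitive) names that the nat line references.
object network inside-bridge-network
 subnet 192.168.50.0 255.255.255.0

object-group network bs-office-networks
 network-object 192.168.111.0 255.255.255.0

! 2. Identity twice NAT: traffic from inside-bridge towards the remote office
!    keeps its real source address instead of being translated to the
!    outside interface. This is the line quoted in the post.
nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

! 3. RADIUS server group. The interface in parentheses is the one the ASA
!    sources its own RADIUS requests from; here inside-bridge is chosen so the
!    request does not leave from the outside interface as the log line shows.
aaa-server NPS protocol radius
aaa-server NPS (inside-bridge) host 192.168.111.246
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1645
 accounting-port 1646

! 4. Use the group for SSH and ASDM logins, falling back to LOCAL if the
!    server group is unreachable.
aaa authentication ssh console NPS LOCAL
aaa authentication http console NPS LOCAL

! 5. Check reachability of the server through the group (placeholder credentials).
test aaa-server authentication NPS host 192.168.111.246 username <user> password <pass>
```

If the `test aaa-server` command still times out after this, `show nat` and `show crypto ipsec sa` are the first places to confirm that the RADIUS flow is matched by the exemption and counted as interesting traffic for the tunnel.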

2 Replies

Mohammed al Baqari
VIP Advisor

This syntax is wrong. Make sure that you have the object groups created and are using the same names (it's case sensitive).

Are you talking about this?
nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

This syntax is output from ASDM. I didn't write it by hand in the CLI.