09-09-2018 02:15 AM - edited 03-12-2019 04:10 AM
Hello everyone!
I have a Cisco ASA5506-X (ver. 9.8(2)20, ASDM 7.9(1)151) at my remote site. I want to set up VPN access with authentication from Active Directory. I also want to use AD passwords for authentication in ASDM and SSH (falling back to LOCAL if it fails).
I already did this in the past on a Cisco PIX515E and a Cisco ASA5505 using this manual:
But now I have trouble because this is the first time I am using a RADIUS server (NPS) located at a remote site (behind an IPsec site-to-site tunnel). When I try to execute the test I receive a timeout.
Log:
Built outbound UDP connection 2053719 for outside:192.168.111.246/1645 (192.168.111.246/1645) to identity:86.222.222.222/7272 (86.222.222.222/7272)
where 192.168.111.246 is the IP of my NPS server located at the remote site behind IPsec,
and 86.222.222.222 is the public IP of my ASA5506.
I guess I need to make a NAT exemption between the inside-bridge and outside interfaces, as I did for the inside1 and inside2 interfaces, in order to avoid NATing into the outside interface:
nat (inside-bridge,outside) 7 source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup
But I cannot do it:
P.S. If I ping 192.168.111.246 from the ASA with source inside-bridge, the ping is successful, but it fails from inside1 or inside2 or without a source interface:
P.P.S.: I understand that I could publish my remote NPS server ports 1645-1646 on an Internet IP address at the remote site and specify that address on the ASA (with the outside interface as source), but I don't want to do that (security considerations).
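For readers hitting the same symptom, here is an added illustration (not the poster's configuration and not a reply from the thread) of how the pieces in the post fit together on ASA: the RADIUS group is bound to the interface whose address is carried inside the tunnel instead of the outside interface, the identity-NAT rule follows the same shape as the one already used for inside1/inside2, and management login falls back to LOCAL. Interface names (inside-bridge, inside1, inside2, outside), the object names inside-bridge-network and bs-office-networks, the NPS address and the port numbers come from the post; the server-group name NPS-RADIUS, the local username and the placeholder secrets are assumptions.

```cisco
! Added illustration, not the poster's running config. Placeholders in <...>.

! 1. RADIUS server group. The interface in parentheses is the one the ASA
!    sources RADIUS packets from. With (outside) the request leaves from the
!    public address 86.222.222.222 (exactly what the "identity:" side of the
!    log line shows) and is never matched by the site-to-site crypto ACL.
!    With (inside-bridge) it is sourced from the inside-bridge address, the
!    same address from which the post's ping already succeeds.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside-bridge) host 192.168.111.246
 key <SHARED-SECRET-PLACEHOLDER>
 authentication-port 1645
 accounting-port 1646
 timeout 10

! 2. NAT exemption (identity NAT) so inside-bridge traffic to the office
!    networks keeps its address on the way into the tunnel. Same shape as
!    the rule from the post. ASSUMPTION to verify on 9.8: if the ASA refuses
!    the BVI name "inside-bridge" in a nat statement, the bridge-group
!    member interfaces (show nameif) are the ones to use in its place.
nat (inside-bridge,outside) source static inside-bridge-network inside-bridge-network destination static bs-office-networks bs-office-networks no-proxy-arp route-lookup

! 3. Management authentication: RADIUS first, LOCAL when the group is
!    unreachable (tunnel down, NPS down). Keep a local privilege-15 user so
!    the fallback actually has something to authenticate against.
aaa authentication ssh console NPS-RADIUS LOCAL
aaa authentication http console NPS-RADIUS LOCAL
aaa authentication enable console NPS-RADIUS LOCAL
username asa-admin password <LOCAL-PASSWORD-PLACEHOLDER> privilege 15

! 4. Verification. After the change the "identity:" side of the
!    "Built outbound UDP connection" log line should carry the inside-bridge
!    address instead of 86.222.222.222, and the test should no longer time out.
test aaa-server authentication NPS-RADIUS host 192.168.111.246 username <TEST-USER> password <TEST-PASSWORD>
show aaa-server NPS-RADIUS
```

The order matters for the fallback: listing LOCAL after the RADIUS group means local accounts are consulted only when the server group does not answer, not when RADIUS rejects a bad password, so a reachable NPS still enforces AD credentials.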