Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1454
Views
0
Helpful
9
Replies

Azure to ASA site to site policybase VPN. Cannot reach Azure subnet from ASA

Viboosha paliyaguru
Level 1
Level 1

‎08-12-2020 11:06 AM

i have recently configured a azure to asa site to site policy base vpn. Devices on the inside subnet can reach azure subnet. But when i try to ping azure subnet from ASA it fails. This makes LDAP authentication to fail since the ASA cant reach the LDAP server on the azure subnet. i executed a trace route to azure subnet it ends up heading out of outside interface not the vpn tunnel.

0 Helpful
9 Replies 9

Rob Ingram
VIP
VIP

‎08-12-2020 11:17 AM

Hi,
The source of the LDAP traffic would be your outside interface ip address, try including your outside IP address in your crypto ACL.

HTH
0 Helpful

Viboosha paliyaguru
Level 1
Level 1
In response to Rob Ingram

‎08-12-2020 11:53 AM

The LDAP sever is connected via the VPN and devices on the inside subnet
can reach the server and i have tested authentication with LDP.exe tool
work fine. I am having trouble figuring out why the asa cannot connect with
LDAP server via the VPN.
0 Helpful

Viboosha paliyaguru
Level 1
Level 1
In response to Viboosha paliyaguru

‎08-12-2020 11:58 AM

Through the inside interface
0 Helpful

Rob Ingram
VIP
VIP
In response to Viboosha paliyaguru

‎08-12-2020 12:01 PM

Are you referring to LDAP authentication to the ASA itself, i.e. for RAVPN or mgmt authentication?
0 Helpful

Viboosha paliyaguru
Level 1
Level 1
In response to Rob Ingram

‎08-12-2020 12:18 PM

RAVPN
0 Helpful

Rob Ingram
VIP
VIP
In response to Viboosha paliyaguru

‎08-12-2020 12:22 PM

Right, so when the ASA communicates with the LDAP server (on the end of the VPN tunnel) it will attempt to communicate using it's outside interface IP address, is that IP address defined in your crypto ACL (used to define the interesting traffic)?
0 Helpful

Viboosha paliyaguru
Level 1
Level 1
In response to Rob Ingram

‎08-12-2020 12:42 PM

Yes it is the public IP of the azure subnet
0 Helpful

Rob Ingram
VIP
VIP
In response to Viboosha paliyaguru

‎08-12-2020 01:00 PM

No. The public/outside IP address of the ASA will need to be included in the crypto ACL that defines the interesting traffic for the VPN tunnel.
0 Helpful

Viboosha paliyaguru
Level 1
Level 1
In response to Rob Ingram

‎08-12-2020 07:37 PM

Would this work 

 

My outside interface of ASA is 103.31.114.116

Azure subnet are: 10.0.0.0 ,10.0.1.0

 

access-list Azure-acl line 2 extended permit ip object 103.31.114.116-ASA-OUTSIDE object-group Azure-NET (hitcnt=0) 0x306ca30a
access-list Azure-acl line 2 extended permit ip host 103.31.114.116 10.0.0.0 255.255.255.0 (hitcnt=0) 0x3eeca94b
access-list Azure-acl line 2 extended permit ip host 103.31.114.116 10.0.1.0 255.255.255.0 (hitcnt=0) 0xcd0de5a4

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card