09-14-2006 08:03 AM - edited 02-21-2020 01:10 AM
Hello, I need to give all my users access to an external LDAP server to query email addresses. What is the command that I need to run?
My internal subnet is 10.1.0.x.
Thanks for your replies.
09-14-2006 08:30 AM
You probably need an access-list, but it depends on whether you have one on the internal interface or not.
Can you post your config, but remove all the confidential information such as public IPs, users, passwords ...
example :
access-list inside permit tcp 10.x.x.x 255.255.255.0 host LDAP-Server-IP eq 389
access-group inside in interface inside
If you do not have an access-list on your inside interface, then all traffic from the higher security level to the lower interface is permitted by default. You just need a correct NAT (Network Address Translation).
See also:
Controlling Network Access and Use version 6.3x:
Version 7.0 guide:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/index.htm
sincerely
Patrick
09-14-2006 09:47 AM
09-14-2006 10:06 AM
Where is the LDAP server located?
If it is on the outside then you should already have access to it.
If it is on the dmz interface then you need to define a NONAT entry which disables the NAT from the inside to the DMZ interface or add a PAT entry that translates the inside IPs to a valid DMZ IP.
example NONAT inside to DMZ:
static (inside,DMZ) InsideNet InsideNet netmask InsideSubnetMask 0 0
sincerely
Patrick
09-14-2006 11:10 AM
Yes, the LDAP server is located outside my network (I'm in Peru, the LDAP is in the USA).
09-14-2006 01:21 PM
But anyway the PCs can't connect to the external LDAP.
The only config related to LDAP in my config is:
access-list 101 permit tcp any host A.B.C.70 eq ldap
where A.B.C.70 is a public IP from one of my internal servers (not the external LDAP that I wish to connect)
09-15-2006 10:36 AM
Your inside host should not have any problem connecting to the outside LDAP which is on the internet, because there is no access-list that blocks the connection.
Check your logs on the PIX. If you see the following line in the log: ....(SYN Timeout)
then the LDAP server on the internet does not allow you to connect to the server.
You can also try a telnet to the server to see if it responds in some way.
telnet LDAP-PubIP 389
sincerely
Patrick
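The "try a telnet to port 389" check above can be scripted so the three outcomes a PIX log would show are told apart: the SYN is answered (port open), the far host answers with a RST (reachable, but the port is closed or the host rejects it), or nothing comes back (the "SYN Timeout" case, which usually means the packet was filtered upstream or was never translated). This is an added example, not code from the thread; the loopback listener is a constructed stand-in for a reachable LDAP port so the script runs offline.

```python
"""TCP reachability probe for the 'telnet LDAP-PubIP 389' diagnostic step.

Added example, not from the thread. Maps the socket error to the same
distinction the PIX log makes: open / refused (RST) / timeout (no reply).
"""
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # SYN/ACK came back: the far port answers
    except ConnectionRefusedError:
        return "refused"             # RST came back: host reachable, port closed
    except socket.timeout:
        return "timeout"             # nothing came back: the 'SYN Timeout' case
    except OSError:
        return "unreachable"         # no route, network down, or lookup failure


def _local_listener():
    """Constructed stand-in for a reachable LDAP port: a listener on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Usage with a real target would be: probe_tcp("LDAP-PubIP", 389)
    srv = _local_listener()
    port = srv.getsockname()[1]
    print("listening port:", probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print("closed port:", probe_tcp("127.0.0.1", port))      # refused
```

A "refused" result already tells you the packet left the PIX, was translated, and reached a host that answered; only "timeout" is consistent with the missing-NAT symptom discussed later in the thread.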
09-15-2006 12:21 PM
Thanks again for your reply. The case is that we need to allow all my computers, not necessarily only my host (A.B.C.70), to reach the external LDAP. For example, if my computer has a private IP 10.1.1.170 and I put this command:
nat (inside) 1 10.1.0.170 255.255.255.255 0 0
this computer can connect to the external LDAP
if I delete:
no nat (inside) 1 10.1.0.170 255.255.255.255 0 0
now it can't
maybe I have to put something similar to this?
access-list 101 permit tcp any host 10.1.0.0 eq ldap
where 10.1.0.0 is my subnet....
(sorry but I'm learning cisco pix myself)
09-16-2006 12:29 PM
Hi Josky,
I suggest typing the following:
no global (outside) 1 A.B.C.120-A.B.C.125
global (outside) 1 A.B.C.120-A.B.C.124
global (outside) 1 A.B.C.125
clear xlate
This will extend the number of hosts going out to the outside to unlimited, instead of only 6 hosts...
I hope this helps!
Osama
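The thread's outbound-connectivity logic on a PIX 6.x comes down to three gates: an access-list only matters if one is bound inbound on the inside interface (Patrick's first post), the source must be covered by a nat (inside) statement (Josky's observation that a single-host nat line makes the PC work), and that nat id needs a global (outside) pool, whose shape decides how many hosts can go out at once (Osama's change from a 6-address range to a 5-address range plus one PAT address). The parser below models those gates over the thread's own command forms. It is an added example, not code from the thread or from Cisco; the sample configs are constructed, with 203.0.113.x standing in for the thread's A.B.C.x addresses and 198.51.100.10 for the external LDAP server (RFC 5737 documentation ranges), and the "after" config generalises Josky's per-host nat line to the whole 10.1.0.0/24 subnet, which is my assumption of the intended fix, not something stated in the thread. nat 0, static and DMZ interfaces are out of scope.

```python
"""Model of the three gates a PIX 6.x applies to an inside->outside flow.

Added example, not from the thread. Parses nat / global / access-list /
access-group lines and answers: can host X open a TCP connection to Y:port?
"""
import ipaddress
from dataclasses import dataclass, field

SERVICES = {"ldap": 389, "ldaps": 636}   # names accepted in 'eq' clauses


@dataclass
class Pool:
    dynamic: int = 0        # addresses usable for one-to-one dynamic NAT
    pat: bool = False       # a single address (or 'interface') usable for PAT


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)      # name -> [(action, proto, src, dst, port)]
    bindings: dict = field(default_factory=dict)  # interface -> acl bound inbound
    nats: list = field(default_factory=list)      # [(interface, id, network)]
    pools: dict = field(default_factory=dict)     # (interface, id) -> Pool


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A M' starting at tok[i]; return (network, next_i)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse_pix(text):
    cfg = PixConfig()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "no":          # skip blanks and 'no ...' removals
            continue
        if tok[0] == "access-list":            # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _parse_addr(tok, 4)
            dst, i = _parse_addr(tok, i)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port = SERVICES.get(tok[i + 1]) or int(tok[i + 1])
            cfg.acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":         # access-group NAME in interface IFACE
            cfg.bindings[tok[4]] = tok[1]
        elif tok[0] == "nat":                  # nat (IFACE) ID ADDR MASK [max_conns em_limit]
            cfg.nats.append((tok[1].strip("()"), int(tok[2]), _net(tok[3], tok[4])))
        elif tok[0] == "global":               # global (IFACE) ID A-B | A | interface [netmask M]
            pool = cfg.pools.setdefault((tok[1].strip("()"), int(tok[2])), Pool())
            if "-" in tok[3]:
                lo, hi = (ipaddress.IPv4Address(a) for a in tok[3].split("-"))
                pool.dynamic += int(hi) - int(lo) + 1
            else:
                pool.pat = True                # single address or 'interface' => PAT
    return cfg


def outbound_allowed(cfg, src_ip, dst_ip, port, proto="tcp"):
    """Return (allowed, reason) for a new inside->outside connection."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    acl = cfg.bindings.get("inside")
    if acl:                                    # gate 1: ACL bound on the inside interface
        for action, p, s, d, prt in cfg.acls.get(acl, []):
            if p in (proto, "ip") and src in s and dst in d and prt in (None, port):
                if action == "deny":
                    return False, f"denied by access-list {acl}"
                break
        else:
            return False, f"no permit in access-list {acl} (implicit deny)"
    ids = [n for iface, n, net in cfg.nats if iface == "inside" and src in net]
    if not ids:                                # gate 2: a nat statement must cover the source
        return False, "no nat (inside) statement covers the source address"
    for n in ids:                              # gate 3: the nat id needs a global pool
        pool = cfg.pools.get(("outside", n))
        if pool and (pool.dynamic or pool.pat):
            return True, f"translated via nat/global id {n}"
    return False, "nat id has no global (outside) pool"


def pool_capacity(cfg, nat_id, iface="outside"):
    """(one-to-one dynamic NAT slots, PAT fallback available) for a global id."""
    pool = cfg.pools.get((iface, nat_id), Pool())
    return pool.dynamic, pool.pat


# Constructed sample configs (203.0.113.x stands in for the thread's A.B.C.x).
BEFORE = """
nat (inside) 1 10.1.0.170 255.255.255.255 0 0
global (outside) 1 203.0.113.120-203.0.113.125
access-list 101 permit tcp any host 203.0.113.70 eq ldap
access-group 101 in interface outside
"""
AFTER = """
nat (inside) 1 10.1.0.0 255.255.255.0 0 0
global (outside) 1 203.0.113.120-203.0.113.124
global (outside) 1 203.0.113.125
access-list 101 permit tcp any host 203.0.113.70 eq ldap
access-group 101 in interface outside
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        cfg = parse_pix(text)
        for host in ("10.1.0.170", "10.1.0.171"):
            print(label, host, outbound_allowed(cfg, host, "198.51.100.10", 389))
        print(label, "pool capacity:", pool_capacity(cfg, 1))
```

Run against the "before" config, 10.1.0.170 passes and 10.1.0.171 fails at gate 2 with no ACL involved, which is why adding or removing a single nat line toggles connectivity while access-list 101 (bound on the outside interface) never enters into it. The "after" config passes both hosts and reports 5 one-to-one slots plus a PAT fallback, the capacity change Osama's global lines make.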
09-18-2006 01:13 PM
Thanks Osama, but I don't know if your advice will fix my problem with the LDAP.
:)