Pix 515e and LDAP access

josky_jara
Level 1

Hello, I need to give all my users access to an external LDAP server to query email addresses. What is the command that I need to run?

my internal subnet is 10.1.0.x

thanks for your replies

9 Replies

Patrick Iseli
Level 7

You probably need an access-list, but it depends on whether you have one on the internal interface or not.

Can you post your config, but remove all the confidential information such as public IPs, users, passwords ...

example :

access-list inside permit tcp 10.x.x.x 255.255.255.0 host LDAP-Server-IP eq 389

access-group inside in interface inside

If you do not have an access-list on your inside interface, then all traffic from the higher security level to the lower interface is permitted by default. You just need a correct NAT - Network Address Translation.

See also:

Controlling Network Access and Use version 6.3x:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html

Version 7.0 guide:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/index.htm

sincerely

Patrick

Here is my conf, the pwd to open the rar file is ciscoforum

(see attached file)

Where is the LDAP server located?

If it is on the outside then you should already have access to it.

If it is on the dmz interface then you need to define a NONAT entry which disables the NAT from the inside to the DMZ interface or add a PAT entry that translates the inside IPs to a valid DMZ IP.

example NONAT inside to DMZ:

static (inside,DMZ) InsideNet InsideNet netmask InsideSubnetMask 0 0

sincerely

Patrick

Yes, the LDAP server is located outside my network (I'm in Peru, the LDAP is in the USA).

But anyway the PCs can't connect to the external LDAP.

The only conf related to LDAP in my conf is

access-list 101 permit tcp any host A.B.C.70 eq ldap

where A.B.C.70 is a public IP of one of my internal servers (not the external LDAP that I wish to connect to).

Your inside host should not have any problem connecting to the outside LDAP which is on the internet, because there is no access-list that blocks the connection.

Check your logs on the PIX. If you see the following line in the log: ....(SYN Timeout)

then the LDAP server on the internet does not allow you to connect to the server.

You can also try a telnet to the server to see if it responds in some way.

telnet LDAP-PubIP 389

sincerely

Patrick

Thanks again for your reply. The case is that we need to allow all my computers, not necessarily only my host (A.B.C.70), to reach the external LDAP. For example, if my computer has a private IP 10.1.1.170 and I put this command:

nat (inside) 1 10.1.0.170 255.255.255.255 0 0

this computer can connect to the external LDAP.

If I delete it:

no nat (inside) 1 10.1.0.170 255.255.255.255 0 0

now it can't.

Maybe I have to put something similar to this?

access-list 101 permit tcp any host 10.1.0.0 eq ldap

where 10.1.0.0 is my subnet....

(Sorry, but I'm learning Cisco PIX by myself.)
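The two observations above (Patrick's note that inside-to-outside traffic needs a matching NAT, and Josky's finding that a per-host `nat (inside) 1` line makes a single PC work) point at a subnet-wide translation rather than one `nat` line per PC. The following PIX 6.3-style fragment is an added example, not a configuration posted by anyone in this thread; it assumes the inside subnet 10.1.0.0/24 from the question, the public pool A.B.C.120-A.B.C.125 mentioned by Osama, and a placeholder LDAP-PubIP for the external LDAP server.

```cisco
! Added example, not from the thread. Assumed values: inside subnet
! 10.1.0.0/24, public pool A.B.C.120-A.B.C.125, external LDAP server
! placeholder LDAP-PubIP (replace with the real address).

! One nat statement for the whole inside subnet instead of one per host.
! NAT id 1 ties this line to the "global (outside) 1" entries below.
nat (inside) 1 10.1.0.0 255.255.255.0 0 0

! Dynamic NAT pool for the first public addresses, then PAT on the last
! one so that more inside hosts than pool addresses can still get out.
global (outside) 1 A.B.C.120-A.B.C.124
global (outside) 1 A.B.C.125

! Optional tightening: once an access-group is bound to the inside
! interface, everything not listed is denied (implicit deny), so any
! other services the inside hosts need (DNS, web, ...) must be added
! here too. Without this access-group the PIX permits all outbound
! inside-to-outside traffic by default, as Patrick noted.
access-list inside_out permit tcp 10.1.0.0 255.255.255.0 host LDAP-PubIP eq 389
access-group inside_out in interface inside

! Drop existing translations so the new nat/global pair takes effect,
! then verify which translations are being built.
clear xlate
show xlate
```

To check the result from the PIX side, watch the log for the "(SYN Timeout)" entries Patrick mentioned: a translation that is built (visible in `show xlate`) followed by a SYN timeout means the packet left the firewall and the remote LDAP server, or something in front of it, is not answering on 389.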

Hi Josky,

I suggest to type the following

no global (outside) 1 A.B.C.120-A.B.C.125

global (outside) 1 A.B.C.120-A.B.C.124

global (outside) 1 A.B.C.125

clear xlate

This will let an unlimited number of your hosts go out to the outside instead of only 6 hosts...

I hope this helps!

Osama

Thanks Osama, but I don't know if your advice will fix my problem with the LDAP.

:)
