User-identity configuration on ASA 5506

Hello, 

We configured user-identity on an ASA 5506.

We have some problems with the agent installed on the server. We configured an IP with subnet mask /20 on the BVI interface.

With this configuration the communication (test) between the agent on the server and the firewall doesn't work; instead, if we change the mask and configure /24, it works.

First question: why? :-)

We necessarily need a /20 because our network and the servers segregated behind the firewall are on the same network.

The firewall is attached to the datacenter on the INSIDE interface, and the segregated servers are on the OUTSIDE interface.

You have to know that the communication between the firewall and the LDAP server (AD) works correctly; in fact, if you search for a domain user on the firewall, the firewall finds him correctly.

Instead, if you do the agent test, it fails.

When you create a rule having a domain user as source, the rule doesn't work; instead, if you make a rule with an IP as source, it works.

Can you indicate to me what I can check in the configuration to solve the problem?

Thanks a lot.


Leandro

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Firstly, I assume that the agent is the CDA :)

Now, as per your description, communication between the ASA and AD is good.

Now, did you check the status of the AD on the CDA device? Does it show UP?

Refer to this document and verify the steps:-

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_wrkng.html

Also, do you see the user-IP mapping on the CDA?

Thanks and Regards,

Vibhor Amrodia

Hi,
thanks for the answer.
We identified the issue.
The problem is with ADAGENT: it does not associate the source IP with the user in the domain.
In this way the firewall doesn't match the rule with the user.

All the tests on the firewall, with the domain controller and the ADAGENT on the server in the domain, work.

Only the association between source IP and user in the domain doesn't work.

Any suggestion?


thanks


bye


Hi,

I would strongly recommend you move to CDA, as AD Agent is out of support.

Refer to this:

http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_troubleshooting.html

Thanks and Regards,

Vibhor Amrodia
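
The thread never shows the ASA side of the setup, so here is an added configuration example of the identity-firewall pieces being discussed, together with the checks used to verify each hop: the LDAP lookup the original post says works, the agent test it says fails, and the user-to-IP mapping the second post says is missing. This is example configuration, not code from the original post or from Cisco; every interface name, address, domain name, server tag, user name and placeholder secret is an assumed value chosen to mirror the layout described (INSIDE and OUTSIDE bridged onto a /20 BVI).

```cisco
! --- Assumed addressing: ASA 5506-X, inside and outside bridged into BVI1
! --- with a /20 mask, mirroring the post (all values are examples).
interface GigabitEthernet1/1
 nameif inside
 bridge-group 1
 security-level 100
interface GigabitEthernet1/2
 nameif outside
 bridge-group 1
 security-level 0
interface BVI1
 ip address 10.10.0.1 255.255.240.0
!
! --- LDAP server used for the domain-user lookups that the post says work.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.1.10
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=local
 ldap-login-password <password>
 server-type microsoft
!
! --- AD Agent or CDA, reached over RADIUS; the key must match the agent side.
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 10.10.1.20
 key <shared-secret>
!
! --- Tie the domain, the agent and the LDAP server together, then enable.
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD-AGENT
user-identity enable
!
! --- A user-based rule from the datacenter (inside) to a segregated server
! --- (outside). It only matches once the ASA holds a user-to-IP mapping for
! --- the source address, which is exactly what the second post says is missing;
! --- the IP-based fallback below it matches regardless.
object-group user DC-ADMINS
 user EXAMPLE\jdoe
access-list INSIDE_IN extended permit tcp object-group-user DC-ADMINS any host 10.10.2.5 eq 3389
access-list INSIDE_IN extended permit tcp host 10.10.5.23 host 10.10.2.5 eq 3389
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! --- Verification, in the order the thread tests them:
! --- 1. LDAP lookup (the part the post says works)
test aaa-server authentication AD-LDAP host 10.10.1.10 username jdoe password <password>
! --- 2. Agent reachability (the "agent test" the post says fails)
test aaa-server ad-agent AD-AGENT
show user-identity ad-agent
! --- 3. The mapping itself, for a workstation address where jdoe is logged in
show user-identity user-of-ip 10.10.5.23
show user-identity ip-of-user EXAMPLE\jdoe
show user-identity statistics
```

Step 3 is the ASA-side counterpart of the mapping check suggested in the first reply: if `show user-identity user-of-ip` returns nothing for an address where the user is logged in while the LDAP test in step 1 succeeds, a rule with a user or user group as source cannot match, which is the symptom described, and the problem lies between the agent and the domain controller rather than between the ASA and LDAP.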
