08-07-2015 03:14 AM - edited 03-11-2019 11:23 PM
Hello,
We configured the user-identity on an ASA 5506.
We have some problems with the agent installed on the server. We configured on the BVI interface an IP with a /20 subnet mask.
With this configuration the communication (test) between the agent on the server and the firewall doesn't work; instead, if we change the mask and configure /24, it works.
First question: why? :-)
We necessarily need a /20 because our network and the servers segregated behind the firewall are on the same network.
The firewall is attached to the datacenter on the INSIDE interface, and the segregated servers are on the OUTSIDE interface.
You have to know that the communication between the firewall and the LDAP server (AD) works correctly; in fact, if you search for a domain user on the firewall, the firewall finds him correctly.
Instead, if you do the agent test, it fails.
When you create a rule having a domain user as source, the rule doesn't work; instead, if you make a rule with an IP as source, it works.
Can you indicate to me what I can check in the configuration to solve the problem?
Thanks a lot.
Leandro
08-11-2015 06:46 AM
Hi,
Firstly, I assume that the agent is the CDA :)
Now, as per your description, communication between the ASA and AD is good.
Now, did you check the status of the AD on the CDA device? Does it show UP?
Refer to this document and verify the steps:
http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_wrkng.html
Also, do you see the user-IP mapping on the CDA?
Thanks and Regards,
Vibhor Amrodia
08-11-2015 07:25 AM
Hi,
Thanks for the answer.
We identified the issue.
The problem is on the AD Agent: it does not associate the source IP with the user in the domain.
In this way the firewall doesn't match the rule with the user.
All the tests on the firewall with the domain controller and the AD Agent on the server in the domain work.
Only the association between source IP and user in the domain doesn't work.
Any suggestions?
Thanks,
Bye
08-11-2015 07:36 AM
Hi,
I would strongly recommend you move to CDA, as AD Agent is out of support.
Refer to this:
http://www.cisco.com/c/en/us/td/docs/security/ibf/setup_guide/ad_agent_setup_guide/ibf10_troubleshooting.html
Thanks and Regards,
Vibhor Amrodia
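For readers who hit the same symptom (an access rule with a domain user as source never matches because the agent never reported a user-to-IP mapping for that host), the following is an added example, not configuration posted in this thread or taken from Cisco's documentation. It shows a minimal ASA identity-firewall setup in transparent mode followed by the show and test commands that reveal whether a mapping actually exists. The server-group names, the domain EXAMPLE, all addresses, the /20 BVI mask from the original question and the user jdoe are placeholders.

```cisco
! ---- Added example (placeholders throughout), not from the thread ----
! Transparent-mode bridge group; the /20 mask mirrors the poster's setup
interface BVI1
 ip address 10.10.0.5 255.255.240.0
!
! LDAP server group used to resolve domain users and groups (placeholder DN/host)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <placeholder>
 server-type microsoft
!
! RADIUS server group that points at the AD Agent / CDA host (placeholder host)
! The agent is what supplies user-to-IP mappings; LDAP alone never does.
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 10.10.0.20
 key <placeholder-shared-secret>
 user-identity ad-agent
!
! Tie the domain to the LDAP group and the mapping source to the agent group
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD-AGENT
user-identity enable
!
! Rule with a domain user as source: it can only match once the ASA has
! learned which IP that user currently holds (reported by the agent)
access-list OUTSIDE_IN extended permit tcp user EXAMPLE\jdoe any host 10.10.0.50 eq 443
access-group OUTSIDE_IN in interface outside
!
! ---- Verification, run from the ASA CLI ----
! 1. Does the ASA reach the agent and does the agent report the DCs as up?
test aaa-server ad-agent AD-AGENT
show user-identity ad-agent
!
! 2. Did LDAP resolution of the user succeed? (this part worked for the poster)
show user-identity user all
!
! 3. Is there a user-to-IP mapping for the user or for the client address?
!    An empty result here, with steps 1 and 2 healthy, is the poster's case:
!    the agent is reachable but never mapped the source IP to the user.
show user-identity ip-of-user EXAMPLE\jdoe
show user-identity user-of-ip 10.10.5.22
show user-identity statistics
```

The usual reading of the output is: if step 3 shows no entry for the client address while steps 1 and 2 are healthy, the ASA is behaving correctly and the missing piece is on the agent side (it never saw a logon event for that host, or it saw one for an address the ASA is not tracking). Re-check the mapping after the user logs on again, and keep the agent host reachable from the same ASA interface named in the aaa-server line.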