cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
980
Views
0
Helpful
5
Replies

remote access vpn and ldap authentication

mafija1975
Level 1
Level 1

I have a test environment with 2 hours fireval 5505: The first firewall is remote acces VPN server and the inside side of this firewall is a domain network with a domain controller, DNS server and one workstation. DHCP is off and the PCs have a static address.outside of the VPN server is attached to the outside of the other ASA 5505 firewall. on inner side of the firewall there's one workstation.the workstation would to connect through remote acces vpn on domain network. I have configured remote acces VPN server through a wizard, and his

configuration is as follows

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.13.74.5 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.30.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name dri.local

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240

access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.30.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record vpnldap

network-acl inside_nat0_outbound

aaa-server vpn protocol ldap

aaa-server vpn (inside) host 10.13.74.20

ldap-base-dn DC=DRI,DC=LOCAL

ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=test,cn=users,dc=dri,dc=local

server-type microsoft

http server enable

http 10.13.74.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.13.74.9-10.13.74.40 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 10.13.74.20 10.8.2.5

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value dri.local

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnpool

authentication-server-group vpn

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d

: end

when i tryed from workstation from inner side of the second firewall(not remote access vpn server) to connect on vpn all is ok. i used cisco vpn client but i can't ping domain controller, workstation, i can't use shared folder on them. why?

plz help me

thanks

1 Accepted Solution

Accepted Solutions

Thanks for letting me know! Can you please mark the post as "answered" ? Thanks!

View solution in original post

5 Replies 5

Herbert Baerten
Cisco Employee
Cisco Employee

hi Goran,

Can you ping the DC etc from the ASA? I suppose yes since your LDAP auth appears to work ok.

Do the inside hosts have the ASA as their default gateway, or do they have a route to 192.168.50.0 pointing to the ASA?

If that's not it, I would start by getting captures on the inside interface of the ASA (the one configured for RA VPN) when you ping the DC, to see if your echo requests go out and if there is any reply.

Herbert

yes i can ping the DC from the ASA. the inside hosts have the ASA as their default gateway.

i work the ping from workstation from the innerside of other asa 5505 firewall (remote access VPN users):

i can ping the inside hosts which connect directly on the ASA, but i can't ping the inside hosts which connect on the ASA over the switch.also, i can't ping the DC because of he is behind the switch.

so  you have :

DC ---switch --- ASA1 --- ASA2 --- client

host2 ----------/


and from the client, when it is connected via VPN to ASA1, you can ping host2 but not DC ?

but you *can* ping DC from the ASA?

very strange

the switch is it just layer 2 or is it a L3 switch?

can you do a capture on the inside of ASA1 ?

Herbert

problem solved. my the DC had faulty the default gateway.when i puted correct the default gateway. all is alright. thanks for help

Thanks for letting me know! Can you please mark the post as "answered" ? Thanks!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: