05-14-2024 02:06 AM
Hello, we are facing the problem "can't connect external Radius Server from Azure to Cisco ASA".
The tunnel is configured and the connection between the servers is there, between the local networks 10.17.0.0/22 and 10.14.19.0/24.
But when connecting the Radius Server to the Cisco ASA an error occurs.
Also, the Radius Server 10.14.19.4/24 cannot ping the Cisco ASA 10.17.1.253/22,
but the Radius Server 10.14.19.4/24 can ping the local machine 10.17.1.2/22.
For the purity of the experiment, firewalls were disabled on the server and the local machine.
My task is to connect the external Radius Server 10.14.19.4/24 to the Cisco ASA 10.17.1.253/22.
Config ASA 10.17.1.253/22:
interface Ethernet1/1
 no switchport
 no nameif
 no security-level
 no ip address
interface Ethernet1/1.x
 description MTEUCLOUD
 vlan x
 nameif MTEUCLOUD
 security-level 0
 ip address 192.70.236.227 255.255.255.254
interface Ethernet1/3
 no switchport
 nameif LOC-LAN
 security-level 100
 ip address 10.17.1.253 255.255.252.0
interface Tunnel2
 nameif MTEU-I-FW1
 ip address 10.70.200.1 255.255.255.252
 tunnel source interface MTEUCLOUD
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROPOSAL
router bgp 65000
 bgp log-neighbor-changes
 bgp graceful-restart
 address-family ipv4 unicast
  neighbor 10.14.18.158 remote-as 65570
  neighbor 10.14.18.158 ebgp-multihop 255
  neighbor 10.14.18.158 activate
  network 10.17.0.0 mask 255.255.252.0
  no auto-summary
  no synchronization
 exit-address-family
route MTEUCLOUD 0.0.0.0 0.0.0.0 192.70.236.226 3
aaa-server MTIS-SRV3-RADIUS (MTEUCLOUD) host 10.14.19.4
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns
  inspect esmtp
  inspect icmp
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect icmp
05-14-2024 02:51 AM
You use a different IP for the BGP neighbor than the tunnel peer IP; sure it will not work.
10.70.200.x 255.255.255.252 <- you need to use the neighbor IP from this subnet.
And the connected network needs to be advertised by BGP; it needs to be configured under BGP:
network x.x.x.x
MHM
05-15-2024 11:29 PM
Hello, can you please tell me what exactly is wrong here? Do I need to change the IP on the ASA? I don't know which one.
05-16-2024 12:06 AM
interface Tunnel2
 nameif MTEU-I-FW1
 ip address 10.70.200.1 255.255.255.252
 tunnel source interface MTEUCLOUD
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROPOSAL
router bgp 65000
 neighbor 10.70.200.x remote-as 65570
You build a VTI tunnel to use it with BGP, so we need to use the tunnel IP in BGP as the neighbor, not as a network.
MHM
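As an added example (not code from the thread or from Cisco), a small Python checker for the mismatch MHM points out: it parses the Tunnel interface subnet and the BGP neighbor statements out of an ASA config and flags any neighbor that is not on a VTI subnet. The embedded config fragment is constructed from the original post.

```python
import ipaddress
import re

# Constructed sample: the relevant fragment of the ASA config from the original post.
ASA_CONFIG = """\
interface Tunnel2
 nameif MTEU-I-FW1
 ip address 10.70.200.1 255.255.255.252
 tunnel source interface MTEUCLOUD
 tunnel mode ipsec ipv4
router bgp 65000
 address-family ipv4 unicast
  neighbor 10.14.18.158 remote-as 65570
  network 10.17.0.0 mask 255.255.252.0
"""


def parse_tunnel_subnets(config):
    """Return {tunnel_name: IPv4Network} for every 'interface TunnelN' block."""
    subnets = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        if re.match(r"\S", line):  # a new top-level command ends the interface block
            current = None
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if current and m:
            subnets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_bgp_neighbors(config):
    """Return the IP of every 'neighbor <ip> remote-as' statement."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^\s*neighbor (\S+) remote-as", config, re.M)]


def check_vti_bgp_neighbors(config):
    """Report each BGP neighbor that does not sit on a VTI subnet (the BGP peer must be the tunnel peer IP)."""
    subnets = parse_tunnel_subnets(config)
    nets = ", ".join(sorted(str(n) for n in subnets.values()))
    return [f"neighbor {nbr} is not on any VTI subnet ({nets})"
            for nbr in parse_bgp_neighbors(config)
            if not any(nbr in net for net in subnets.values())]


if __name__ == "__main__":
    for problem in check_vti_bgp_neighbors(ASA_CONFIG):
        print(problem)
```

With the posted config the checker reports the 10.14.18.158 neighbor; once the neighbor is the other address of the 10.70.200.0/30 tunnel subnet it reports nothing.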
05-16-2024 12:02 AM
Also Radius Server 10.14.19.4/24 cannot ping to Cisco ASA 10.17.1.253/22,
Run the debug on the ASA and check whether the packet is reaching the interface.
Is the PC able to ping the ASA interface?
Where is the gateway for 10.17.0.0/22?
05-16-2024 12:46 AM
05-16-2024 01:00 AM
We did it according to these instructions:
Configure ASA IPsec VTI Connection to Azure - Cisco
I must have sent a screenshot of the wrong gateway from Azure.
05-16-2024 01:05 AM
That does not match what you configured in the original post.
Check the neighbor IP you use.
The neighbor IP must be the tunnel peer IP.
MHM