Cisco asa external radius Server Azure

Vasiliy P, Level 1

Hello, we are facing the problem "can't connect external Radius Server from Azure to Cisco ASA"

Tunnel is configured, connection with servers is there, between local networks 10.17.0.0/22 and 10.14.19.0/24.

But when connecting Radius Server to Cisco ASA an error occurs.
Also Radius Server 10.14.19.4/24 cannot ping to Cisco ASA 10.17.1.253/22,
but Radius Server 10.14.19.4/24 can ping to the local machine 10.17.1.2/22.
For the purity of the experiment, firewalls were disabled on the server and local machine.

My task is to connect the external Radius Server 10.14.19.4/24 to Cisco ASA 10.17.1.253/22.


Config ASA 10.17.1.253/22

interface Ethernet1/1
no switchport
no nameif
no security-level
no ip address

interface Ethernet1/1.x
description MTEUCLOUD
vlan x
nameif MTEUCLOUD
security-level 0
ip address 192.70.236.227 255.255.255.254

interface Ethernet1/3
no switchport
nameif LOC-LAN
security-level 100
ip address 10.17.1.253 255.255.252.0

interface Tunnel2
nameif MTEU-I-FW1
ip address 10.70.200.1 255.255.255.252
tunnel source interface MTEUCLOUD
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL

router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 10.14.18.158 remote-as 65570
neighbor 10.14.18.158 ebgp-multihop 255
neighbor 10.14.18.158 activate
network 10.17.0.0 mask 255.255.252.0
no auto-summary
no synchronization
exit-address-family

route MTEUCLOUD 0.0.0.0 0.0.0.0 192.70.236.226 3

aaa-server MTIS-SRV3-RADIUS (MTEUCLOUD) host 10.14.19.4
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****

class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns
inspect esmtp
inspect icmp
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect icmp

7 Replies

You use a different IP for the BGP neighbor than the tunnel peer IP, so for sure it will not work.

10.70.200.x 255.255.255.252 <- you need to use a neighbor IP from this subnet

And the connected network that needs to be advertised by BGP needs to be configured under BGP:

Network x.x.x.x

MHM

[screenshot: VasiliyP_0-1715840883043.png]

Hello, can you please tell me what exactly is wrong here? Do I need to change the IP on the ASA? I don't know which one.

interface Tunnel2
nameif MTEU-I-FW1
ip address 10.70.200.1 255.255.255.252
tunnel source interface MTEUCLOUD
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL

router bgp 65000
neighbor 10.70.200.x remote-as 65570

You built a VTI tunnel to use it with BGP, so we need to use the tunnel IP in BGP as the neighbor, not as the network.

MHM

balaji.bandi, Hall of Fame
Also Radius Server 10.14.19.4/24 cannot ping to Cisco ASA 10.17.1.253/22,

Run the debug on the ASA and check whether the packet is reaching the interface.

Can the PC ping the ASA interface?

Where is the Gateway for 10.17.0.0/22 ?

BB


[screenshots: VasiliyP_0-1715845573619.png, VasiliyP_1-1715845589562.png, VasiliyP_2-1715845603419.png]

We did it according to these instructions:
Configure ASA IPsec VTI Connection to Azure - Cisco
I must have sent a screenshot of the wrong gateway from Azure.

[screenshot: VasiliyP_3-1715846419779.png]

That does not match what you configured in the original post.

Check the neighbor IP you use.

The neighbor IP must be tunnel peer IP

MHM
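Added example, not code from the thread or from Cisco: a small Python check that parses the ASA configuration quoted in the original post (embedded below as constructed input, trimmed to the interface, BGP, static-route and aaa-server lines) and applies the two points the replies turn on. First, for a VTI design the route to the BGP neighbor must resolve to the tunnel interface, either because the neighbor is the far end of the tunnel subnet (what MHM recommends) or because a static route for the peer address points through the tunnel; in the posted config 10.14.18.158 matches only the default route out MTEUCLOUD. Second, the ASA sends AAA traffic out of the interface named in parentheses in `aaa-server`, so that name must match the interface the route to the RADIUS server actually uses; 10.14.19.4 likewise matches only the default route, so the (MTEUCLOUD) binding is consistent with the static config but means RADIUS would leave the outside interface unencrypted rather than through Tunnel2. The function names are the example's own, and BGP-learned routes are not in a running-config, so the lookup sees only connected and static routes.

```python
import ipaddress
import re

# Constructed input: the relevant lines of the ASA config from the original post.
ASA_CONFIG = """
interface Ethernet1/1.x
 nameif MTEUCLOUD
 security-level 0
 ip address 192.70.236.227 255.255.255.254
interface Ethernet1/3
 nameif LOC-LAN
 security-level 100
 ip address 10.17.1.253 255.255.252.0
interface Tunnel2
 nameif MTEU-I-FW1
 ip address 10.70.200.1 255.255.255.252
 tunnel source interface MTEUCLOUD
 tunnel mode ipsec ipv4
router bgp 65000
 address-family ipv4 unicast
  neighbor 10.14.18.158 remote-as 65570
  neighbor 10.14.18.158 ebgp-multihop 255
  network 10.17.0.0 mask 255.255.252.0
route MTEUCLOUD 0.0.0.0 0.0.0.0 192.70.236.226 3
aaa-server MTIS-SRV3-RADIUS (MTEUCLOUD) host 10.14.19.4
"""


def parse_asa(config):
    """Return (interfaces, bgp_neighbors, static_routes, aaa_servers) from ASA config text."""
    interfaces, neighbors, routes, aaa_servers = {}, set(), [], []
    current = None  # interface block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"ip": None, "tunnel": line.split()[1].startswith("Tunnel")}
        elif current is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif current is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            current["ip"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif line.startswith("neighbor "):
            neighbors.add(ipaddress.IPv4Address(line.split()[1]))
        elif line.startswith("route "):
            _, nameif, dst, mask, *_ = line.split()
            routes.append((ipaddress.IPv4Network(f"{dst}/{mask}"), nameif))
        elif line.startswith("aaa-server "):
            m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
            if m:
                aaa_servers.append((m.group(1), m.group(2), ipaddress.IPv4Address(m.group(3))))
    return interfaces, neighbors, routes, aaa_servers


def egress(dst, interfaces, routes):
    """Longest-prefix match of dst over connected subnets and static routes.
    Returns (nameif, matched_network); BGP-learned routes are invisible here."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [(i["ip"].network, n) for n, i in interfaces.items() if i["ip"]] + routes
    matches = [(net, n) for net, n in candidates if dst in net]
    if not matches:
        return None, None
    net, name = max(matches, key=lambda m: m[0].prefixlen)
    return name, net


def tunnel_far_ends(interfaces):
    """Map each VTI nameif to the other host addresses of its tunnel subnet."""
    return {n: [h for h in i["ip"].network.hosts() if h != i["ip"].ip]
            for n, i in interfaces.items() if i["tunnel"] and i["ip"]}


def check_bgp_neighbors(interfaces, neighbors, routes):
    """A BGP peer over a VTI must be reached through the tunnel interface."""
    findings, far = [], tunnel_far_ends(interfaces)
    for nbr in sorted(neighbors):
        iface, net = egress(nbr, interfaces, routes)
        if iface is None:
            findings.append(f"no route to BGP neighbor {nbr}")
        elif iface not in far:
            hint = "; ".join(f"{n} ({', '.join(map(str, hs))})" for n, hs in far.items())
            findings.append(f"BGP neighbor {nbr} routes via {iface} ({net}), not via a tunnel "
                            f"interface: peer with the far end of the VTI subnet [{hint}] or add a "
                            f"static route for the peer address through the tunnel interface")
    return findings


def check_aaa_servers(interfaces, routes, aaa_servers):
    """The aaa-server interface name must be the interface the route to the server uses."""
    findings = []
    for name, nameif, host in aaa_servers:
        iface, net = egress(host, interfaces, routes)
        if iface is None:
            findings.append(f"aaa-server {name}: no route to {host}")
        elif iface != nameif:
            findings.append(f"aaa-server {name}: bound to ({nameif}) but {host} routes via {iface} ({net})")
        elif not interfaces[iface]["tunnel"] and net.prefixlen == 0:
            findings.append(f"aaa-server {name}: {host} only matches the default route via {nameif}, so "
                            f"RADIUS would leave that interface unencrypted; if the server network is "
                            f"reached over the VTI, it needs a route via the tunnel and the server "
                            f"must be bound to the tunnel nameif")
    return findings


def run_checks(config):
    interfaces, neighbors, routes, aaa_servers = parse_asa(config)
    return check_bgp_neighbors(interfaces, neighbors, routes) + check_aaa_servers(interfaces, routes, aaa_servers)


if __name__ == "__main__":
    for finding in run_checks(ASA_CONFIG):
        print("-", finding)
```

On the ping test in the thread, one ASA property is worth keeping in mind when reading the findings: an ASA answers ICMP to one of its own interface addresses only from traffic arriving on that interface (over a VPN, the inside interface can be made reachable with `management-access`), so 10.14.19.4 failing to ping the LOC-LAN address 10.17.1.253 while successfully pinging the host 10.17.1.2 behind it is expected and does not by itself show a routing problem.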