Remote Access VPN on an ASA that authenticates against a remote LDAP server through a site-to-site VPN


I've got a question here that I don't know the answer to off hand.

I've got a remote site that is a small office. There are no servers (Active Directory) at that site, though there is a local file store. The site has an L2L tunnel back to HQ, where they get Active Directory services. Is there any way to have a remote access VPN authenticate against the remote LDAP server group through the VPN?

I can make an LDAP server group, but when I assign an interface, that's where I get stuck.  It's obviously not on the inside interface, as the servers don't reside in that subnet.  If I choose the outside interface, the ASA will look for the private IP on that side, and not find it because it doesn't seem to send that off to the remote site.

Is there something that can be configured so the ASA recognizes that it needs to send it through the VPN?

Karsten Iwen
VIP Mentor

I don't see any reason that it shouldn't work. The following has to be done:

1) Specify the LDAP server with the outside interface.

2) Make sure you have a route to the network of the LDAP server pointing to your WAN router or your provider.

3) Include your public IP in the crypto ACL, as the LDAP traffic will be originated from the public IP of the ASA.

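The three steps above, written out as an ASA configuration fragment for the branch ASA. This is an added illustration, not configuration posted by the question author or by Karsten Iwen. All names and addresses are assumptions chosen for the example: branch outside interface 203.0.113.10/24 with ISP gateway 203.0.113.1, branch LAN 192.168.10.0/24, HQ peer 198.51.100.10, HQ LAN 10.1.0.0/16 with the domain controller / LDAP server at 10.1.0.5, a remote-access pool 192.168.20.0/24, and the object and group names used below.

```cisco
! --- Branch ASA (assumed: outside 203.0.113.10/24, ISP gateway 203.0.113.1) ---

! Step 2: a route to the HQ LDAP subnet pointing at the WAN router / provider.
! The default route already covers it; the explicit route is shown for clarity.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 10.1.0.0 255.255.0.0 203.0.113.1 1

! Existing L2L tunnel to HQ (assumed IKEv1, pre-shared key).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Step 3: the crypto ACL. The first line is the normal LAN-to-LAN traffic.
! The second line adds the ASA's own public IP as a source, because LDAP
! queries sourced from the (outside) interface leave with 203.0.113.10 as
! the source address and must match the crypto ACL to be encrypted.
access-list L2L_HQ extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L_HQ extended permit ip host 203.0.113.10 host 10.1.0.5

crypto map OUTSIDE_MAP 10 match address L2L_HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! Step 1: the LDAP server group bound to the OUTSIDE interface, even though
! 10.1.0.5 is a private address. The ASA sources the query from the outside
! interface and the crypto map on that interface sends it into the tunnel.
aaa-server HQ_LDAP protocol ldap
aaa-server HQ_LDAP (outside) host 10.1.0.5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-ldap,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft

! Remote-access tunnel group that authenticates against the HQ LDAP group.
ip local pool RA_POOL 192.168.20.1-192.168.20.100 mask 255.255.255.0
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 authentication-server-group HQ_LDAP

! Verification from the branch ASA (assumed test account "jdoe"):
!   test aaa-server authentication HQ_LDAP host 10.1.0.5 username jdoe password <pw>
!   show crypto ipsec sa peer 198.51.100.10
! A successful test should bring up a 203.0.113.10 <-> 10.1.0.5 IPsec SA
! alongside the LAN-to-LAN SA.
```

Two caveats a practitioner will hit: the HQ side's crypto ACL must mirror the new entry (permit ip host 10.1.0.5 host 203.0.113.10), or the HQ ASA will reject the proxy identities and the host-to-host SA will not come up; and any HQ-side access list or firewall in front of the domain controller must allow TCP 389 (or 636 if you add `ldap-over-ssl enable` and `server-port 636` to the server entry) from 203.0.113.10. The bind DN should be a low-privilege service account, since its password sits in the ASA configuration.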
