- Posts: 2
- Thank you received: 0
ASA 5520 - Issues (not sure if its nat or.. )
14 years 11 months ago #32168
by RossM
ASA 5520 - Issues (not sure if its nat or.. ) was created by RossM
Hi All,
I have an issue with my ASA5520.
I am trying to setup VPN Auth via AD and have been successful in the past but this time something isnt quite right.
I get ERROR: Authorization Server not responding: AAA server has been removed. Googling suggested that this was reaching the server, but the logon details/LDAP String was incorrect.
When I look in the log on the AD I do not see any attempt to login etc... and when I look at the ASA log I see an oddity.... (which maybe a complete red herring to the problem above)
Instead of seeing From ASA to ADServer:389 I see it back to front... i.e as if the request is coming from the ADServer to the ASA.
Configuration:
Have static route for 10.15.20.0/23 to goto 10.1.1.1
Inside Interface: 10.1.1.2
So in essence i have 2 networks behind that 1 interface.
Internet works fine and appears normal in the log, I can ping from the ASA to the AD server and vise versa and that appears fine.
If I do a packet tracer from 10.1.1.25 to 10.15.20.21 that goes through fine. If I do 10.1.1.2 to 10.15.20.21 it fails saying it doesnt match the ACL rule. (even though I have set these up)
I have seen this before in that if the ASA knows it cannot get to the destination, it stops it before it goes out of the interface(?) and gives a bogus error.
Ive been working on this for the past day or so and have asked around a could of other cisco savvy people and they are stumped... Any help very gratefully received
Ross
I have an issue with my ASA5520.
I am trying to setup VPN Auth via AD and have been successful in the past but this time something isnt quite right.
I get ERROR: Authorization Server not responding: AAA server has been removed. Googling suggested that this was reaching the server, but the logon details/LDAP String was incorrect.
When I look in the log on the AD I do not see any attempt to login etc... and when I look at the ASA log I see an oddity.... (which maybe a complete red herring to the problem above)
Instead of seeing From ASA to ADServer:389 I see it back to front... i.e as if the request is coming from the ADServer to the ASA.
Configuration:
Have static route for 10.15.20.0/23 to goto 10.1.1.1
Inside Interface: 10.1.1.2
So in essence i have 2 networks behind that 1 interface.
Internet works fine and appears normal in the log, I can ping from the ASA to the AD server and vise versa and that appears fine.
If I do a packet tracer from 10.1.1.25 to 10.15.20.21 that goes through fine. If I do 10.1.1.2 to 10.15.20.21 it fails saying it doesnt match the ACL rule. (even though I have set these up)
I have seen this before in that if the ASA knows it cannot get to the destination, it stops it before it goes out of the interface(?) and gives a bogus error.
Ive been working on this for the past day or so and have asked around a could of other cisco savvy people and they are stumped... Any help very gratefully received
Ross
Time to create page: 0.117 seconds