    Problems with LDAP Authentication and cisco routing.

    Category: Routing and Multi WAN
    9 Posts 2 Posters 936 Views
    • Malad

      Good morning guys, I'm simulating a small network in which a pfSense is deployed; the topology includes an internet link, a Cisco router and an LDAP server (the pfSense sits in front of the router, that is, from the internet: link - pfSense - router). NAT is applied on the router. There is also a port redirection: ip nat inside source static tcp 10.0.5.65 389 192.168.1.254 389. The problem is that authentication is not performed properly, and I am sure that the LDAP configuration is correct. Any suggestions?
      Thanks everyone, greetings.

      • Malad @Malad


        I add what the system logs show about the event: [image: 0_1531756364215_35a74862-0f1b-4925-aba6-4eba8e5b3da9-image.png]

        • johnpoz (LAYER 8 Global Moderator)

          All of that traffic is out of state or R anyway.

          Why are you trying to do port redirection?? Yeah, that is normally going to cause all sorts of asymmetrical traffic if you do not source NAT it as well.

          I would suggest you draw up how you have this all connected and lay out how you think traffic should flow on this drawing.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Malad

            Thank you very much for the answer. The following diagram shows the simulated topology: the red arrows indicate all outgoing traffic (internet browsing), the blue arrows the authentication of the VPN via LDAP against the AD server (Winserver), and the black arrow the incoming VPN traffic. Greetings. [image: 0_1531764138931_9a2abad5-d994-4ed5-870a-a633460fcf6b-image.png]

            • johnpoz (LAYER 8 Global Moderator)

              @malad said in Problems with LDAP Authentication and cisco routing.:

              ip nat inside source static tcp 10.0.5.65 389 192.168.1.254 389

              where does that come into play?

              What is the point of the router between pfsense and the switch? Seems pointless..


              • Malad

                In the communication between the pfSense (fa 0/0: 192.168.1.254) and the Winserver server (e0: 10.0.5.65). There is NAT applied on the Cisco router; it is there because this is a project and it is required to work that way, so it cannot be removed. Regards.

                • johnpoz (LAYER 8 Global Moderator)

                  Why would you NAT? There is no reason to NAT RFC 1918 in such a setup.

                  So pfSense wants to auth to your Winserver. It would send traffic to the router IP on 192.168.1.254 and it would get forwarded to 10.0.5.65 by the router.

                  The SA would be the answer to the SYN. It should not be blocked, unless the traffic went out some other direction, etc.


                  • Malad
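The exchange above turns on two mechanisms: pfSense's stateful filter only passes a SYN-ACK that matches the SYN it saw leave, and a Cisco static port NAT entry rewrites in both directions (destination on the way in, source on the way out). The following toy model is an added illustration written for this thread; it is not pfSense or Cisco IOS code and nothing the posters wrote. The router address 192.168.1.254 and the server 10.0.5.65 come from the thread; the pfSense address 192.168.1.1, the client port 50000 and the simplified 5-tuple state match are assumptions (pf also tracks sequence numbers and timeouts). It lets you try the three cases johnpoz is distinguishing: pfSense aimed at the server through the NAT, aimed at the router's NAT address, and with the NAT removed.

```python
"""Toy model of pfSense TCP state tracking behind a Cisco static port NAT.

Added illustration for this thread, not pfSense or Cisco IOS code.
From the thread: router fa0/0 = 192.168.1.254, AD/LDAP server = 10.0.5.65.
Assumed: pfSense side address 192.168.1.1, client source port 50000.
"""
from __future__ import annotations

import dataclasses
from dataclasses import dataclass

PFSENSE = "192.168.1.1"       # assumed pfSense address facing the router
ROUTER_OUT = "192.168.1.254"  # router fa0/0 (from the thread)
LDAP_SRV = "10.0.5.65"        # Winserver e0 (from the thread)
LDAP_PORT = 389


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK


class StateTable:
    """A SYN leaving creates a state keyed on its 5-tuple; a packet coming
    back passes only if it matches that state with the ends swapped.
    Everything else is logged the way pfSense's firewall log shows it."""

    def __init__(self) -> None:
        self.states: set[tuple] = set()
        self.log: list[str] = []

    def pass_out(self, p: Packet) -> bool:
        if p.flags == "S":
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return True
        ok = (p.src, p.sport, p.dst, p.dport) in self.states
        if not ok:
            self.log.append(f"block out {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
        return ok

    def pass_in(self, p: Packet) -> bool:
        ok = (p.dst, p.dport, p.src, p.sport) in self.states
        if not ok:
            self.log.append(
                f"block in {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags} (out of state)")
        return ok


class StaticPortNat:
    """Models 'ip nat inside source static tcp 10.0.5.65 389 192.168.1.254 389'.
    outside->inside: destination inside_global:port becomes inside_local:port.
    inside->outside: source inside_local:port becomes inside_global:port."""

    def __init__(self, inside_local: str, inside_global: str, port: int,
                 enabled: bool = True) -> None:
        self.il, self.ig, self.port, self.enabled = inside_local, inside_global, port, enabled

    def outside_to_inside(self, p: Packet) -> Packet:
        if self.enabled and (p.dst, p.dport) == (self.ig, self.port):
            return dataclasses.replace(p, dst=self.il)
        return p

    def inside_to_outside(self, p: Packet) -> Packet:
        if self.enabled and (p.src, p.sport) == (self.il, self.port):
            return dataclasses.replace(p, src=self.ig)
        return p


def ldap_handshake(target: str, nat_enabled: bool) -> tuple[bool, list[str]]:
    """pfSense opens TCP/389 to `target` through the router. Returns whether
    the server's SYN-ACK is accepted by pfSense's state table, plus the log."""
    fw = StateTable()
    nat = StaticPortNat(LDAP_SRV, ROUTER_OUT, LDAP_PORT, enabled=nat_enabled)

    syn = Packet(PFSENSE, 50000, target, LDAP_PORT, "S")
    fw.pass_out(syn)                                 # state created
    at_server = nat.outside_to_inside(syn)           # router forwards into the LAN
    if at_server.dst != LDAP_SRV:
        # Without the static entry, 192.168.1.254:389 is just the router itself.
        return False, fw.log + [f"SYN delivered to {at_server.dst}, not the LDAP server"]

    synack = Packet(LDAP_SRV, LDAP_PORT, PFSENSE, 50000, "SA")
    back_at_pfsense = nat.inside_to_outside(synack)  # router sends the reply out
    return fw.pass_in(back_at_pfsense), fw.log


if __name__ == "__main__":
    for target, nat_on in [(LDAP_SRV, True), (ROUTER_OUT, True),
                           (LDAP_SRV, False), (ROUTER_OUT, False)]:
        ok, log = ldap_handshake(target, nat_on)
        print(f"target={target:14} nat={nat_on!s:5} accepted={ok} {log}")
```

Pointing pfSense at 10.0.5.65 with the static entry active is the case that reproduces the symptom: the SYN goes out untranslated, but the static entry rewrites the server's reply to come from 192.168.1.254:389, so the SYN-ACK no longer matches the state pfSense created and is logged as out of state. Pointing pfSense at 192.168.1.254:389 works because both directions are rewritten consistently, and removing the NAT (what the thread ends with) works because nothing is rewritten at all. On the real router, `show ip nat translations` is the place to confirm which entries are actually rewriting the LDAP flow.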

                    If the NAT is removed from the router, the rest of the network below it cannot reach pfSense.

                    • Malad

                      Thank you very much for your help. I already solved it by removing the NAT. Regards.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.