https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3810836#M1065630 <P>Thanks Josue,</P><P>&nbsp;</P><P>&nbsp;</P><P>But what will happen when the secondary(Standby) firewall initiates a traffic to a tacacs server for authentication, which is hosted over the vpn tunnel.</P><P>The solution you have provided will only work in one direction, from remote site to secondary firewall.</P><P>&nbsp;</P><P>I heard of new feature in 9.5 version , <SPAN>Separate routing table for management-only interfaces , can we apply this concept here </SPAN></P><P><SPAN>if yes , please explain .</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P> Wed, 27 Feb 2019 12:56:45 GMT GN974 2019-02-27T12:56:45Z https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3195786#M1065627 <P>Hi There!</P> <P>Has anyone configured a dedicated management IPsec tunnel for ASA management which is in Active / Standby mode?</P> <P>For a standalone device it is working fine as per the documentation by applying the management-access inside command etc...</P> <P>However, if I use a failover pair the tunnel is building up only the primary ASA, the Secondary device shows it as a "Standby" tunnel.</P> <P>I am able to ping / ssh to the primary ASA's inside interface, but not to the Secondary one. The secondary actually receives the traffic, however it is doing a route lookup and sending towards to the "outside" where the tunnel is actually in "Standby".&nbsp;</P> <P>My goal would be that both devices are reachable from the management systems over the VPN, so it can&nbsp;health checked / snmp polled / sshd&nbsp;etc... Like if it were managed over a physical interface.</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 21 Feb 2020 14:27:37 GMT https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3195786#M1065627 attilafejes 2020-02-21T14:27:37Z https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3196239#M1065628 <P>Hi<SPAN class="UserName lia-user-name lia-user-rank-New-Member lia-component-message-view-widget-author-username">,<A id="link_14" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://supportforums.cisco.com/t5/user/viewprofilepage/user-id/360040" target="_self"></A> </SPAN></P> <P>&nbsp;</P> <P>You are right. The traffic will get to the standby unit and will try to be routed over the outside.<BR />In order to fix this, you need to NAT the remote traffic to the inside interface of the primary ASA so the traffic will be returned over the inside network.<BR /><BR />Remote site: 192.168.2.0/24<BR />Inside network of ASA's: 192.168.1.0/24<BR />Inside inteface ip address standby ASA: 192.168.1.2<BR /><BR />object network Remote_site<BR />network 192.168.2.0 255.255.255.0<BR />object network standby_ASA<BR />host 192.168.1.2<BR /><BR />nat (outside,inside) source dynamic Remote_site interface destination static Stanby_ASA Stanby_ASA<BR /><BR />management-access inside<BR />ssh 192.168.2.0 255.255.255.0 inside<BR /><BR /><BR />Rate if it helps.<BR /><BR />Regards,<BR />Josue Brenes<BR />TAC - VPN Engineer.</P> Tue, 10 Oct 2017 02:39:03 GMT https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3196239#M1065628 Josue Brenes 2017-10-10T02:39:03Z https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3196383#M1065629 <P>Thanks for the reply Josue! I need to check it in my lab. I will test it soon and get back to you with the results.</P> <P>&nbsp;</P> <P>Regards, Attila</P> Tue, 10 Oct 2017 10:44:18 GMT https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3196383#M1065629 attilafejes 2017-10-10T10:44:18Z https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3810836#M1065630 <P>Thanks Josue,</P><P>&nbsp;</P><P>&nbsp;</P><P>But what will happen when the secondary(Standby) firewall initiates a traffic to a tacacs server for authentication, which is hosted over the vpn tunnel.</P><P>The solution you have provided will only work in one direction, from remote site to secondary firewall.</P><P>&nbsp;</P><P>I heard of new feature in 9.5 version , <SPAN>Separate routing table for management-only interfaces , can we apply this concept here </SPAN></P><P><SPAN>if yes , please explain .</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P> Wed, 27 Feb 2019 12:56:45 GMT https://community.cisco.com/t5/network-security/asa-management-over-ipsec-vpn/m-p/3810836#M1065630 GN974 2019-02-27T12:56:45Z