topic Re: VTI as Source Interface in Network Security

VTI as Source Interface

Ed Melendez — Fri, 15 Oct 2021 05:18:26 GMT

I have a 5506-x, v9.9, connecting to an AWS VPC with VTIs. Connectivity to AWS is fine, and all internal hosts can communicate with AWS resources.

Issue I'm having is that ASA cannot communicate with AWS resources with source interface set as "inside." AnyConnect is enabled on ASA and needs to communicate with LDAP resource in VPC to authenticate users. I'm guessing this is because the ASAs interface in this case would need to be the VTI, but it is not an option.

Anyone know of a way to get this working? How can I get the ASA to communicate with resources on the VTI side?

Re: VTI as Source Interface

Milos_Jovanovic — Sat, 16 Oct 2021 06:15:35 GMT

Hi @Ed Melendez,

Take a look at this old post. I just tried this, and it works on v9.14.

In your case, you should define server with address of 'inside' zone, and your routng for that destination should point you to VTI. Something like (in your case is should be LDAP protocol, and LDAP relevant config):

aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.20.0.20
key *****
!
route VTI 10.20.0.0 255.255.255.0 10.13.0.1 1
!

BR,

Milos

Re: VTI as Source Interface

Ed Melendez — Sat, 16 Oct 2021 19:22:42 GMT

I already have the inside interface defined

and the route is known via BGP.

What I find interesting, is that I see "identity" as the interface according to the log:

Anyone know why I may be seeing that, and not an actual interface?

And I was hoping to skip any versions 9.10 and up as I'd like to keep firePOWER active, but will upgrade if I have to.

Thank you so much for your reply.

Re: VTI as Source Interface

Ed Melendez — Sat, 16 Oct 2021 19:27:22 GMT

---------

VTI as Source Interface

Milos_Jovanovic — Mon, 18 Oct 2021 08:44:52 GMT

Hi @Ed Melendez,

Identity means that this traffic was originated from ASA, instead of flowing through. In regular, most frequent flow, traffic enters on one interface (e.g. inside) and leaves on another (e.g. outside), in which case you would see both interfaces in log. In this case, ASA is the one sourcing the traffic (and there is no inbound interface), so it is presented as 'identity'.

Based on this log, I would assume that IP address next to 'identity' is actually IP address of your inside interface, and base on other end ('aws_vti_t1'), it looks to me it is doing exactly what you want. You can do a packet capture on VTI interface, to confirm that this traffic is indeed flowing this way.

You don't need to do an upgrade, as that post was from 2013, so it means it works same way long time ago. You should consider an upgrade, as 9.9 is announced EoL and no fixes are available for it anymore.

BR,

Milos