topic Re: Access Cisco ASA via ASDM from remote via different Interface in Network Security

Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Tue, 06 Feb 2024 12:19:07 GMT

Hello,

we would like to access ASA1`s management01 Interface IP (192.168.4.1) from a host behind ASA4´s Interface GigabitEthernet0/1.1 via ASDM.
The flow is SRC: 10.10.10.5 DST: 192.168.4.1 Port: 443 & 22 (ASA4 > ASA3 > ASA2 > ASA1)

On ASA1 in the packet tracer I can see "no route to host" and in the log file "failed to locate egress interface".
We are able to access other hosts behind GigabitEthernet0/3 on ASA1 from hosts behind ASA4´s Interface GigabitEthernet0/1.1 just fine.

We have tried the following to make it work on ASA1:

specifiy "management-access management01"
configure SRC host from ASA4 to be allowed to access ASA1 via ASDM & SSH:

http 10.10.10.5 255.255.255.255 transfer-vpn
ssh 10.10.10.5 255.255.255.255 transfer-vpn

create NAT excemption rule
nat (transfer-vpn, management01) 7 source static 10.10.10.5 10.10.10.5 destination static 192.168.4.1 192.168.4.1 no-proxy-arp

also tried the other way around:

nat (management01, transfer-vpn) 7 source static 192.168.4.1 192.168.4.1 destination static 10.10.10.5 10.10.10.5 no-proxy-arp

create NAT excemption rule with "lookup route table to locate egress interface" enabled

ASAs 5545 is running 9.12(4)54

Do we miss something here or is this scenario even not possible?

ASA1:
GigabitEthernet0/2
nameif transfer-vpn
security-level 10
ip address 194.1.1.1 255.255.255.240

GigabitEthernet0/3
nameif management01
security level 100
ip address 192.168.4.1 255.255.255.0

ASA2:
GigabitEthernet0/2
nameif transfer-vpn
security-level 0
ip address 194.1.1.5 255.255.255.240

ASA3:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.1 255.255.255.240

ASA4:

GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.5 255.255.255.240

GigabitEthernet0/1.1
vlan 10
nameif hosts
security level 66
ip address 10.10.10.1 255.255.255.0

The IPs are of course not our real used.

Thank you

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Wed, 07 Feb 2024 13:08:40 GMT

The asa mgmt routing plane is separate than data routing plane

You need to make mgmt acces via data interface this done by access-management command

MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Wed, 07 Feb 2024 15:30:28 GMT

Hi,

thanks for your reply.

"management-access management01" was already set before but it did not solve the problem.

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Wed, 07 Feb 2024 15:38:27 GMT

Management-access <data interface through which you can access asa>

MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Wed, 07 Feb 2024 15:54:20 GMT

Traffic is first hitting ASA1 via GigabitEthernet0/2 transfer-vpn but I would like to access ASA1 via GigabitEthernet0/3 management01.

So command should be "management-access transfer-vpn" ?

Will this do any harm or break some traffic?

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Wed, 07 Feb 2024 15:56:46 GMT

Yes you need

management-access transfer-vpn

And if this command is harmful' NO it suggest by cisco.

Read more about command before apply to be more comfortable.

MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Thu, 08 Feb 2024 07:19:07 GMT

Hi,

I have changed this to "management-access transfer-vpn" but it still do not work.

Packet tracer still showing "no route to host" and in the logs I can see "failed to locate egress interface"

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Thu, 08 Feb 2024 10:15:39 GMT

Note the VPN traffic is terminating on ASA2 and not ASA1.

I have also tried the following:

On ASA1 there is a subinterface (which was not used) which I have configured with the "management only" command.

ASA1:
GigabitEthernet0/4.2
management-only
vlan 40
nameif test_log
security level 90
ip address 10.3.50.254 255.255.255.0

If trying now to access 10.3.50.254 via ASDM via transfer-vpn at least in the log I am not promted with the "failed to locate egress interface" but traffic timeouts because it seems not beeing forwared to test_log:
Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Thu, 08 Feb 2024 10:29:56 GMT

interfaceX : this is new subinterface you add in ASA1

ASA1(interfaceX)-ASA2-Tunnel IPSec S2S VPN-ASA3
if we connect to ASA3 and try to access ASA1 interfaceX
you need to add interfaceX to Tunnel of ASA2

also we need managment-access interfaceX (remove the management-only under the interfaceX)

then we need to add
http <subnet> interfaceX

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Thu, 08 Feb 2024 12:45:43 GMT

It is actually not a new interface and it was already existing on ASA1.
GigabitEthernet0/4.2 was already part of the the VPN tunnel between ASA2 <> ASA3.

I have exactly tried this before with GigabitEthernet0/3 management01 (it is also part of the tunnel on both ends) on ASA1 but no luck:

"if we connect to ASA3 and try to access ASA1 interfaceX
you need to add interfaceX to Tunnel of ASA2

also we need managment-access interfaceX (remove the management-only under the interfaceX)

then we need to add
http <subnet> interfaceX"

Or is there a difference because GigabitEthernet0/3 is hardware and GigabitEthernet0/4.2 a subinterface?

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Fri, 09 Feb 2024 06:05:30 GMT

there are two concept here
1- management-access

below form cisco doc.

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and the AnyConnect SSL VPN client.

2- management-only
this use to turn the data interface into mgmt interface (i.e. add it to mgmt plane)

MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Fri, 09 Feb 2024 07:39:16 GMT

ok thanks. If I understood correctly then in our case option 1- management-access will not work since VPN traffic is terminating on ASA2. But we would like to access other interface on ASA1 (GigabitEthernet0/3). So there should be no VPN traffic accessing ASA1 on GigabitEthernet0/2.

For the option 2- management-only I have tried that with a different inside interface on ASA1 GigabitEthernet0/4.2 but I am also not able to access the ASA via that.

Traffic seems not to be forwarded to GigabitEthernet0/4.2 but instead going back directly via GigabitEthernet0/2

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Fri, 09 Feb 2024 08:09:47 GMT

show route
then
show route management-only

check if the mgmt plane use different egress interface for return traffic
MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Fri, 09 Feb 2024 08:29:52 GMT

Result of the command: "show route | inc 10.3.50.0"

The command has been sent to the device

######################################################################################

Result of the command: "show route management-only"

Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

C 10.3.50.0 255.255.255.0 is directly connected, test_log
L 10.3.50.254 255.255.255.255 is directly connected, test_log

Interface should be correct. Instead of passing from transfer-vpn to test_log in the logs it shows traffic directly returned back to transfer-vpn:

Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Fri, 09 Feb 2024 09:30:53 GMT

to make it clear for both I make this topology
please check it and write note if there is

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Fri, 09 Feb 2024 13:21:51 GMT

Hi,

thanks for all your effort 🙂

As a workaround we did now the following:

- created a NAT on ASA4 so that traffic to 192.168.4.1 will be translated to public IP
- permit ASDM/SSH traffic for IP on ASA1

With that traffic flow is no longer via ASA4 <transfer net> ASA3 <VPN> ASA2 <transfer net> ASA1.
Now we are able to access ASA1 via 192.168.4.1 via ASDM and SSH from internal hosts behind ASA4

Best regards

Re: Access Cisco ASA via ASDM from remote via different Interface

MHM Cisco World — Fri, 09 Feb 2024 13:41:12 GMT

Friend you are so so welcome

Have a nice weekend

MHM

Re: Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens — Fri, 09 Feb 2024 13:49:17 GMT

thanks you too