topic Re: FPR1010 ASA v9.18(2) Management Access Inside question in Network Security

FPR1010 ASA v9.18(2) Management Access Inside question

TRENT WAITE — Tue, 17 Sep 2024 13:31:29 GMT

I know a couple years back, and couple OS revisions back, there was a significant change to how one could access via SNMP the ASA's inside interface through a L2L tunnel. I have encountered now 2x FPR1010 (ASAs) with v9.18(2) that through the VPN I can not access the ASA's inside interface (ping, SSH, etc.) either direction. From the ASA I can ping a server, and traffic will not initiate tunnel. From the server I can initiate tunnel but no traffic.

I am not aware of what has actually changed, and what I can do for a work around. The purpose is usually to access the ASA from within the tunnel, and to save configs to tftp (within the tunnel) as well as remote monitoring (until the SNMP change).

Anyone else encountering similar, and was there a solution you found?

Re: FPR1010 ASA v9.18(2) Management Access Inside question

Rob Ingram — Tue, 17 Sep 2024 13:35:54 GMT

@TRENT WAITE from ASA 9.14 for SNMP polling over a site-to-site VPN, you had to include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.

In ASA 9.18 you can use a loopback interface for SNMP, so perhaps route that loopback network over the VPN. https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

Re: FPR1010 ASA v9.18(2) Management Access Inside question

TRENT WAITE — Tue, 17 Sep 2024 13:51:24 GMT

I am not aware of loopback's being created on the ASA platform. I can not create interfaces, only use what is available. Can the management port be used in this situation, i.e. provide that port with new IP/subnet and add to tunnel config & ACLs?

Re: FPR1010 ASA v9.18(2) Management Access Inside question

Rob Ingram — Tue, 17 Sep 2024 14:00:25 GMT

@TRENT WAITE the easiest thing to do would be to include the outside IP address in the crypto ACL.

Perhaps you could connect the ASA mgmt interface to a VLAN on the local switch and route that network over the VPN (include that network in the crypto ACL).

Re: FPR1010 ASA v9.18(2) Management Access Inside question

MHM Cisco World — Tue, 17 Sep 2024 14:24:48 GMT

Use outside as source interface to connect for snmp' and then include host IP of outside interface in VPN ACL.

Try this way

MHM

Re: FPR1010 ASA v9.18(2) Management Access Inside question

TRENT WAITE — Tue, 17 Sep 2024 14:35:25 GMT

I was using the change to SNMP as an example of changes the ASAs have made. My real problem is I need to access the inside interface of the ASA to send a config to the tftp server, or to access it from the server to make a necessary change. The old solution when this situation occurred was due to the "management access inside" not being applied to the config. That is no longer the case, the fix for access to that inside interface of the ASA is what is eluding me.

Re: FPR1010 ASA v9.18(2) Management Access Inside question

MHM Cisco World — Tue, 17 Sep 2024 14:57:19 GMT

You can use flexconfig for add mgmt access inside if not work check bug below

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg50549?rfs=iqvred