topic Hello Marc,The reason it was in Network Security

ASA 5515 ASDM Access from remote network

davidsonyo — Tue, 12 Mar 2019 06:19:19 GMT

Hey everyone,

Today I was asked to TSHOOT an issue with one of our customer's ASA.

Issue:

The local IT staff wants to access the HQ ASA via ASDM from a site to site VPN remote end location. (10.0.2.0 /24 subnet)

to the local ASA inside LAN interface 10.0.0.1

But the website dose not show up.

It's the error massage what we get:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

First thing I checked was:

http 10.0.2.0 255.255.255.0 outside
To permit http access from the remote subnet

The reverse path:

ip verify reverse-path interface outside

Also the tunnel ACL both end was fine. Everyone can access everyone.

Also checked the inbound outside ACL for deny:

access-list outside_access_in_1 line 29 extended permit ip host 10.0.2.71 host 10.0.0.1

Anyone is familiar with the issue ?

Any help is appreciated!

Thanks,

Dave.

Hi, The first thing that

Jouni Forss — Thu, 23 Jul 2015 12:52:53 GMT

Hi,

The first thing that comes to mind is that you might be missing one command

management-access <local interface nameif>

Since the remote management connection is coming through a VPN connection and the connection is also coming through the external interface of the ASA towards another interface IP address the above command is required to accomplish this as by default ASA does not allow any traffic to pass through one interface to another interface on the ASA. The same problem can be seen for example when you try to ping another ASA interface IP address from behind another interface.

So check if you have any "management-access" configurations on the ASA. This can be enabled on one interface only to my understanding but I have not checked if there has been any changes to it.

I also don't quite remember if the "http" command for this type of remote connections needed the "outside" or "inside" interface in the commands end. I guess you can safely check this when you try to test the management connection from the remote site.

I am not sure what causes the Spoof log message. I guess it might be related to the reverse check but I am not sure why it would be since the ASA should see this subnet originating from behind the correct interface for any traffic to work through the VPN.

In a tight spot you could always allow SSH/HTTPS (asdm) directly to the public IP address of the ASA.

Hope this helps 🙂

- Jouni

Hello Jouni! I just checked

davidsonyo — Thu, 23 Jul 2015 13:57:07 GMT

Hello Jouni!

I just checked on the ASA and I have this enabled:

management-access local

Should I enable this for outside also ?

Like this:

management-access outside

and If I do this command it wont overwrite the already existing one right ?

Thanks!

Dave.

http 10.0.2.0 255.255.255.0

Marc Magloire — Thu, 23 Jul 2015 15:31:01 GMT

http 10.0.2.0 255.255.255.0 outside

This command means that you would like HTTP access to your ASA from subnet 10.0.2.0 255.255.255.0. "outside" means that your connection will be coming from the outside interface.

Is this accurate?

Please send the output of the commands "sh run http" and "show ip"

Hello Marc,The reason it was

davidsonyo — Thu, 23 Jul 2015 21:15:10 GMT

Hello Marc,

The reason it was added because the network 10.0.2.0 255.255.255.0 is coming from a site to site VPN tunnel which means the incoming interface is the outside interface.

The inside interface is 10.0.0.1.

The 10.0.2.0 network is not used for inside local at all on at the remote site's lan from the VPN.

So yes its accurate.

I think it's why we see this massage when we try to access the ASA via ASDM:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

Hi, So you said that you have

Jouni Forss — Fri, 24 Jul 2015 06:27:40 GMT

Hi,

So you said that you have this command

management-access local

Does "local" in this case refer to the interface that has the IP address 10.0.0.1?

The interface "nameif" mentioned in the "management-access" command should be the one to which they are trying to connect to.

As I said before, you could always enable them to connect through the Internet to the public facing IP address. But there should be nothing that prevents accomplishing it through the L2L VPN.

I am still wondering what is generating that Spoof message.

- Jouni

Hello Jouni,Yes, we have this

davidsonyo — Fri, 24 Jul 2015 10:30:53 GMT

Hello Jouni,

Yes, we have this command on the router:

management-access inside

And yes. The local inside LAN interface IP address is: 10.0.0.1

The 10.0.2.71 IP is the address of the PC from the site to site VPN's end inside the lan.

Than each time we try to access the website of the ASA to use ASDM on the address 10.0.0.1 we get this and we can not access it:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

Thanks!

Dave.