topic How to access asacx over L2L VPN in Network Security

How to access asacx over L2L VPN

natec — Tue, 12 Mar 2019 04:53:01 GMT

I am trying to access the asacx module installed on a remote ASA 5525 over a L2L VPN tunnel. When attempting to access the asacx module I see the following in the ASA logs: The IP address of the asacx module is 192.168.148.3. The IP address of the management interface on the ASA is 192.168.148.2.

<172>%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:192.168.50.112/58002 dst management:192.168.148.3/443

Is there anyway to get around it this? Is there a possible way to route back to the management network through the router on the other side?

I think if I could delete the connected route for the 192.168.148.0 network I could just route through the inside interface and then back to the management. How do you all access your asacx's remotely?

Thank you in advance for any help that you can provide.

Hi,This is expected as the

Vibhor Amrodia — Thu, 09 Oct 2014 02:01:52 GMT

Hi,

This is expected as the management interface will never allow any through traffic. You would have to route this traffic through a different interface and probably the Inside interface of the ASA device.

Put a static route to the inside interface for the CX management IP and that should resolve this issue for you.

Check this Doc for more information[Scenario 4]:-

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html

Thanks and Regards,

Vibhor Amrodia

Vibhor's answer is the

Marvin Rhoads — Thu, 09 Oct 2014 03:44:17 GMT

Vibhor's answer is the correct approach. I have used it successfully myself.

Thank you Vibhor and Marvin

natec — Thu, 09 Oct 2014 21:17:42 GMT

Thank you Vibhor and Marvin,

For completeness I will also add that if you have an IP address on the management interface of the ASA you will have to take it off or it will show a connected route which will be weighted lower than the static. Once I put the static in and took the IP address off of the management interface I was able to access the asacx module.

You don't need to remove the

Marvin Rhoads — Thu, 09 Oct 2014 22:11:07 GMT

You don't need to remove the ASA management IP as the connected routes on that interface are only the /32 of the ASA management address itself and the subnet to which it belongs, be it a /24 or whatever.

Your static route for the CX management should be a /32 route for that address. Thus the longest prefix match will choose that static route despite it belonging to the same subnet as the ASA management interface.