topic cannot access asdm over L2L VPN in Network Security

cannot access asdm over L2L VPN

ahmed.gadi — Fri, 21 Feb 2020 15:40:17 GMT

We have L2L VPN between 2 sites working without any issue, except we are not able to access ssh/asdm of remote ASA (DR) from local LAN of local ASA (HQ).

We have followed this cisco document

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html#anc7

we have

1. route-lookup for No-NAT subnets (local and remote ASA)

2. management-access inside ( remote ASA)

3. SSH/HTTP allowed on inside interface (remote ASA)

4. SSH/HTTP allowed on outside interface (remote ASA)

5. Routing is okay

6. We can see packet leaves local ASA and hits remote ASA (ASDM monitoring).

Your input is highly appreciated and look forward for positive response.

Thanks & Regards

Ahmed...

Re: cannot access asdm over L2L VPN

Marius Gunnerud — Thu, 26 Apr 2018 07:40:39 GMT

Have you included the ASA inside interface that you are trying to connect to in the crypto ACL? Would help if you posted the full running configuration for both sides of the tunnel. Remember to remove any public IPs, usernames, passwords, and hostname of the devices.

Re: cannot access asdm over L2L VPN

ahmed.gadi — Thu, 26 Apr 2018 07:49:39 GMT

Yes included, I will post the desired config soon

Thank You

Re: cannot access asdm over L2L VPN

Florin Barhala — Thu, 26 Apr 2018 08:46:09 GMT

Interesting one; can you ping it at least?
I would run :capture type asp-drop match ip host ...".

I would also double check NAT config on both sides.

Re: cannot access asdm over L2L VPN

ahmed.gadi — Thu, 26 Apr 2018 09:09:06 GMT

Please check attached desired config

Re: cannot access asdm over L2L VPN

ahmed.gadi — Thu, 26 Apr 2018 09:10:36 GMT

Ping is blocked in whole path (Cisco ASA, CheckPoint Firewall and Perimeter router).

I have not done this capture type asp-drop match ip host ...".

Re: cannot access asdm over L2L VPN

Marius Gunnerud — Thu, 26 Apr 2018 09:26:49 GMT

This is just partial configuration please provide a full configuration of the two ASAs (remember to remove public IPs, usernames, passwords)

Or at least provide us with all Crypto configuration, NAT configuration, routing configuration, and information on which IP you are trying to access the ASA from.

Re: cannot access asdm over L2L VPN

Florin Barhala — Thu, 26 Apr 2018 19:04:19 GMT

Config is good - still capture asp-drop can tell you if something "unexpected" takes place.
You can also run a capture based on an ACL place on the inside interface and see how 'what you can see'

Re: cannot access asdm over L2L VPN

Marius Gunnerud — Thu, 26 Apr 2018 19:39:36 GMT

Is this by any chance an ASA5506 configured with BVI?

Re: cannot access asdm over L2L VPN

ahmed.gadi — Fri, 27 Apr 2018 18:32:21 GMT

After capturing packets and packet tracer, i found that the traffic was hitting different natting which did not have route lookup command, so after rectifying natting, asdm was accessible.

thanks for your input.

Re: cannot access asdm over L2L VPN

Marius Gunnerud — Sat, 28 Apr 2018 07:44:41 GMT

This is why I keep asking for the full running configuration of the ASA as there might be some configuration that people think is not relevant but it actually is.

Glad you found the solution though