Re: cannot access asdm over L2L VPN

ahmed.gadi · ‎04-26-2018

We have L2L VPN between 2 sites working without any issue, except we are not able to access ssh/asdm of remote ASA (DR) from local LAN of local ASA (HQ).

We have followed this cisco document

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html#anc7

we have

1. route-lookup for No-NAT subnets (local and remote ASA)

2. management-access inside ( remote ASA)

3. SSH/HTTP allowed on inside interface (remote ASA)

4. SSH/HTTP allowed on outside interface (remote ASA)

5. Routing is okay

6. We can see packet leaves local ASA and hits remote ASA (ASDM monitoring).

Your input is highly appreciated and look forward for positive response.

Thanks & Regards

Ahmed...

Marius Gunnerud · ‎04-26-2018

Have you included the ASA inside interface that you are trying to connect to in the crypto ACL? Would help if you posted the full running configuration for both sides of the tunnel. Remember to remove any public IPs, usernames, passwords, and hostname of the devices.

--
Please remember to select a correct answer and rate helpful posts

ahmed.gadi · ‎04-26-2018

Yes included, I will post the desired config soon

Thank You

Florin Barhala · ‎04-26-2018

Interesting one; can you ping it at least?
I would run :capture type asp-drop match ip host ...".

I would also double check NAT config on both sides.

ahmed.gadi · ‎04-26-2018

Please check attached desired config

Marius Gunnerud · ‎04-26-2018

This is just partial configuration please provide a full configuration of the two ASAs (remember to remove public IPs, usernames, passwords)

Or at least provide us with all Crypto configuration, NAT configuration, routing configuration, and information on which IP you are trying to access the ASA from.

--
Please remember to select a correct answer and rate helpful posts

ahmed.gadi · ‎04-26-2018

Ping is blocked in whole path (Cisco ASA, CheckPoint Firewall and Perimeter router).

I have not done this capture type asp-drop match ip host ...".

Florin Barhala · ‎04-26-2018

Config is good - still capture asp-drop can tell you if something "unexpected" takes place.
You can also run a capture based on an ACL place on the inside interface and see how 'what you can see'

ahmed.gadi · ‎04-27-2018

After capturing packets and packet tracer, i found that the traffic was hitting different natting which did not have route lookup command, so after rectifying natting, asdm was accessible.

thanks for your input.

Marius Gunnerud · ‎04-28-2018

This is why I keep asking for the full running configuration of the ASA as there might be some configuration that people think is not relevant but it actually is.

Glad you found the solution though

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎04-26-2018

Is this by any chance an ASA5506 configured with BVI?

--
Please remember to select a correct answer and rate helpful posts