managing ASA using private interface across IPSec tunnel

tato386
Level 6

I am using a pair of ASA5515s running 9.5 to connect two sites using a L2L IPSec tunnel. The tunnel works fine for hosts on each of the two private subnets but the ASA units themselves cannot be reached or managed (ICMP, ASDM, etc) across the tunnel using a private IP on one side of the tunnel to the private network interface of the ASA on the other side of the tunnel.

I guess what is happening is that the ASA is using its "closest" interface which is the public interface to try to send packets to the remote private subnet but if this is the case how can I tell it to use its private interface and IP?

Thanks,
Diego

Accepted Solution

S-Lemming
Level 1

You need to specify management access to the inside interface. Just run the command in global config: management-access <interface name>

Hope this helps.


4 Replies


Cool, syslog across the tunnel is working now which is probably the most important thing I needed.  However ASDM and ICMP still don't go even though I specifically allow both of these on all interfaces.  Any ideas?

Thank you very much,

Diego

If you are trying to ping between the ASAs you need to specify the inside interface as source interface, otherwise it will use the closest interface which is the outside and the packet will not be encrypted.

On the ASA you want to reach through VPN, please set the ASDM access rule to allow the remote subnet on the inside interface (which you specified as the management interface above).

Let me know how it goes.

I believe I am allowing all subnets ICMP and ASDM using the following commands and also sourcing ping from inside interface. Is there something else I am missing?

! ICMP addressed to the ASA's own interfaces, accepted from any source
icmp permit any inf_Inside
icmp permit any inf_Outside
! ASDM/HTTPS access to the ASA, accepted from any source (0.0.0.0 0.0.0.0 = any)
http 0.0.0.0 0.0.0.0 inf_Inside
http 0.0.0.0 0.0.0.0 inf_Outside

Thanks,

Diego
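The configuration the thread converges on, written out as an added example for this answer (it is not taken from the original posts or from Cisco documentation). It reuses Diego's interface names inf_Inside and inf_Outside; the subnets 10.1.0.0/24 (local), 10.2.0.0/24 (remote), the admin host 10.2.0.50 and the ACL name L2L_ACL are constructed assumptions. It also shows Diego's blanket any-source lines next to a version that only admits the remote private subnet over the tunnel, since "http 0.0.0.0 0.0.0.0 inf_Outside" leaves ASDM reachable from the public side:

```cisco
! Added example, not from the original thread. Addresses and names are constructed.
! Local site:  inside subnet 10.1.0.0/24, this ASA's inside IP 10.1.0.1
! Remote site: inside subnet 10.2.0.0/24, admin/syslog host 10.2.0.50
!
! 1. The crypto (interesting-traffic) ACL must cover the ASA's own inside IP.
!    A whole-subnet entry already does, so replies sourced from 10.1.0.1 are encrypted.
access-list L2L_ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 2. Accepted answer: allow management of the inside interface for traffic that
!    arrives through a VPN terminating on a different interface.
management-access inf_Inside
!
! 3. Before (Diego's lines): management and ICMP open to any source on every interface.
! icmp permit any inf_Inside
! icmp permit any inf_Outside
! http 0.0.0.0 0.0.0.0 inf_Inside
! http 0.0.0.0 0.0.0.0 inf_Outside
!
! 4. After: only the local subnet and the remote subnet (reached via the tunnel)
!    may use ASDM or ping the ASA, and only on inf_Inside. Once any icmp rule is
!    configured there is an implicit deny, so echo to the outside is listed explicitly.
http server enable
http 10.1.0.0 255.255.255.0 inf_Inside
http 10.2.0.0 255.255.255.0 inf_Inside
icmp permit 10.1.0.0 255.255.255.0 inf_Inside
icmp permit 10.2.0.0 255.255.255.0 inf_Inside
icmp deny any echo inf_Outside
!
! 5. Syslog sourced from the inside interface so it is carried inside the tunnel.
logging enable
logging host inf_Inside 10.2.0.50
!
! 6. From the ASA CLI, name the inside interface as the ping source. An unsourced
!    ping uses the interface closest to the destination (outside) and is sent in clear.
! ping inf_Inside 10.2.0.50
```

To check that the sourced ping really takes the tunnel rather than the outside interface, run "show crypto ipsec sa" before and after the ping and confirm the #pkts encaps/decaps counters for the 10.1.0.0/24 <-> 10.2.0.0/24 SA increase; if they stay flat, the packets are leaving unencrypted and the crypto ACL or the ping source is wrong.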
