Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens
Level 1

Hello,

we would like to access ASA1's management01 interface IP (192.168.4.1) from a host behind ASA4's interface GigabitEthernet0/1.1 via ASDM.
The flow is SRC: 10.10.10.5 DST: 192.168.4.1 Port: 443 & 22 (ASA4 > ASA3 > ASA2 > ASA1)

On ASA1 in the packet tracer I can see "no route to host" and in the log file "failed to locate egress interface".
We are able to access other hosts behind GigabitEthernet0/3 on ASA1 from hosts behind ASA4's interface GigabitEthernet0/1.1 just fine.

We have tried the following to make it work on ASA1:


specify "management-access management01"
configure the SRC host from ASA4 to be allowed to access ASA1 via ASDM & SSH:

http 10.10.10.5 255.255.255.255 transfer-vpn
ssh 10.10.10.5 255.255.255.255 transfer-vpn

create NAT exemption rule
nat (transfer-vpn, management01) 7 source static 10.10.10.5 10.10.10.5 destination static 192.168.4.1 192.168.4.1 no-proxy-arp

also tried the other way around:

nat (management01, transfer-vpn) 7 source static 192.168.4.1 192.168.4.1 destination static 10.10.10.5 10.10.10.5 no-proxy-arp

create NAT exemption rule with "lookup route table to locate egress interface" enabled

The ASA 5545s are running 9.12(4)54


Are we missing something here, or is this scenario not possible at all?

ASA1:
GigabitEthernet0/2
nameif transfer-vpn
security-level 10
ip address 194.1.1.1 255.255.255.240

GigabitEthernet0/3
nameif management01
security-level 100
ip address 192.168.4.1 255.255.255.0

<Transfer Network between ASA1 and ASA2>

ASA2:
GigabitEthernet0/2
nameif transfer-vpn
security-level 0
ip address 194.1.1.5 255.255.255.240

<VPN ASA2 to ASA3>

ASA3:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.1 255.255.255.240

<Transfer Network between ASA3 and ASA4>

ASA4:

GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.5 255.255.255.240

GigabitEthernet0/1.1
vlan 10
nameif hosts
security-level 66
ip address 10.10.10.1 255.255.255.0

The IPs are of course not the ones we really use.

 

Thank you

17 Replies

The ASA mgmt routing plane is separate from the data routing plane.

You need to make mgmt access via a data interface; this is done by the access-management command.

MHM

jensscheuvens
Level 1

Hi, 

thanks for your reply. 

"management-access management01" was already set before but it did not solve the problem.

Management-access <data interface through which you can access asa>

MHM

jensscheuvens
Level 1

Traffic is first hitting ASA1 via GigabitEthernet0/2 transfer-vpn, but I would like to access ASA1 via GigabitEthernet0/3 management01.

So the command should be "management-access transfer-vpn"?

Will this do any harm or break some traffic?

Yes, you need

management-access transfer-vpn

And is this command harmful? No, it is suggested by Cisco.

Read more about the command before applying it, to be more comfortable.

MHM

Hi, 

I have changed this to "management-access transfer-vpn" but it still does not work.

Packet tracer is still showing "no route to host" and in the logs I can see "failed to locate egress interface".

 

jensscheuvens
Level 1

Note the VPN traffic is terminating on ASA2 and not ASA1.

I have also tried the following:

On ASA1 there is a subinterface (which was not used) which I have configured with the "management only" command.

ASA1:
GigabitEthernet0/4.2
management-only
vlan 40
nameif test_log
security-level 90
ip address 10.3.50.254 255.255.255.0

If I now try to access 10.3.50.254 via ASDM via transfer-vpn, at least in the log I am not prompted with "failed to locate egress interface", but the traffic times out because it seems not to be forwarded to test_log:
Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout

interfaceX: this is the new subinterface you add in ASA1

ASA1(interfaceX)-ASA2-Tunnel IPSec S2S VPN-ASA3
If we connect to ASA3 and try to access ASA1 interfaceX,
you need to add interfaceX to the tunnel of ASA2.

Also we need management-access interfaceX (remove the management-only under the interfaceX).

Then we need to add
http <subnet> interfaceX

 

 

jensscheuvens
Level 1

It is actually not a new interface; it already existed on ASA1.
GigabitEthernet0/4.2 was already part of the VPN tunnel between ASA2 <> ASA3.

I have tried exactly this before with GigabitEthernet0/3 management01 (it is also part of the tunnel on both ends) on ASA1, but no luck:


"if we connect to ASA3 and try to access ASA1 interfaceX
you need to add interfaceX to Tunnel of ASA2

also we need management-access interfaceX (remove the management-only under the interfaceX)

then we need to add
http <subnet> interfaceX"


Or is there a difference because GigabitEthernet0/3 is a hardware interface and GigabitEthernet0/4.2 a subinterface?

There are two concepts here:
1- management-access

Below from the Cisco doc:

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and the AnyConnect SSL VPN client.

2- management-only
This is used to turn the data interface into a mgmt interface (i.e. add it to the mgmt plane).

MHM

jensscheuvens
Level 1

OK, thanks. If I understood correctly, then in our case option 1- management-access will not work since the VPN traffic is terminating on ASA2. But we would like to access another interface on ASA1 (GigabitEthernet0/3). So there should be no VPN traffic accessing ASA1 on GigabitEthernet0/2.

For option 2- management-only, I have tried that with a different inside interface on ASA1, GigabitEthernet0/4.2, but I am also not able to access the ASA via that.

Traffic seems not to be forwarded to GigabitEthernet0/4.2 but instead goes back directly via GigabitEthernet0/2.

 

 

show route
then
show route management-only

Check if the mgmt plane uses a different egress interface for the return traffic.
MHM

jensscheuvens
Level 1

Result of the command: "show route | inc 10.3.50.0"

The command has been sent to the device


######################################################################################


Result of the command: "show route management-only"


Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

C 10.3.50.0 255.255.255.0 is directly connected, test_log
L 10.3.50.254 255.255.255.255 is directly connected, test_log


The interface should be correct. Instead of passing from transfer-vpn to test_log, the logs show the traffic directly returned back to transfer-vpn:

Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout
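The two artefacts this thread keeps coming back to are a `show route` table and ASA "Teardown TCP connection" syslog lines, and the symptom is that the logged egress interface (transfer-vpn) is not the interface the routing table holds for the destination (test_log). The following script is an added example, not code from the thread or from Cisco: it parses both artefacts, resolves each teardown's destination against the routing table with a longest-prefix match, and reports connections whose logged egress disagrees with the routing table. The route table and log lines embedded below are constructed samples in the same shape as the output in the thread, using the thread's placeholder addresses; the connection ids and the second log line are invented.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the thread's `show route` output.
SAMPLE_ROUTES = """\
Routing Table: data
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set

C 192.168.4.0 255.255.255.0 is directly connected, management01
L 192.168.4.1 255.255.255.255 is directly connected, management01
C 194.1.1.0 255.255.255.240 is directly connected, transfer-vpn
L 194.1.1.1 255.255.255.255 is directly connected, transfer-vpn
C 10.3.50.0 255.255.255.0 is directly connected, test_log
L 10.3.50.254 255.255.255.255 is directly connected, test_log
S 10.10.10.0 255.255.255.0 [1/0] via 194.1.1.5, transfer-vpn
"""

# Constructed sample syslog bodies. Line 1 reproduces the hairpin from the
# thread (ingress and egress are both transfer-vpn although 10.3.50.254 lives
# on test_log); line 2 is a healthy connection to a host behind management01.
SAMPLE_LOG = """\
Teardown TCP connection 4711 for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 4712 for transfer-vpn:10.10.10.5/57231 to management01:192.168.4.20/443 duration 0:01:12 bytes 8421 TCP FINs
"""

# One route line: code(s), network, mask, "is directly connected" or
# "[ad/metric] via gw", then the interface name after the comma.
ROUTE_RE = re.compile(
    r"^\s*(?:[A-Za-z]{1,2}\*?\s+){1,2}(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?:is directly connected|\[\d+/\d+\] via [\d.]+),\s+(?P<iface>\S+)"
)

# ASA message 302014 body; the connection id is optional because the thread's
# pasted line omits it.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection(?: \d+)? for (?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    ingress: str
    logged_egress: str
    expected_egress: str
    reason: str


def parse_routes(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (network, interface) pairs; header and legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    return routes


def lookup_egress(routes, ip: str) -> Optional[str]:
    """Longest-prefix match: the interface the ASA should use for ip."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_teardowns(log_text: str, route_text: str) -> List[Finding]:
    """Flag teardowns whose logged egress differs from the routing table."""
    routes = parse_routes(route_text)
    findings = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        expected = lookup_egress(routes, m["dst"])
        if expected is not None and expected != m["out_if"]:
            findings.append(Finding(
                src=m["src"], dst=m["dst"], dport=int(m["dport"]),
                ingress=m["in_if"], logged_egress=m["out_if"],
                expected_egress=expected, reason=m["reason"] or "",
            ))
    return findings


if __name__ == "__main__":
    for f in audit_teardowns(SAMPLE_LOG, SAMPLE_ROUTES):
        print(f"{f.src} -> {f.dst}:{f.dport} logged egress {f.logged_egress}, "
              f"routing table says {f.expected_egress} ({f.reason})")
```

Run against a real `show route` (and `show route management-only`, since the thread shows the mgmt plane has its own table) and a syslog export, the output lists exactly the connections that the ASA hairpinned instead of forwarding to the interface the route points at, which is a quicker check than reading packet-tracer output per flow.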

To make it clear for both of us I made this topology;
please check it and write a note if there is
[attached image: Screenshot (689).png]
