02-06-2024 04:19 AM
Hello,
we would like to access ASA1's management01 interface IP (192.168.4.1) from a host behind ASA4's interface GigabitEthernet0/1.1 via ASDM.
The flow is SRC: 10.10.10.5 DST: 192.168.4.1 Port: 443 & 22 (ASA4 > ASA3 > ASA2 > ASA1).
On ASA1 in the packet tracer I can see "no route to host" and in the log file "failed to locate egress interface".
We are able to access other hosts behind GigabitEthernet0/3 on ASA1 from hosts behind ASA4's interface GigabitEthernet0/1.1 just fine.
We have tried the following to make it work on ASA1:
specify "management-access management01"
configure the SRC host from ASA4 to be allowed to access ASA1 via ASDM & SSH:
http 10.10.10.5 255.255.255.255 transfer-vpn
ssh 10.10.10.5 255.255.255.255 transfer-vpn
create a NAT exemption rule
nat (transfer-vpn, management01) 7 source static 10.10.10.5 10.10.10.5 destination static 192.168.4.1 192.168.4.1 no-proxy-arp
also tried the other way around:
nat (management01, transfer-vpn) 7 source static 192.168.4.1 192.168.4.1 destination static 10.10.10.5 10.10.10.5 no-proxy-arp
create a NAT exemption rule with "lookup route table to locate egress interface" enabled
The ASAs (5545) are running 9.12(4)54.
Are we missing something here, or is this scenario not even possible?
ASA1:
GigabitEthernet0/2
nameif transfer-vpn
security-level 10
ip address 194.1.1.1 255.255.255.240
GigabitEthernet0/3
nameif management01
security-level 100
ip address 192.168.4.1 255.255.255.0
<Transfer Network between ASA1 and ASA2>
ASA2:
GigabitEthernet0/2
nameif transfer-vpn
security-level 0
ip address 194.1.1.5 255.255.255.240
<VPN ASA2 to ASA3>
ASA3:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.1 255.255.255.240
<Transfer Network between ASA3 and ASA4>
ASA4:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.5 255.255.255.240
GigabitEthernet0/1.1
vlan 10
nameif hosts
security-level 66
ip address 10.10.10.1 255.255.255.0
The IPs are of course not the real ones we use.
Thank you
02-07-2024 05:08 AM
The ASA mgmt routing plane is separate from the data routing plane.
You need to make mgmt access via a data interface; this is done by the management-access command.
MHM
02-07-2024 07:30 AM
Hi,
thanks for your reply.
"management-access management01" was already set before, but it did not solve the problem.
02-07-2024 07:38 AM
management-access <data interface through which you can access the ASA>
MHM
02-07-2024 07:54 AM
Traffic is first hitting ASA1 via GigabitEthernet0/2 transfer-vpn, but I would like to access ASA1 via GigabitEthernet0/3 management01.
So the command should be "management-access transfer-vpn"?
Will this do any harm or break some traffic?
02-07-2024 07:56 AM
Yes, you need
management-access transfer-vpn
And is this command harmful? NO, it is suggested by Cisco.
Read more about the command before applying it to be more comfortable.
MHM
02-07-2024 11:19 PM
Hi,
I have changed this to "management-access transfer-vpn", but it still does not work.
Packet tracer is still showing "no route to host", and in the logs I can see "failed to locate egress interface".
02-08-2024 02:15 AM
Note the VPN traffic is terminating on ASA2 and not ASA1.
I have also tried the following:
On ASA1 there is a subinterface (which was not used) which I have configured with the "management-only" command.
ASA1:
GigabitEthernet0/4.2
management-only
vlan 40
nameif test_log
security-level 90
ip address 10.3.50.254 255.255.255.0
If I now try to access 10.3.50.254 via ASDM via transfer-vpn, at least in the log I am not prompted with "failed to locate egress interface", but the traffic times out because it seems not to be forwarded to test_log:
Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout
02-08-2024 02:29 AM
interfaceX: this is the new subinterface you added in ASA1
ASA1(interfaceX)-ASA2-Tunnel IPsec S2S VPN-ASA3
If we connect to ASA3 and try to access ASA1 interfaceX,
you need to add interfaceX to the tunnel of ASA2.
Also we need management-access interfaceX (remove the management-only under interfaceX).
Then we need to add
http <subnet> interfaceX
02-08-2024 04:45 AM
It is actually not a new interface; it already existed on ASA1.
GigabitEthernet0/4.2 was already part of the VPN tunnel between ASA2 <> ASA3.
I have tried exactly this before with GigabitEthernet0/3 management01 (it is also part of the tunnel on both ends) on ASA1, but no luck:
"if we connect to ASA3 and try to access ASA1 interfaceX
you need to add interfaceX to Tunnel of ASA2
also we need managment-access interfaceX (remove the management-only under the interfaceX)
then we need to add
http <subnet> interfaceX"
Or is there a difference because GigabitEthernet0/3 is a hardware interface and GigabitEthernet0/4.2 a subinterface?
02-08-2024 10:05 PM - edited 02-08-2024 10:05 PM
There are two concepts here.
1- management-access
Below is from the Cisco doc:
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and the AnyConnect SSL VPN client.
2- management-only
This is used to turn a data interface into a mgmt interface (i.e. add it to the mgmt plane).
MHM
02-08-2024 11:39 PM
OK, thanks. If I understood correctly, then in our case option 1 (management-access) will not work, since VPN traffic is terminating on ASA2. But we would like to access another interface on ASA1 (GigabitEthernet0/3). So there should be no VPN traffic reaching ASA1 on GigabitEthernet0/2.
For option 2 (management-only) I have tried that with a different inside interface on ASA1, GigabitEthernet0/4.2, but I am also not able to access the ASA via that.
Traffic seems not to be forwarded to GigabitEthernet0/4.2 but instead goes back directly via GigabitEthernet0/2.
02-09-2024 12:09 AM - edited 02-09-2024 12:09 AM
show route
then
show route management-only
Check if the mgmt plane uses a different egress interface for the return traffic.
MHM
02-09-2024 12:29 AM
Result of the command: "show route | inc 10.3.50.0"
The command has been sent to the device
######################################################################################
Result of the command: "show route management-only"
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 10.3.50.0 255.255.255.0 is directly connected, test_log
L 10.3.50.254 255.255.255.255 is directly connected, test_log
The interface should be correct. Instead of passing from transfer-vpn to test_log, the logs show the traffic returned directly back to transfer-vpn:
Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout
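To triage this symptom across a whole syslog export rather than one line at a time, here is a small parser (added example, not from the thread or from Cisco) that flags two patterns discussed above: a SYN Timeout teardown whose ingress and egress interface are the same, and a "failed to locate egress interface" message. The sample lines are constructed from the thread; the exact layout of the ASA-6-110002 message is an assumption.

```python
import re
from typing import Optional

# Constructed sample lines: the SYN Timeout teardown quoted in the thread, an
# assumed layout of the "failed to locate egress interface" syslog (ASA-6-110002),
# and a healthy connection that did reach management01, for contrast.
SAMPLE_LOG = """\
Teardown TCP connection for transfer-vpn:10.10.10.5/57230 to transfer-vpn:10.3.50.254/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-110002: Failed to locate egress interface for TCP from transfer-vpn:10.10.10.5/57231 to 192.168.4.1/443
Teardown TCP connection 4711 for transfer-vpn:10.10.10.5/57232 to management01:192.168.4.20/443 duration 0:00:12 bytes 2048 TCP FINs
"""

# ASA-6-302014 teardown: the connection id is optional because the thread's line omits it.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?:\d+ )?for "
    r"(?P<in_if>[\w.-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[\w.-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
NO_EGRESS_RE = re.compile(
    r"Failed to locate egress interface for \w+ from "
    r"(?P<in_if>[\w.-]+):(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+"
)


def classify(line: str) -> Optional[dict]:
    """Return a finding for a management-flow symptom, or None for an uninteresting line."""
    m = NO_EGRESS_RE.search(line)
    if m:
        return {"kind": "no_egress", "in_if": m["in_if"], "src": m["src"], "dst": m["dst"],
                "hint": "no egress interface found; compare 'show route' with 'show route management-only'"}
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    # Same ingress and egress name, zero bytes and a SYN Timeout: the SYN was sent
    # back out the interface it arrived on and never reached the target interface.
    if m["in_if"] == m["out_if"] and int(m["bytes"]) == 0 and m["reason"] == "SYN Timeout":
        return {"kind": "hairpin", "in_if": m["in_if"], "src": m["src"], "dst": m["dst"],
                "hint": "egress resolved to the ingress interface; check which route table the flow used"}
    return None


def triage(log: str) -> list:
    """Classify every line of a syslog export and keep only the findings, in log order."""
    return [f for f in (classify(line) for line in log.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```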
02-09-2024 01:28 AM - edited 02-09-2024 01:30 AM
To make it clear for both, I made this topology.
Please check it and write a note if there is