ASA 5515 ASDM Access from remote network

davidsonyo
Level 1

Hey everyone,

Today I was asked to TSHOOT an issue with one of our customer's ASA.

Issue:

The local IT staff wants to access the HQ ASA via ASDM from a site-to-site VPN remote end location (10.0.2.0/24 subnet)
to the local ASA inside LAN interface 10.0.0.1.

But the website does not show up.

This is the error message that we get:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

First thing I checked was:

http 10.0.2.0 255.255.255.0 outside
To permit http access from the remote subnet

The reverse path:

ip verify reverse-path interface outside

Also the tunnel ACL on both ends was fine. Everyone can access everyone.

Also checked the inbound outside ACL for a deny:

access-list outside_access_in_1 line 29 extended permit ip host 10.0.2.71 host 10.0.0.1

Is anyone familiar with the issue?

Any help is appreciated!

Thanks,

Dave.

6 Replies

Jouni Forss
VIP Alumni

Hi,

The first thing that comes to mind is that you might be missing one command:

management-access <local interface nameif>

Since the remote management connection is coming through a VPN connection and the connection is also coming through the external interface of the ASA towards another interface IP address, the above command is required to accomplish this, as by default the ASA does not allow any traffic to pass through one interface to another interface on the ASA. The same problem can be seen, for example, when you try to ping another ASA interface IP address from behind another interface.

So check if you have any "management-access" configurations on the ASA. This can be enabled on one interface only to my understanding, but I have not checked if there have been any changes to it.

I also don't quite remember if the "http" command for this type of remote connection needed the "outside" or "inside" interface at the command's end. I guess you can safely check this when you try to test the management connection from the remote site.

I am not sure what causes the Spoof log message. I guess it might be related to the reverse check, but I am not sure why it would be, since the ASA should see this subnet originating from behind the correct interface for any traffic to work through the VPN.

In a tight spot you could always allow SSH/HTTPS (ASDM) directly to the public IP address of the ASA.

Hope this helps :)

- Jouni
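As an added example (not part of this thread, and not Cisco's code), the checks the two posters walk through by hand can be run against a saved `show running-config` excerpt: does an `http` statement admit the remote subnet on the interface the VPN terminates on, does `management-access` name the interface whose IP the remote admins are browsing to, and is unicast RPF active on that ingress interface. The config text below is constructed for the example, the interface names and addresses are assumptions, and the script only reports what it finds; it does not claim which item is the cause of the 106016 message.

```python
"""Lint an ASA running-config excerpt for the ASDM-over-L2L-VPN prerequisites
discussed in the thread. Example code, not Cisco's; SAMPLE_CONFIG is constructed."""
import ipaddress
import re

# Constructed sample: mirrors the thread (http on outside, RPF on outside,
# management-access pointing at a nameif other than the target interface).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ip verify reverse-path interface outside
http server enable
http 10.0.2.0 255.255.255.0 outside
management-access local
"""


def parse_interfaces(config):
    """Map each nameif to its IPv4 address by walking the 'interface' stanzas."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                       # new stanza, nameif not seen yet
            continue
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and nameif:
            interfaces[nameif] = m.group(1)
    return interfaces


def http_allows(config, client_ip, ingress_nameif):
    """True if an 'http <net> <mask> <nameif>' line covers client_ip on ingress_nameif."""
    for m in re.finditer(r"^http (\S+) (\S+) (\S+)$", config, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if ipaddress.ip_address(client_ip) in net and m.group(3) == ingress_nameif:
            return True
    return False


def management_access_iface(config):
    """Return the nameif given to 'management-access', or None if absent."""
    m = re.search(r"^management-access (\S+)$", config, re.M)
    return m.group(1) if m else None


def rpf_enabled(config, nameif):
    """True if 'ip verify reverse-path' is configured on the given interface."""
    pattern = rf"^ip verify reverse-path interface {re.escape(nameif)}$"
    return re.search(pattern, config, re.M) is not None


def check_asdm_over_vpn(config, client_ip, target_ip, ingress_nameif="outside"):
    """Return a list of findings for an ASDM client at client_ip (arriving via
    ingress_nameif over the VPN) trying to reach the interface owning target_ip."""
    findings = []
    interfaces = parse_interfaces(config)
    target_nameif = next((n for n, ip in interfaces.items() if ip == target_ip), None)
    if target_nameif is None:
        findings.append(f"{target_ip} is not an interface address in this config")
        return findings
    if not http_allows(config, client_ip, ingress_nameif):
        findings.append(f"no http statement admits {client_ip} on {ingress_nameif}")
    ma = management_access_iface(config)
    if ma != target_nameif:
        findings.append(f"management-access is {ma!r} but ASDM target {target_ip} "
                        f"lives on {target_nameif!r}")
    if rpf_enabled(config, ingress_nameif):
        findings.append(f"ip verify reverse-path is active on {ingress_nameif}; "
                        f"confirm the ASA routes {client_ip}'s subnet via the VPN "
                        f"so the anti-spoofing check accepts it")
    return findings


if __name__ == "__main__":
    for finding in check_asdm_over_vpn(SAMPLE_CONFIG, "10.0.2.71", "10.0.0.1"):
        print("-", finding)
```

Run it against the output of `show running-config` pasted into `SAMPLE_CONFIG` (or read from a file); the remote PC address, the ASDM target address and the VPN ingress interface are the three inputs the thread gives. The RPF line is reported as something to confirm rather than as an error, because, as the reply above notes, a correctly routed VPN subnet should pass that check.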

Hello Jouni!

I just checked on the ASA and I have this enabled:

management-access local

Should I enable this for outside also?

Like this:

management-access outside

And if I do this command, it won't overwrite the already existing one, right?

Thanks!

Dave.

http 10.0.2.0 255.255.255.0 outside

This command means that you would like HTTP access to your ASA from subnet 10.0.2.0 255.255.255.0. "outside" means that your connection will be coming from the outside interface.

Is this accurate?

Please send the output of the commands "sh run http" and "show ip".

Hello Marc,

The reason it was added is because the network 10.0.2.0 255.255.255.0 is coming from a site-to-site VPN tunnel, which means the incoming interface is the outside interface.

The inside interface is 10.0.0.1.

The 10.0.2.0 network is not used for inside local at all; it is at the remote site's LAN from the VPN.

So yes, it's accurate.

I think it's why we see this message when we try to access the ASA via ASDM:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

Hi,

So you said that you have this command:

management-access local

Does "local" in this case refer to the interface that has the IP address 10.0.0.1?

The interface "nameif" mentioned in the "management-access" command should be the one to which they are trying to connect.

As I said before, you could always enable them to connect through the Internet to the public-facing IP address. But there should be nothing that prevents accomplishing it through the L2L VPN.

I am still wondering what is generating that Spoof message.

- Jouni

Hello Jouni,

Yes, we have this command on the router:

management-access inside

And yes, the local inside LAN interface IP address is 10.0.0.1.

The 10.0.2.71 IP is the address of the PC inside the LAN at the site-to-site VPN's end.

Then each time we try to access the website of the ASA to use ASDM on the address 10.0.0.1 we get this and we cannot access it:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

Thanks!

Dave.
