cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2559
Views
0
Helpful
6
Replies

ASA 5515 ASDM Access from remote network

davidsonyo
Level 1
Level 1

Hey everyone,

 

Today I was asked to TSHOOT an issue with one of our customer's ASA.

 

Issue:

The local IT staff wants to access the HQ ASA via ASDM from a site to site VPN remote end location. (10.0.2.0 /24 subnet)

to the local ASA inside LAN interface 10.0.0.1

But the website dose not show up.

 

It's the error massage what we get:

 

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

 

First thing I checked was:

http 10.0.2.0 255.255.255.0 outside
To permit http access from the remote subnet

 

The reverse path:

ip verify reverse-path interface outside

 

Also the tunnel ACL both end was fine. Everyone can access everyone.

 

Also checked the inbound outside ACL for deny:

access-list outside_access_in_1 line 29 extended permit ip host 10.0.2.71 host 10.0.0.1

 

Anyone is familiar with the issue ?

 

Any help is appreciated!

 

Thanks,

 

Dave.

 


 

 

 

 

 

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

 

The first thing that comes to mind is that you might be missing one command

 

management-access <local interface nameif>

 

Since the remote management connection is coming through a VPN connection and the connection is also coming through the external interface of the ASA towards another interface IP address the above command is required to accomplish this as by default ASA does not allow any traffic to pass through one interface to another interface on the ASA. The same problem can be seen for example when you try to ping another ASA interface IP address from behind another interface.

 

So check if you have any "management-access" configurations on the ASA. This can be enabled on one interface only to my understanding but I have not checked if there has been any changes to it.

 

I also don't quite remember if the "http" command for this type of remote connections needed the "outside" or "inside" interface in the commands end. I guess you can safely check this when you try to test the management connection from the remote site.

 

I am not sure what causes the Spoof log message. I guess it might be related to the reverse check but I am not sure why it would be since the ASA should see this subnet originating from behind the correct interface for any traffic to work through the VPN.

 

In a tight spot you could always allow SSH/HTTPS (asdm) directly to the public IP address of the ASA.

 

Hope this helps :)

 

- Jouni

Hello Jouni!

 

I just checked on the ASA and I have this enabled:

management-access local

 

Should I enable this for outside also ?

Like this:

management-access outside

 

and If I do this command it wont overwrite the already existing one right ?

 

Thanks!

 

Dave.

 

http 10.0.2.0 255.255.255.0 outside

This command means that you would like HTTP access to your ASA from subnet 10.0.2.0 255.255.255.0. "outside" means that your connection will be coming from the outside interface.

Is this accurate?

Please send the output of the commands "sh run http" and "show ip"

Hello Marc,

The reason it was added because the network 10.0.2.0 255.255.255.0 is coming from a site to site VPN tunnel which means the incoming interface is the outside interface.

 

The inside interface is 10.0.0.1.

 

The 10.0.2.0 network is not used for inside local at all on at the remote site's lan from the VPN.

 

So yes its accurate.

I think it's why we see this massage when we try to access the ASA via ASDM:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

 

 

Hi,

 

So you said that you have this command

 

management-access local

 

Does "local" in this case refer to the interface that has the IP address 10.0.0.1?

 

The interface "nameif" mentioned in the "management-access" command should be the one to which they are trying to connect to.

 

As I said before, you could always enable them to connect through the Internet to the public facing IP address. But there should be nothing that prevents accomplishing it through the L2L VPN.

 

I am still wondering what is generating that Spoof message.

 

- Jouni

Hello Jouni,

Yes, we have this command on the router:

management-access inside

And yes. The local inside LAN interface IP address is: 10.0.0.1

 

The 10.0.2.71 IP is the address of the PC from the site to site VPN's end inside the lan.

Than each time we try to access the website of the ASA to use ASDM on the address 10.0.0.1 we get this and we can not access it:

2 Jul 23 2015 11:43:02 106016 Deny IP spoof from (10.0.2.71) to 10.0.0.1 on interface outside

 

 

Thanks!

 

 

Dave.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: