10-28-2013 03:04 PM - edited 03-11-2019 07:57 PM
Hey everyone,
I have an active tunnel between an ASA and a router. Both inside networks are able to communicate just fine across the tunnel. However, I'm running into a problem where the inside interface on the ASA itself is not able to reach the inside network on the opposing side. This is causing a problem now because I have set up RADIUS configuration on the ASA, but it has to reach across the tunnel to the RADIUS server on the other side for authentication. In fact, is there a mechanism in the ASA that causes this by default?
Thanks,
Ali
10-28-2013 04:38 PM
Yes that can be an issue since the ASA uses its routing table to tell it how to get to the remote network. Since the route is via the outside interface, the ASA will try to use that address and never encapsulate the packets in IPsec.
10-28-2013 06:28 PM
The ASA has an option that is for management access; the command is "management-access", but it is not for authentication. For that you will need to add the interface where the crypto map is applied, to the remote IP address of the server, as interesting traffic, and add the aaa-server command with that same interface. If, for example, you have the tunnel applied to the outside interface of the ASA, this would be the interface (IP address) that you would need to use for the interesting traffic and for the aaa-server command.
10-29-2013 09:03 AM
Thanks guys! Actually the following config solved it:
management-access Inside
And I was able to immediately reach the inside interface from the remote LAN, as well as the ASA reaching across the tunnel for authentication through the remote radius server.
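The two approaches discussed in this thread, written out as an added ASA configuration example (this is not the poster's configuration; the addresses, interface names, object names and the RADIUS key are assumptions made up for illustration). Option A is the management-access approach that resolved the thread; option B is the alternative of sourcing the RADIUS traffic from the interface that carries the crypto map.

```cisco
! Assumed topology (constructed for this example):
!   ASA inside interface  192.168.1.1/24, nameif "inside"
!   ASA outside interface 203.0.113.2,    nameif "outside", crypto map applied here
!   Remote LAN behind the router 192.168.2.0/24, RADIUS server at 192.168.2.10
!
! Existing LAN-to-LAN crypto ACL (assumed already present and working).
! 192.168.1.1 falls inside 192.168.1.0/24, so traffic the ASA sources
! from its inside address toward the remote LAN is already "interesting".
access-list L2L_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! ---- Option A: the fix from this thread ----
! Lets the ASA originate traffic to the far side of the tunnel from its
! inside interface address, and lets the remote LAN reach the inside
! address over the VPN. The name must match the nameif exactly, and only
! one interface can be designated this way.
management-access inside

! Point the AAA server group at the *inside* interface so the RADIUS
! request is sourced from 192.168.1.1 and matches the crypto ACL.
aaa-server RADIUS_GRP protocol radius
aaa-server RADIUS_GRP (inside) host 192.168.2.10
 key RadiusSharedSecret
 authentication-port 1812
 accounting-port 1813

! ---- Option B: source from the crypto-map interface instead ----
! No management-access needed, but the crypto ACL (and the router's mirror
! ACL) must explicitly include the outside address to the RADIUS host.
! access-list L2L_VPN extended permit ip host 203.0.113.2 host 192.168.2.10
! aaa-server RADIUS_GRP (outside) host 192.168.2.10
!  key RadiusSharedSecret

! ---- Verification ----
! Forces a real RADIUS exchange from the ASA; expect "Authentication:
! Successful" and a new SA (or increased encaps/decaps counters).
! test aaa-server authentication RADIUS_GRP host 192.168.2.10 username testuser password testpass
! show crypto ipsec sa peer <router-public-ip>
```

With option B the router side must mirror the new host-to-host entry (permit ip host 192.168.2.10 host 203.0.113.2) or the return traffic will not be encrypted. With either option, if the tunnel carries NAT exemption for the LAN-to-LAN traffic, confirm the ASA-sourced RADIUS packets are not being translated by checking the source address the server sees in its RADIUS logs.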
10-29-2013 09:06 AM
Thanks for reminding us of the usefulness of that command in this context! +5
10-31-2013 10:50 AM
Please update the ticket as resolved or answered so we can close out followup.