ASA inside interface not able to reach across IPsec tunnel

Ali Razavi · ‎10-28-2013

Hey everyone,

I have an active tunnel between an ASA and a router. Both inside networks are able to communicate just fine across the tunnel. However, I'm running into a problem where the inside interface on the ASA itself is not able to reach the inside network on the opposing side. This is causing a problem now because I have setup radius configuration on the ASA but it has to reach across the tunnel to the radius server on the other side for authentication. In fact Is there a mechanism in the ASA that causes this by default?

Thanks,

Ali

Marvin Rhoads · ‎10-28-2013

Yes that can be an issue since the ASA uses its routing table to tell it how to get to the remote network. Since the route is via the outside interface, the ASA will try to use that address and never encapsulate the packets in IPsec.

jumora · ‎10-28-2013

The ASA has an option that is for management access, the command is "management-access" but it is not for authentication, for that you will need to add the interface where the crypto map is applied to the remote IP address of the server and add the aaa-server command with that same interface. If for example you have the tunnel applied to the outside interface of the ASA, this would be the interface (IP address) that you would need to use for the interesting traffic and for the aaa-server command.

Value our effort and rate the assistance!

Ali Razavi · ‎10-29-2013

Thanks guys! Actually the following config solved it:

management-access Inside

And I was able to immediately reach the inside interface from the remote LAN, as well as the ASA reaching across the tunnel for authentication through the remote radius server.

Marvin Rhoads · ‎10-29-2013

Thanks for reminding us the usefulness of that command in this context! +5

jumora · ‎10-31-2013

Please update the ticket as resolved or answered so we can close out followup.

Value our effort and rate the assistance!