ASA management over IPsec VPN

attilafejes
Level 1

Hi There!

Has anyone configured a dedicated management IPsec tunnel for ASA management when the ASAs are in Active / Standby mode?

For a standalone device it is working fine as per the documentation, by applying the management-access inside command etc...

However, if I use a failover pair, the tunnel is built up only on the primary ASA; the secondary device shows it as a "Standby" tunnel.

I am able to ping / SSH to the primary ASA's inside interface, but not to the secondary one. The secondary actually receives the traffic, however it is doing a route lookup and sending it towards the "outside", where the tunnel is actually in "Standby".

My goal would be that both devices are reachable from the management systems over the VPN, so they can be health-checked / SNMP-polled / SSH'd etc..., like if they were managed over a physical interface.

Thanks!

Accepted Solution

Josue Brenes
Cisco Employee

Hi,

You are right. The traffic will get to the standby unit and will try to be routed over the outside.
In order to fix this, you need to NAT the remote traffic to the inside interface of the primary ASA, so the traffic will be returned over the inside network.

Remote site: 192.168.2.0/24
Inside network of the ASAs: 192.168.1.0/24
Inside interface IP address of the standby ASA: 192.168.1.2

object network Remote_site
 subnet 192.168.2.0 255.255.255.0
object network standby_ASA
 host 192.168.1.2

nat (outside,inside) source dynamic Remote_site interface destination static standby_ASA standby_ASA

management-access inside
ssh 192.168.2.0 255.255.255.0 inside

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.


Thanks for the reply Josue! I need to check it in my lab. I will test it soon and get back to you with the results.

Regards, Attila

Thanks Josue,

But what will happen when the secondary (standby) firewall initiates traffic to a TACACS server for authentication, which is hosted over the VPN tunnel?

The solution you have provided will only work in one direction, from the remote site to the secondary firewall.

I heard of a new feature in version 9.5, "Separate routing table for management-only interfaces". Can we apply this concept here?

If yes, please explain.

Regards,
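As an added illustration (not part of the thread, and not ASA code), the following Python model traces the two flows discussed above: the manager-to-standby flow that the accepted answer's twice NAT repairs, and the standby-initiated TACACS request raised in the last reply, which the model shows is still dropped because the standby's own route lookup for 192.168.2.0/24 points at its outside interface, where its tunnel is in standby state. The active unit's inside IP 192.168.1.1, the management host 192.168.2.50 and the TACACS server 192.168.2.10 are constructed values; the /24s and the standby IP 192.168.1.2 come from the thread.

```python
"""Return-path model for managing an ASA failover pair over a site-to-site VPN.

Constructed model, not ASA code: both units share one routing table, only the
active unit terminates the tunnel, and the accepted answer's twice NAT is
applied on the active unit. Each trace follows a request and its reply hop by
hop and returns whether the conversation completes.
"""
import ipaddress

REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")   # management site (from the thread)
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # ASA inside network (from the thread)
ACTIVE_INSIDE = ipaddress.ip_address("192.168.1.1")   # assumed inside IP held by the active unit
STANDBY_INSIDE = ipaddress.ip_address("192.168.1.2")  # standby inside IP (from the thread)
MANAGER = ipaddress.ip_address("192.168.2.50")        # constructed management host
TACACS = ipaddress.ip_address("192.168.2.10")         # constructed AAA server behind the VPN

# Identical on both units of a failover pair; VPN-protected traffic leaves via outside.
ROUTES = [(INSIDE_NET, "inside"), (REMOTE_NET, "outside")]


def egress(dst):
    """Longest-prefix route lookup; unmatched destinations take the default route."""
    for net, ifc in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if dst in net:
            return ifc
    return "outside"


def trace_manager_to_standby(nat_on_active):
    """Manager behind the VPN -> standby inside IP, then the reply. Returns (ok, log)."""
    log = []
    src, dst = MANAGER, STANDBY_INSIDE
    log.append(f"active: {src} -> {dst} decrypted from the tunnel on outside")
    xlate = None
    if nat_on_active:
        # Models: nat (outside,inside) source dynamic Remote_site interface
        #                                  destination static standby_ASA standby_ASA
        xlate = (src, ACTIVE_INSIDE)
        src = ACTIVE_INSIDE
        log.append(f"active: source translated {xlate[0]} -> {src} (inside interface IP)")
    log.append(f"active: route lookup {dst} -> {egress(dst)}, forwarded to the standby")

    # The standby answers the to-the-box packet using its own routing table.
    reply_dst = src
    ifc = egress(reply_dst)
    log.append(f"standby: reply {STANDBY_INSIDE} -> {reply_dst}, route lookup -> {ifc}")
    if ifc == "outside":
        log.append("standby: tunnel is in STANDBY state on this unit, reply dropped")
        return False, log

    # Reply lands on the active unit's inside interface; the xlate restores the manager IP.
    if xlate is not None and reply_dst == xlate[1]:
        reply_dst = xlate[0]
        log.append(f"active: destination untranslated -> {reply_dst}")
    log.append(f"active: route lookup {reply_dst} -> {egress(reply_dst)}, tunnel UP, delivered")
    return True, log


def trace_standby_to_tacacs(nat_on_active):
    """Standby-originated AAA request to a server behind the VPN. Returns (ok, log)."""
    log = []
    ifc = egress(TACACS)
    log.append(f"standby: {STANDBY_INSIDE} -> {TACACS}, route lookup -> {ifc}")
    if ifc == "outside":
        # The NAT rule sits on the active unit and is never consulted for this flow.
        log.append("standby: tunnel is in STANDBY state on this unit, request dropped"
                   + (" (active unit's NAT does not help)" if nat_on_active else ""))
        return False, log
    log.append("standby: request forwarded on inside")
    return True, log


if __name__ == "__main__":
    for label, fn in [("manager -> standby", trace_manager_to_standby),
                      ("standby -> TACACS", trace_standby_to_tacacs)]:
        for nat in (False, True):
            ok, log = fn(nat)
            print(f"\n[{label}] NAT on active: {nat} -> {'OK' if ok else 'FAILS'}")
            print("\n".join("  " + line for line in log))
```

Running the script prints the four traces. The manager-to-standby flow fails without the NAT and succeeds with it, because the standby's reply is now addressed to 192.168.1.1 and stays on the inside segment until the active unit untranslates it and encrypts it. The standby-to-TACACS flow fails either way: the decision that kills it is the standby's own route lookup, which the active unit's NAT table never sees.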
