
ASA: Unable to use the outside-IF as management-IF through an S2S-tunnel

swscco001
Level 3

Hello everybody,

our customer is running an ASA5516 with release 9.16(3)19.

Because of a bug, Cisco recommended changing the management-IF from the
inside-IF to the outside-IF for our management software.

I adapted the S2S-tunnel on both sides and added the outside IP
address to the encrypted networks.

I also set the:
same-security-traffic permit intra-interface

We get no ICMP and SNMP response from the outside-IF of the remote ASA.

I tried to change the management-IF from the inside-IF to the outside-IF
using ASDM (see screendump), but got the error message:
"Management interface cannot be the lowest security interface"

Could it be that we need a special nat command here?:
nat(outside,outside) ...

Attached you find the configuration.

How can I solve the issue?

Every hint or sample configuration is welcome!
Thanks a lot!
R.

4 Replies

Well, the error message you are getting explains it quite well. You need to increase the security-level of the outside interface if you intend to administer it over the site-to-site VPN, not to mention that you are also missing a no-NAT statement for outside to outside.

That being said, what is the original issue you were facing, for which TAC said you needed to use the outside interface for administration?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

thanks for your reply!

We had to upgrade the ASA OS for security reasons, and thereafter the
SNMPv2 requests were no longer answered on this OS. We made no
configuration change.

The workaround from TAC was to replace the inside-IF with the outside-IF
for monitoring.

Can you tell me what the no-NAT statement should look like in this case?

Thanks a lot!


Bye
Rene

The NAT would look like the following; replace the source and destination objects as needed.

nat (outside,outside) source static RU-VO_VPN_10.20.120.0_24 RU-VO_VPN_10.20.120.0_24 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
--
Please remember to select a correct answer and rate helpful posts
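To make the identity-NAT suggestion above concrete, here is an added ASA configuration fragment that is not part of the original thread or its attached configuration. It shows how the pieces discussed so far fit together on the ASA that terminates the tunnel: the intra-interface permit from the first post, the no-NAT (identity NAT) line from the reply above, and the outside address inside the encryption domain. The object names, the outside address 203.0.113.1, the crypto ACL name VPN_TO_REMOTE and the management station 10.20.120.10 are assumptions chosen for illustration; only the 10.20.120.0/24 network is taken from the NAT line in the reply.

```text
! --- Assumed addressing (illustration only, not the customer's values) ---
! outside interface of this ASA:                203.0.113.1
! management network behind the remote ASA:    10.20.120.0/24
object network MGMT_NET_10.20.120.0_24
 subnet 10.20.120.0 255.255.255.0
object network ASA_OUTSIDE_IP
 host 203.0.113.1

! 1. Traffic that enters on outside (decrypted from the tunnel) and is
!    answered on outside is a hairpin; it is dropped unless intra-interface
!    traffic is permitted.
same-security-traffic permit intra-interface

! 2. Identity NAT (the "no-NAT" statement) so the VPN flow keeps its real
!    addresses and is not caught by any other nat (outside,...) rule.
!    route-lookup makes the ASA pick the egress interface from the routing
!    table instead of the NAT rule.
nat (outside,outside) source static MGMT_NET_10.20.120.0_24 MGMT_NET_10.20.120.0_24 destination static ASA_OUTSIDE_IP ASA_OUTSIDE_IP no-proxy-arp route-lookup

! 3. The outside address itself must be in the crypto ACL on BOTH sides
!    (mirror image on the remote ASA). Assumed ACL name; it is the one
!    referenced by "crypto map <name> <seq> match address VPN_TO_REMOTE".
access-list VPN_TO_REMOTE extended permit ip object ASA_OUTSIDE_IP object MGMT_NET_10.20.120.0_24

! 4. Allow the management protocols to the outside interface from the
!    management network (SNMP community string left as a placeholder).
icmp permit 10.20.120.0 255.255.255.0 outside
snmp-server host outside 10.20.120.10 community <string> version 2c
ssh 10.20.120.0 255.255.255.0 outside
```

After applying the fragment, `show nat detail` should show hit counts on the identity rule, and `show crypto ipsec sa peer <remote>` should show the encaps/decaps counters for the SA that covers 203.0.113.1 <-> 10.20.120.0/24 increasing while the monitoring station polls. Note that the fragment deliberately contains no `management-access outside` line: as the first post reports, the ASA refuses to make the lowest-security interface the management-access interface, so that error is not resolved by NAT alone.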

Do you have an L3SW connected to the ASA?
If yes, can you configure a management interface
and connect this interface to the L3SW, routed from there to the inside of the ASA?
Then simply add the management subnet to the ACL of the S2S.
