ASDM/SSH access through IPsec with NAT?

Eric Snijders, Level 1

Hi all,

I think I have a simple question but can't find a solution for it yet.
Consider the following topology:

[topology diagram: AnyConnect clients on ASA1, site-to-site IPsec tunnel ASA1 to ASA2, LAN behind ASA2]

We have an IPsec tunnel between ASA1 and ASA2. The traffic through the tunnel is the AnyConnect subnet (192.168.10.0/24) and the LAN behind ASA2 (192.168.254.0/24).

Now I want to manage ASA2 only through the VPN tunnel. So I tried making a static NAT entry on ASA2, but when I run packet-tracer it's getting dropped with: No valid adjacency


This is the NAT entry I tried on ASA2:

nat (OUTSIDE,OUTSIDE) source static AnyConnect_Subnet AnyConnect_Subnet destination static ASA_NAT_IP ASA_WAN_IP unidirectional no-proxy-arp

So, what I wanted to do was send the traffic from AnyConnect on ASA1 through the tunnel as if it were destined for the 192.168.254.0/24 subnet behind ASA2. But on ASA2, if the destination was 192.168.254.254 it would be NAT'ed to the public IP on ASA2 so I could manage it with ASDM/SSH. This is not working.


What would be the best practice for this? In this case it's a firewall in Azure, and I need to disable public ASDM/SSH access while still being able to manage it from our own AnyConnect entry.

2 Replies

Sheraz.Salim, VIP Alumni

I think what you are trying to achieve is not possible.


Ideally, you could connect to your ASA2 in the tunnel between ASA1 and ASA2 from ASA1, connected as an AnyConnect client. Prior to this you need to define a standard access list giving your ASA2 IP address. Also, another point: you have a site-to-site VPN between the two boxes and you applied an identity NAT on both boxes. You cannot distinguish by saying "if the destination is 192.168.254.254, use the public IP".


If you want to access the ASA2 from public IP addresses, you can create ssh version 2 and define the public IP addresses you want the ASA2 to answer.


ssh version 2
! 8.8.8.8 is a sample source address: only this host may open SSH on the outside interface
ssh 8.8.8.8 255.255.255.255 outside
!
username admin password cisco priv 15
aaa authentication ssh console LOCAL


Please do not forget to rate.

Hi Sheraz,


I couldn't get it to work to manage it on the outside interface only through the VPN tunnel. I did get it working with the same NAT rule but on one of the inside interfaces with "management-access <INSIDE_INTERFACE>".


Thanks for your help!
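Putting the approach from the replies together as one ASA2 configuration, with the open setting shown next to the restricted one. This is an added example, not the poster's actual configuration; interface names (INSIDE/OUTSIDE), object names, the 192.168.254.254 inside address of ASA2 and the ASA1-side lines are assumptions.

```cisco
! ===== ASA2 (Azure) =====
! Before: any Internet host may attempt SSH/ASDM on the WAN interface
!   ssh  0.0.0.0 0.0.0.0 OUTSIDE
!   http 0.0.0.0 0.0.0.0 OUTSIDE
!
! After: management answered only on the inside interface address,
! which is reachable through the existing site-to-site tunnel.
object network AnyConnect_Subnet
 subnet 192.168.10.0 255.255.255.0
object network LAN_ASA2
 subnet 192.168.254.0 255.255.255.0
!
! Interesting traffic for the L2L tunnel (assumed to exist already); it covers
! 192.168.254.254, the assumed inside address of ASA2, because it is in the LAN subnet
access-list L2L_TO_ASA1 extended permit ip object LAN_ASA2 object AnyConnect_Subnet
!
! Identity NAT so tunnel traffic keeps its real addresses (the page says this is in place)
nat (INSIDE,OUTSIDE) source static LAN_ASA2 LAN_ASA2 destination static AnyConnect_Subnet AnyConnect_Subnet no-proxy-arp route-lookup
!
! Lets a session that enters on OUTSIDE via VPN terminate on the INSIDE interface address
management-access INSIDE
!
ssh version 2
no ssh 0.0.0.0 0.0.0.0 OUTSIDE
no http 0.0.0.0 0.0.0.0 OUTSIDE
ssh 192.168.10.0 255.255.255.0 INSIDE
http server enable
http 192.168.10.0 255.255.255.0 INSIDE
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username admin password <STRONG_PASSWORD_PLACEHOLDER> privilege 15
!
! ===== ASA1 (AnyConnect head-end) =====
! Split-tunnel ACL so AnyConnect clients send 192.168.254.0/24 into the VPN
access-list ANYCONNECT_SPLIT standard permit 192.168.254.0 255.255.255.0
! AnyConnect traffic arrives and leaves on OUTSIDE, so hairpinning must be allowed
same-security-traffic permit intra-interface
! Identity NAT for AnyConnect -> ASA2 LAN across the same interface
nat (OUTSIDE,OUTSIDE) source static AnyConnect_Subnet AnyConnect_Subnet destination static LAN_ASA2 LAN_ASA2 no-proxy-arp route-lookup
```

On ASA2, `packet-tracer input OUTSIDE tcp 192.168.10.5 40000 192.168.254.254 22` should now show the flow allowed with decrypt and management-access phases instead of the "No valid adjacency" drop from the original NAT attempt.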
