09-17-2024 06:31 AM
I know a couple of years back, and a couple of OS revisions back, there was a significant change to how one could access the ASA's inside interface via SNMP through a L2L tunnel. I have now encountered 2x FPR1010 (ASAs) with v9.18(2) where, through the VPN, I cannot access the ASA's inside interface (ping, SSH, etc.) in either direction. From the ASA I can ping a server, and traffic will not initiate the tunnel. From the server I can initiate the tunnel but there is no traffic.
I am not aware of what has actually changed, or what I can do for a workaround. The purpose is usually to access the ASA from within the tunnel, and to save configs to TFTP (within the tunnel) as well as remote monitoring (until the SNMP change).
Anyone else encountering similar, and was there a solution you found?
09-17-2024 06:35 AM
@TRENT WAITE from ASA 9.14 for SNMP polling over a site-to-site VPN, you had to include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.
In ASA 9.18 you can use a loopback interface for SNMP, so perhaps route that loopback network over the VPN. https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
09-17-2024 06:51 AM
I am not aware of loopbacks being created on the ASA platform. I cannot create interfaces, only use what is available. Can the management port be used in this situation, i.e. provide that port with a new IP/subnet and add it to the tunnel config & ACLs?
09-17-2024 07:00 AM
@TRENT WAITE the easiest thing to do would be to include the outside IP address in the crypto ACL.
Perhaps you could connect the ASA mgmt interface to a VLAN on the local switch and route that network over the VPN (include that network in the crypto ACL).
09-17-2024 07:24 AM
Use outside as the source interface to connect for SNMP, and then include the host IP of the outside interface in the VPN ACL.
Try this way
MHM
09-17-2024 07:35 AM
I was using the change to SNMP as an example of changes the ASAs have made. My real problem is I need to access the inside interface of the ASA to send a config to the TFTP server, or to access it from the server to make a necessary change. The old solution when this situation occurred was that "management-access inside" had not been applied to the config. That is no longer the case; the fix for access to that inside interface of the ASA is what is eluding me.
09-17-2024 07:57 AM
You can use FlexConfig to add "management-access inside"; if that does not work, check the bug below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg50549?rfs=iqvred
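A small audit for the two settings the replies above point at (the outside interface address as a host entry in the crypto ACL, and "management-access inside"), as an added example that is not from this thread or from Cisco. The embedded running-config is constructed with hypothetical addresses and names, and the parser assumes the ASA layout where `nameif` precedes `ip address` inside each interface block.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample ASA running-config (hypothetical addresses and names) showing the
# outside interface as a host entry in the crypto ACL plus "management-access inside".
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.248
access-list L2L_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_ACL extended permit ip host 203.0.113.2 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_ACL
management-access inside
"""

def interface_addresses(config: str) -> dict:
    """Map each nameif to its IP (assumes nameif precedes ip address in the block)."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif (m := re.match(r"\s+nameif (\S+)", line)):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) \S+", line)) and nameif:
            addrs[nameif] = m.group(1)
    return addrs

def crypto_acl_sources(config: str) -> list:
    """Source networks (CIDR) of every permit ACE in any ACL a crypto map matches on."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    sources = []
    for acl in acls:
        ace = rf"^access-list {re.escape(acl)} extended permit ip (host \S+|\S+ \S+) "
        for src in re.findall(ace, config, re.M):
            if src.startswith("host "):
                sources.append(src.split()[1] + "/32")
            else:
                net, mask = src.split()
                sources.append(str(ip_network(f"{net}/{mask}", strict=False)))
    return sources

def audit(config: str) -> dict:
    # Three conditions the thread boils down to; inside IP is covered via its subnet
    addrs, sources = interface_addresses(config), crypto_acl_sources(config)
    ok = lambda ip: any(ip_address(ip) in ip_network(n) for n in sources)
    return {
        "management_access_inside": re.search(r"^management-access inside\s*$", config, re.M) is not None,
        "inside_ip_in_crypto_acl": "inside" in addrs and ok(addrs["inside"]),
        "outside_ip_in_crypto_acl": "outside" in addrs and ok(addrs["outside"]),
    }
```

Running `audit()` over the output of `show running-config` pulled from a box tells you which of the three conditions is missing before you start chasing the bug.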