VTI as Source Interface

Ed Melendez
Level 1

I have a 5506-x, v9.9, connecting to an AWS VPC with VTIs. Connectivity to AWS is fine, and all internal hosts can communicate with AWS resources.


The issue I'm having is that the ASA cannot communicate with AWS resources with the source interface set as "inside." AnyConnect is enabled on the ASA and needs to communicate with an LDAP resource in the VPC to authenticate users. I'm guessing this is because the ASA's interface in this case would need to be the VTI, but it is not an option.


Anyone know of a way to get this working? How can I get the ASA to communicate with resources on the VTI side?

4 Replies

Milos_Jovanovic
VIP Alumni

Hi @Ed Melendez,

Take a look at this old post. I just tried this, and it works on v9.14.

In your case, you should define the server with an address of the 'inside' zone, and your routing for that destination should point you to the VTI. Something like (in your case it should be the LDAP protocol, and LDAP-relevant config):

aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.20.0.20
key *****
!
route VTI 10.20.0.0 255.255.255.0 10.13.0.1 1
!

BR,

Milos

---------

Ed Melendez
Level 1

I already have the inside interface defined:

[screenshot: vti_as_source.png]

and the route is known via BGP.


What I find interesting is that I see "identity" as the interface according to the log:

[screenshot: vti_as_source2.png]

Anyone know why I may be seeing that, and not an actual interface?

And I was hoping to skip any versions 9.10 and up, as I'd like to keep FirePOWER active, but I will upgrade if I have to.

Thank you so much for your reply.

---------

Milos_Jovanovic
VIP Alumni

Hi @Ed Melendez,

Identity means that this traffic was originated from the ASA, instead of flowing through it. In the regular, most frequent flow, traffic enters on one interface (e.g. inside) and leaves on another (e.g. outside), in which case you would see both interfaces in the log. In this case, the ASA is the one sourcing the traffic (and there is no inbound interface), so it is presented as 'identity'.

Based on this log, I would assume that the IP address next to 'identity' is actually the IP address of your inside interface, and based on the other end ('aws_vti_t1'), it looks to me like it is doing exactly what you want. You can do a packet capture on the VTI interface to confirm that this traffic is indeed flowing this way.

You don't need to do an upgrade, as that post was from 2013, so it means it worked the same way a long time ago. You should consider an upgrade, though, as 9.9 has been announced EoL and no fixes are available for it anymore.

BR,

Milos
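To make the 'identity' explanation above concrete, here is an added example (not from the thread or from Cisco): a small Python parser for ASA 302013/302015 "Built connection" syslog lines that flags flows the ASA itself originates and reports which interface they leave on, so you can confirm from logs that AAA traffic really exits via the VTI. The log lines, addresses and interface names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Regex for ASA syslog 302013 (TCP) / 302015 (UDP) "Built ... connection" messages.
# Documented shape: Built {inbound|outbound} {TCP|UDP} connection <id>
#   for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[\w.-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) "
    r"to (?P<dst_if>[\w.-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_built(line: str) -> Optional[Dict[str, object]]:
    """Parse one ASA 'Built connection' line; return None for any other message."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    # 'identity' is the pseudo-interface the ASA reports for traffic it originates
    # or terminates itself; a transit flow shows two real interfaces instead.
    rec["self_originated"] = rec["src_if"] == "identity"
    rec["self_terminated"] = rec["dst_if"] == "identity"
    return rec


def box_sourced_egress(lines: List[str], server_ip: str, port: int) -> List[str]:
    """Egress interfaces used by ASA-originated connections to server_ip:port.

    Handy for checking that AAA (LDAP/RADIUS) traffic the ASA sources really
    leaves on the expected interface, e.g. the VTI, rather than 'outside'.
    """
    out: List[str] = []
    for line in lines:
        rec = parse_built(line)
        if (rec and rec["self_originated"] and rec["dst_ip"] == server_ip
                and int(str(rec["dst_port"])) == port and rec["dst_if"] not in out):
            out.append(str(rec["dst_if"]))
    return out


# Constructed sample log lines (not taken from the thread); all values are illustrative.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 101 for identity:10.13.0.2/49152 "
    "(10.13.0.2/49152) to aws_vti_t1:10.20.0.20/389 (10.20.0.20/389)",      # ASA -> LDAP via VTI
    "%ASA-6-302013: Built outbound TCP connection 102 for inside:10.13.0.50/51000 "
    "(10.13.0.50/51000) to aws_vti_t1:10.20.0.30/443 (10.20.0.30/443)",     # transit host flow
    "%ASA-6-302015: Built outbound UDP connection 103 for identity:10.13.0.2/53001 "
    "(10.13.0.2/53001) to outside:203.0.113.53/53 (203.0.113.53/53)",      # ASA -> DNS via outside
    "%ASA-6-302014: Teardown TCP connection 101 for identity:10.13.0.2/49152 "
    "to aws_vti_t1:10.20.0.20/389 duration 0:00:01 bytes 812 TCP FINs",    # not a Built line
]

if __name__ == "__main__":
    print(box_sourced_egress(SAMPLE_LOG, "10.20.0.20", 389))  # ['aws_vti_t1']
```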
