ASA 5506 Management access from vpn with BVI

sandman42
Level 1

Hi,

 

I'm setting up an ASA 5506, and I'd like to use its ports the way the ASA 5505 does, so I use the BVI1 interface.

I've set up a VPN from my site to the site where the ASA is located.

It works: I can access the remote devices, but when I try to access the firewall itself, either via SSH or via ASDM, I cannot reach it.

Here's the config (relevant part):

 

ASA Version 9.8(2)
!
hostname MyFw
enable password XXXXXXX
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address LOCAL_PUBLIC_IP 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network RemoteNetwork
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
 service-object udp destination eq ntp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 object RemoteNetwork
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object RemoteNetwork
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object RemoteNetwork
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_2,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_3,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_4,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_5,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_6,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_7,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 REMOTE_PUBLIC_IP_GW 1
[...]
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 192.168.2.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_2
http 192.168.2.0 255.255.255.0 inside_4
http 192.168.2.0 255.255.255.0 inside_3
http 192.168.2.0 255.255.255.0 inside_5
http 192.168.2.0 255.255.255.0 inside_6
http 192.168.2.0 255.255.255.0 inside_7
[...]
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.2.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.0 inside_2
ssh 192.168.2.0 255.255.255.0 inside_2
ssh 192.168.1.0 255.255.255.0 inside_3
ssh 192.168.2.0 255.255.255.0 inside_3
ssh 192.168.1.0 255.255.255.0 inside_4
ssh 192.168.2.0 255.255.255.0 inside_4
ssh 192.168.1.0 255.255.255.0 inside_5
ssh 192.168.2.0 255.255.255.0 inside_5
ssh 192.168.1.0 255.255.255.0 inside_6
ssh 192.168.2.0 255.255.255.0 inside_6
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.2.0 255.255.255.0 inside_7
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
[...]
group-policy GroupPolicy_REMOTE_PUBLIC_IP internal
group-policy GroupPolicy_REMOTE_PUBLIC_IP attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username remoteuser password ZZZZZZZZZZZZZZZ pbkdf2 privilege 15
tunnel-group REMOTE_PUBLIC_IP type ipsec-l2l
tunnel-group REMOTE_PUBLIC_IP general-attributes
 default-group-policy GroupPolicy_REMOTE_PUBLIC_IP
tunnel-group REMOTE_PUBLIC_IP ipsec-attributes
 ikev1 pre-shared-key YYYYYYYYYYYYYYY

What's wrong?

Can you help me please?

 

Thanks
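A small lint over the posted configuration, as an added example that is not part of the original post and not Cisco code. It parses the interface blocks, collects the "http"/"ssh" allow lines, and reports the points a reviewer would look at first: whether "management-access" names a BVI, whether any http/ssh allow line names that same nameif (in the posted config none does; they all name the bridge-group members), and two hardening details visible in the config, "ssh key-exchange group dh-group1-sha1" and "console timeout 0". SAMPLE_CONFIG is a constructed excerpt modelled on the config above, with 203.0.113.10 as a documentation-range placeholder for the public address; the function names are mine.

```python
"""Lint an ASA running-config excerpt for the management-access pitfalls in
this thread.  Added example, not Cisco code.  SAMPLE_CONFIG is a constructed
excerpt modelled on the posted config (203.0.113.0/24 is a placeholder)."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.2.0 255.255.255.0 inside_1
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_interfaces(config):
    """Map each nameif to {'name', 'nameif', 'bridge_group'} from the interface blocks."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = {"name": m.group(1), "nameif": None, "bridge_group": None}
            continue
        if cur is None:
            continue
        s = line.strip()
        if s == "!":                      # end of the interface block
            if cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            cur = None
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("bridge-group "):
            cur["bridge_group"] = int(s.split()[1])
    return ifaces


def parse_mgmt_acls(config):
    """Collect 'http|ssh <net> <mask> <nameif>' lines as svc -> nameif -> [net/mask]."""
    acls = defaultdict(lambda: defaultdict(list))
    pat = re.compile(rf"^(http|ssh) ({IP}) ({IP}) (\S+)$")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            svc, net, mask, nameif = m.groups()
            acls[svc][nameif].append(f"{net}/{mask}")
    return acls


def lint(config):
    """Return a list of human-readable findings for the excerpt."""
    findings = []
    ifaces = parse_interfaces(config)
    acls = parse_mgmt_acls(config)

    m = re.search(r"^management-access (\S+)$", config, re.M)
    if not m:
        findings.append("no management-access line: required to reach the ASA on "
                        "an interface other than the one the VPN terminates on")
    else:
        mgmt_if = m.group(1)
        iface = ifaces.get(mgmt_if)
        phys = iface["name"] if iface else "unknown interface"
        for svc in ("http", "ssh"):          # does any allow line name the mgmt nameif?
            if mgmt_if not in acls[svc]:
                findings.append(f"{svc}: no allow line on management-access "
                                f"interface '{mgmt_if}' ({phys})")

    members = sorted({n for svc in ("http", "ssh") for n in acls[svc]
                      if n in ifaces and ifaces[n]["bridge_group"] is not None})
    if members:
        findings.append("http/ssh allow lines sit on bridge-group member "
                        f"interfaces {members}, not on the BVI nameif")

    if re.search(r"^ssh key-exchange group dh-group1-sha1$", config, re.M):
        findings.append("ssh key-exchange uses dh-group1-sha1 (768-bit MODP); "
                        "prefer dh-group14-sha1 or stronger")
    if re.search(r"^console timeout 0$", config, re.M):
        findings.append("console timeout 0: console sessions never time out")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("-", f)
```

Run it as a script to print the findings; feed it the real "show running-config" text to check a live box. The check that matters for this thread is the first pair of findings: management-access points at the BVI nameif "inside", but every http/ssh allow line names a member interface, so no allow line applies to the interface the ASA expects the management session to arrive on.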

7 Replies

Hi,
So you want to manage the ASA remotely, connecting to the INSIDE interface over the VPN tunnel using SSH/ASDM? You would need to use "management-access INSIDE" to permit this. Info here.

 

EDIT: to reflect correct interface.

 

HTH

Are you sure?

 

I have a working VPN from my office to the location of the ASA 5506. From my office I can access all devices on the LAN behind the ASA 5506's inside interface(s), i.e. the 5506's BVI1.

 

Usually, on the 5505, to access them remotely via VPN (not directly on their public IP) I set up management-access INSIDE. With the 5506, do I have to set it to OUTSIDE? Usually I did this to access them from the public IP, not from their private one.

 

 

Yes, you are completely correct, my mistake: "management-access inside", which you already have defined. Can you run packet-tracer and upload the output, please?

Hi,

 

from my office to remote:

 

officefw# packet-tracer input inside tcp 192.168.59 12345 192.168.1.254 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.254/22 to 192.168.1.254/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any4 eq ssh 
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.59/12345 to 192.168.1.59/12345

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:       
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
              
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 4109083, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

from remote to my office:

 

remotefw# packet-tracer input inside_1 tcp 192.168.1.254 22 192.168.2.59 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop REMOTE_PUBLIC_IP_GW using egress ifc  outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork  RemoteNetwork  no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/12345 to 192.168.2.1/12345

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I've used my client (.59) with 12345 as the source port and 22 as the destination. If I have to run it in a different way, just tell me.

 

Thanks
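A parser for the packet-tracer output format posted above, as an added example that is not part of the original post and not Cisco code. It splits a trace into its numbered phases, keeps the multi-line "Config" and "Additional Information" fields intact, and reports the first phase whose Result is DROP together with the "Drop-reason" from the trailing "Result:" block, which is what you want to see at a glance when a trace is pasted into a thread. SAMPLE_TRACE is a constructed trace modelled on the remote-to-office trace above, with 203.0.113.1 as a documentation-range placeholder for the next-hop; the function names are mine.

```python
"""Parse Cisco ASA packet-tracer output into phases and a final verdict.
Added example, not Cisco code.  SAMPLE_TRACE is a constructed trace modelled
on the 'remote to office' trace in this thread (203.0.113.1 is a placeholder)."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELDS = ("Type", "Subtype", "Result", "Config", "Additional Information")
MULTILINE = ("Config", "Additional Information")   # fields that continue on following lines


def parse_trace(text):
    """Return (phases, summary): phases is a list of dicts keyed by FIELDS plus
    'phase'; summary holds the key/value lines of the trailing 'Result:' block."""
    phases, summary = [], {}
    cur, field = None, None
    for line in text.splitlines():
        m = re.match(r"^Phase: (\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), **{f: "" for f in FIELDS}}
            phases.append(cur)
            field = None
            continue
        if line == "Result:":            # a bare 'Result:' opens the summary block
            cur, field = None, None
            continue
        head, sep, rest = line.partition(":")
        if cur is not None:
            if sep and head in FIELDS:   # 'Type: NAT', 'Result: ALLOW', 'Config:' ...
                field = head
                cur[field] = rest.strip()
            elif field in MULTILINE and line.strip():
                cur[field] = (cur[field] + "\n" + line).strip()
        elif sep:                        # 'input-interface: inside_1', 'Action: drop' ...
            summary[head.strip()] = rest.strip()
    return phases, summary


def verdict(text):
    """Summarise a trace: final action, drop reason and the first phase that dropped."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p["Result"] == "DROP"), None)
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "dropping_phase": drop["phase"] if drop else None,
        "dropping_type": drop["Type"] if drop else None,
        "dropping_config": drop["Config"] if drop else None,
        "egress": summary.get("output-interface"),
        "phases": len(phases),
    }


if __name__ == "__main__":
    for k, v in verdict(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run it as a script to print the verdict for the sample; parse_trace takes any packet-tracer output, and the longer 14-phase office-to-remote trace above parses the same way (every phase ALLOW, Action allow). For the sample, the dropping phase is 4 (ACCESS-LIST, Config "Implicit Rule") with reason "(acl-drop) Flow is denied by configured rule".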

 

 

Has anybody some ideas about my problem?

 

Thanks

 

You are probably running into the limitation of managing the ASA via VPN through a BVI interface. This is still an open enhancement:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307

 

Issue stems from the fact that you cannot issue "http x.x.x.x x.x.x.x inside" when inside is a BVI interface. 

Hi, everyone.

Is there a solution or upgrade to this bug/issue?

 

Thanks!

Regards K.Kirchev