10-17-2018 02:49 AM
Hi,
I'm setting up an ASA 5506, and I'd like to use its ports like the ASA5505, so I use the BVI1 interface.
I've set up a VPN from my site to the site where the ASA is located.
It works, I can access remote devices, but when I try to access the firewall itself either via SSH or via ASDM I cannot access it.
Here's the config (relevant part):
ASA Version 9.8(2)
!
hostname MyFw
enable password XXXXXXX
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address LOCAL_PUBLIC_IP 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network RemoteNetwork
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
 service-object udp destination eq ntp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 object RemoteNetwork
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object RemoteNetwork
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object RemoteNetwork
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_2,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_3,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_4,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_5,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_6,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
nat (inside_7,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 REMOTE_PUBLIC_IP_GW 1
[...]
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 192.168.2.0 255.255.255.0 inside_1
http 192.168.2.0 255.255.255.0 inside_2
http 192.168.2.0 255.255.255.0 inside_4
http 192.168.2.0 255.255.255.0 inside_3
http 192.168.2.0 255.255.255.0 inside_5
http 192.168.2.0 255.255.255.0 inside_6
http 192.168.2.0 255.255.255.0 inside_7
[...]
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.2.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.0 inside_2
ssh 192.168.2.0 255.255.255.0 inside_2
ssh 192.168.1.0 255.255.255.0 inside_3
ssh 192.168.2.0 255.255.255.0 inside_3
ssh 192.168.1.0 255.255.255.0 inside_4
ssh 192.168.2.0 255.255.255.0 inside_4
ssh 192.168.1.0 255.255.255.0 inside_5
ssh 192.168.2.0 255.255.255.0 inside_5
ssh 192.168.1.0 255.255.255.0 inside_6
ssh 192.168.2.0 255.255.255.0 inside_6
ssh 192.168.1.0 255.255.255.0 inside_7
ssh 192.168.2.0 255.255.255.0 inside_7
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
[...]
group-policy GroupPolicy_REMOTE_PUBLIC_IP internal
group-policy GroupPolicy_REMOTE_PUBLIC_IP attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username remoteuser password ZZZZZZZZZZZZZZZ pbkdf2 privilege 15
tunnel-group REMOTE_PUBLIC_IP type ipsec-l2l
tunnel-group REMOTE_PUBLIC_IP general-attributes
 default-group-policy GroupPolicy_REMOTE_PUBLIC_IP
tunnel-group REMOTE_PUBLIC_IP ipsec-attributes
 ikev1 pre-shared-key YYYYYYYYYYYYYYY
What's wrong?
Can you help me please?
Thanks
10-17-2018 02:54 AM - edited 10-17-2018 06:39 AM
Hi,
So you want to manage the ASA remotely, connecting to the INSIDE interface over the VPN tunnel using SSH/ASDM? You would need to use "management-access INSIDE" to permit this. Info here.
EDIT: to reflect correct interface.
HTH
10-17-2018 05:30 AM
Are you sure?
I have a working VPN from my office to the location of the ASA5506. From my office I can access all devices on the LAN whose inside is the ASA 5506 inside(s), i.e. the 5506 BVI1.
Usually on the 5505, to access them remotely VIA VPN (not directly on their public IP), I set up management-access INSIDE. With the 5506, do I have to set it to OUTSIDE? Usually I did this to access them from the public IP, not from their private one.
10-17-2018 06:38 AM
10-17-2018 07:16 AM
Hi,
from my office to remote:
officefw# packet-tracer input inside tcp 192.168.59 12345 192.168.1.254 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.254/22 to 192.168.1.254/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any4 eq ssh
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.59/12345 to 192.168.1.59/12345

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4109083, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
from remote to my office:
remotefw# packet-tracer input inside_1 tcp 192.168.1.254 22 192.168.2.59 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop REMOTE_PUBLIC_IP_GW using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static RemoteNetwork RemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/12345 to 192.168.2.1/12345

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside_1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I've used my client (.59) and 12345 as source port, 22 as destination. If I have to run it in a different way, just tell me.
Thanks
10-19-2018 06:46 AM
Does anybody have any ideas about my problem?
Thanks
10-19-2018 07:19 AM - edited 10-19-2018 07:20 AM
You are probably running into the limitation of managing the ASA via VPN through a BVI interface. This is still an open enhancement:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307
The issue stems from the fact that you cannot issue "http x.x.x.x x.x.x.x inside" when inside is a BVI interface.
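As an added example (not from this thread or from Cisco), a small Python audit that reads an ASA config and reports the combination this reply describes: management-access naming a BVI nameif while the ssh/http statements name only its bridge-group member interfaces. The config excerpt inside it is constructed to mirror the poster's, not copied from a real device.

```python
# Added example: flag management-access pointing at a BVI whose nameif has no ssh/http statement.
import re

# Constructed excerpt mirroring the thread's config, not the poster's full file.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
interface BVI1
 nameif inside
 ip address 192.168.1.254 255.255.255.0
http 192.168.2.0 255.255.255.0 inside_1
ssh 192.168.2.0 255.255.255.0 inside_1
ssh timeout 5
management-access inside
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_interfaces(cfg):
    """Return (BVI nameif -> BVI number, BVI number -> list of member nameifs)."""
    bvi_names, members = {}, {}
    cur_if = cur_name = cur_group = None
    for line in cfg.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if cur_name and cur_if.startswith("BVI"):
                bvi_names[cur_name] = int(cur_if[3:])
            elif cur_name and cur_group is not None:
                members.setdefault(cur_group, []).append(cur_name)
            cur_if, cur_name, cur_group = line.split()[1], None, None
        elif line.startswith(" nameif "):
            cur_name = line.split()[1]
        elif line.startswith(" bridge-group "):
            cur_group = int(line.split()[1])
    return bvi_names, members

def audit_management_access(cfg):
    """List management-access targets that are BVIs with no ssh/http statement of their own."""
    bvi_names, members = parse_interfaces(cfg)
    access = {}  # nameif -> protocols granted by 'ssh|http <net> <mask> <nameif>' lines only
    for proto, nameif in re.findall(rf"^(ssh|http) {IP} {IP} (\S+)$", cfg, re.M):
        access.setdefault(nameif, set()).add(proto)
    findings = []
    for name in re.findall(r"^management-access (\S+)$", cfg, re.M):
        if name in bvi_names and name not in access:
            hits = {i: sorted(p) for i, p in access.items() if i in members.get(bvi_names[name], [])}
            findings.append(f"management-access {name} targets BVI{bvi_names[name]}, but no "
                            f"ssh/http statement names '{name}'; members only: {hits}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_management_access(SAMPLE_CONFIG)) or "no findings")
```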
04-17-2019 06:55 AM
Hi, everyone.
Is there a solution or upgrade to this bug/issue?
Thanks!
Regards K.Kirchev