07-26-2011 03:38 AM
I have a CRL that is available at the other end of a VPN, hosted on server 172.16.74.30.
If I "ping 172.16.74.30"
It selects the interface outside and the pings fail
If I "ping inside 172.16.74.30"
The pings work and the data is sent down the tunnel.
I assume this is the same reason why my ASA cannot download the CRL.
Is there any way to force it to use the inside interface as a source when it accesses 172.16.74.30?
Thanks in advance.
07-26-2011 03:42 AM
Hi Martin,
You would need to NAT the traffic to the inside interface so that the traffic to your machine goes through the inside interface.
Thanks,
Varun
07-26-2011 03:58 AM
So the ASA doesn't have the same capability as IOS:
crypto ca trustpoint ms-ca
enrollment url http://ms-ca:80/certsrv/mscep/mscep.dll
source interface ethernet0
07-26-2011 03:45 AM
Reason I ask is I'm trying to configure Dynamic VPN using PKI from an MS CA.
But on my hub I'm getting the following:
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Certificate not validated
07-26-2011 03:50 AM
You might just then need to move this thread to VPN.
-Varun
07-26-2011 06:34 AM
Varun,
This isn't supported. The PKI process uses the routing table to determine what interface to use when sending packets. You'll need to have your account team put in a feature request for you.
Really though, your CRL should be reachable over the internet. It's not like it's doing anything other than providing revoked certificate information, which isn't much of a security risk.
--Jason
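The following is an added, simplified model (not Cisco code and not from any post in this thread) of the behaviour Jason and Martin describe: a locally generated packet such as the CRL request takes the interface the routing table selects, is sourced from that interface's own address unless an administrator pins a source interface, and only enters the site-to-site tunnel if that source/destination pair matches the crypto ACL. The CRL server 172.16.74.30 comes from the thread; the interface addresses, routes, and crypto ACL are constructed placeholders, and the selection rules are assumptions that simplify real ASA behaviour.

```python
import ipaddress

# Constructed, simplified model of how a firewall picks the egress interface and
# source address for locally generated traffic (such as a CRL download), and why
# that decides whether the packet matches a site-to-site VPN's crypto ACL.
# Only the CRL server address comes from the thread; everything else is made up.

CRL_SERVER = "172.16.74.30"

# Interface name -> the firewall's own address on that interface (constructed).
INTERFACES = {
    "outside": "203.0.113.2",
    "inside": "192.168.1.1",
}

# Routing table as (prefix, egress interface). Longest prefix match wins.
# There is no specific route for 172.16.74.0/24, so the default route sends
# the CRL server's traffic out "outside", as on the thread's ASA.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("192.168.1.0/24", "inside"),
]

# Crypto ACL for the tunnel: local LAN to remote LAN is "interesting" traffic.
CRYPTO_ACL = [("192.168.1.0/24", "172.16.74.0/24")]


def lookup_route(dst, routes=ROUTES):
    """Return the egress interface for dst by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def pick_source(dst, source_interface=None, routes=ROUTES):
    """Return (egress interface, source address) for a locally generated packet.

    The egress interface always comes from the routing table. The source address
    is that interface's own address unless the administrator pinned a source
    interface (the effect of 'ping inside ...' or IOS 'source interface')."""
    egress = lookup_route(dst, routes)
    src_iface = source_interface or egress
    return egress, INTERFACES[src_iface]


def matches_crypto_acl(src, dst, acl=CRYPTO_ACL):
    """True if the src/dst pair is covered by any crypto ACL entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl
    )


def crl_fetch_path(dst=CRL_SERVER, source_interface=None, routes=ROUTES):
    """Describe what happens to the CRL request.

    'tunnel'    -> source/destination match the crypto ACL, so it is encrypted.
    'cleartext' -> no ACL match; the packet leaves the egress interface
                   unencrypted, and a private destination is unreachable."""
    egress, src = pick_source(dst, source_interface, routes)
    path = "tunnel" if matches_crypto_acl(src, dst) else "cleartext"
    return {"egress": egress, "source": src, "path": path}


if __name__ == "__main__":
    # Mirrors the thread: a plain 'ping' fails, 'ping inside' reaches the tunnel.
    print("no source pinned :", crl_fetch_path())
    print("source inside    :", crl_fetch_path(source_interface="inside"))
```

With no source interface pinned, the request is sourced from the outside address, misses the crypto ACL, and leaves in cleartext toward a private address, which is the failure the PKI debug reflects; pinning the inside interface changes only the source address, which is enough for the ACL match. The same model shows the alternative a defender can verify on a real box: rather than a source-interface override, make the CRL distribution point reachable over a path the firewall's own traffic already takes.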