Communication over site to site, traffic originating from ASA itself

Hello Cisco community! 

I am running into an issue I am hoping I can get some assistance with. I haven't worked heavily on Cisco equipment in a long time, so my knowledge is a bit hit or miss, so please bear with me.

I am working on 2 Cisco ASAs that are connected with a site-to-site VPN. The VPN is up and working. There is a primary ASA and a remote ASA. The remote ASA has a single inside network (network: 192.168.15.0/24, interface: 192.168.15.250). The primary ASA has a single inside network (network: 192.168.0.0/24, interface: 192.168.0.250) and a DMZ network (network: 172.16.5.0/24, interface: 172.16.5.250).

I am trying to set up communication from a server connected on the DMZ network to the IP 192.168.15.250. What I have tracked down is that it seems like any communication originating from 192.168.15.250 is not getting over the site-to-site VPN. Communication originating from anything else on the remote ASA inside network works fine, but when communication originates from the ASA itself it seems to go out the public interface (via traceroute) and not the tunnel.

Any insight or ideas on getting that traffic to route safely?

Thank you!

24 Replies

@fletchernickolas, it depends on what you are trying to do. You can configure the command management-access <interfacename> on the remote ASA. You will then be able to manage (ssh, snmp, http etc.) the remote ASA on its inside interface over a VPN tunnel.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf


Hi Rob,

I am already able to SSH to the box. It seems like if the traffic originates from a network on the primary ASA to the 192.168.15.250 IP things work fine, but if I go to that remote box itself and try to ping something on a network connected to the primary ASA it never makes it over the VPN. A packet capture on the primary confirms nothing makes it across, and a traceroute shows the WAN IP as the next hop.

@fletchernickolas, if you generate traffic from the ASA itself, the egress interface (outside) would be the source, which would not be defined in the crypto ACL. Normally you'd generate the traffic flow by sending traffic through the VPN, not to/from the ASA.

@Rob Ingram, the crypto ACL seems to include everything in the /24 network, which the ASA's IP falls into. Is this excluded in some systematic way I am missing?

I understand the flow would normally go through the VPN and not be sourced from the ASA itself. I am trying to set up RADIUS authentication on the ASA that reaches out to a RADIUS server on the DMZ network on the primary ASA, so that communication will originate from the remote ASA. I have everything I need to actually configure the RADIUS; it's just that the communication originating from that remote ASA is not getting across.

Originate from the ASA, meaning the management traffic?

@MHM Cisco World, specifically I am trying to define a RADIUS server on the remote ASA to reach back to a DMZ network on the primary ASA. When I test ping from the ASA to that device or run a packet-tracer, it fails and acts like it is originating from the inside IP assigned to the remote ASA and sending that traffic out the WAN interface and not over the VPN. I am already able to SSH into the remote ASA. Traffic originating from elsewhere can traverse the VPN and reach the ASA IP fine; it's communication starting on the remote ASA and going over the VPN that is problematic.

Check the comment below.

Are you saying to define a new IP for the mgmt interface that is different from the one I am having issues with? Just trying to make sure I am following.

@MHM Cisco World, just wanted to follow up and see if you saw my message from yesterday. I only have access to the equipment at limited times, so I want to make sure I understand when I go back and work on this. Sorry to follow up.

Please check the comment below.

@MHM Cisco World, follow-up question: can you think of a way to safely NAT the traffic from the ASA to a different IP to allow it to cross the tunnel? Is there a way to limit NAT to only apply if going to a specific destination?

Let me send you more detail about this issue today.

OK

Thank you!

ASA1 - VPN L2L - ASA2
ASA1 LAN 10.0.0.0
ASA2 LAN 20.0.0.0
I permit 10.0.0.0/24 to 20.0.0.0/24 for the policy VPN.
Then I configure a TACACS server with IP 20.0.0.3 and use IN (10.0.0.10) <<- this is already configured in the ACL of the L2L VPN.

Under the IN interface I configure
management-access IN <<- @Rob Ingram already mentioned this above.

And it succeeded: the ASA is using the S2S VPN for telnet and enable password auth.
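Putting the pieces of this thread together as one ASA CLI fragment, added here as an illustration and not taken from any poster's actual configuration. It follows MHM Cisco World's addressing (ASA1 LAN 10.0.0.0/24 with inside IP 10.0.0.10, ASA2 LAN 20.0.0.0/24, TACACS server 20.0.0.3) and assumes the inside interface is named `inside` (MHM's "IN"), the crypto ACL is named `L2L-ACL`, and the server group is named `TACACS`; the shared key is a placeholder. The security-relevant point is the one Rob Ingram made: ASA-originated traffic that leaves via the outside interface is sourced from the outside IP and never matches the crypto ACL, so the AAA server is bound to the inside interface, whose address does fall inside the protected network.

```cisco
! --- ASA2 (remote site, LAN 20.0.0.0/24 behind it) ---
! Crypto ACL: the interesting traffic for the L2L tunnel. Only flows whose
! source falls in 10.0.0.0/24 are encrypted; a packet sourced from the
! outside interface IP will not match and goes out in the clear.
access-list L2L-ACL extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

! Allow ASA-originated management traffic (and management of the ASA) to
! use the inside interface across the VPN.
management-access inside

! Bind the AAA server to the inside interface so the ASA sources the
! TACACS+ request from 10.0.0.10, which the crypto ACL covers.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 20.0.0.3
 key REPLACE_WITH_SHARED_SECRET
 timeout 5

! Keep LOCAL as a fallback so a tunnel outage cannot lock administrators out.
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

! --- Verification (run from ASA2) ---
! Confirm the AAA request is sourced from inside and hits the VPN phase:
packet-tracer input inside tcp 10.0.0.10 1025 20.0.0.3 49
! Confirm the tunnel is up and encaps/decaps counters increase:
show crypto ipsec sa
! Exercise the server without logging in through it (credentials are placeholders):
test aaa-server authentication TACACS host 20.0.0.3 username TESTUSER password TESTPASS
```

The same shape applies to the original poster's RADIUS case: the `aaa-server` group would use `protocol radius`, the crypto ACL on the remote ASA must cover the remote inside network to the primary DMZ network (192.168.15.0/24 to 172.16.5.0/24), and the packet-tracer would use the RADIUS ports (udp 1812 or 1645) rather than tcp 49. If the crypto ACL on either side omits the DMZ subnet, no source-interface binding will help, so check that first with `show crypto ipsec sa` for a matching local/remote identity.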